Avoiding 'Evil Twins' and Rogue Access Points

By Larry Seltzer  |  Print this article Print


Desktop-as-a-Service Designed for Any Cloud ? Nutanix Frame

Analysis: "Evil Twin" and other wireless spoofing attacks provide a rich set of tools for identity thieves and corporate espionage agents.

A whole new class of attacks is emerging to threaten Wi-Fi users. "Evil Twin" and other Wi-Fi-oriented attacks can fool users into providing confidential information or compromise their computers.

Here's the basic evil twin scenario: The attacker sits in the parking lot of a coffee house—or maybe even in the coffee house itself—with a Wi-Fi card and a separate connection to the Internet, probably over a cellular carrier network. Using an attack tool such as hotspotter, they simulate a wireless access point with the same SSID (wireless network name) as the one users would expect, such as 't-mobile'.

If the signal is strong enough, other users will connect to the attacker's system instead of the real access point. The attacker can then serve them a Web page asking for the user to re-enter their credentials, including credit card info if they have the nerve to go so far, give them an IP address and then pass them on to the Internet.

Some golf courses are becoming Wi-Fi hot spots. Click here to read more.

There are many other scenarios. Even without stealing the credentials and credit card info, the attacker sits as a man-in-the-middle and can capture any unencrypted traffic. The attacker doesn't even really need the cellular card; they can just get the info and return an error. If the attacker doesn't stick around too long, the user may eventually get through on the real access point and drop all suspicion.

These attacks are more likely to work with public hot spots rather than corporate Wi-Fi networks, which are likely to use more secure network authentication mechanisms. The real exposure to corporate users is when they use a public hot spot to run the corporate VPN; first they must expose themselves to evil twin-type attacks.

Rogue access points have become a problem as well within corporate networks, and these too could operate from the parking lot of a building, especially if aided by a directional antenna. Windows connects by default to all wireless networks a user has in their networks list, meaning all networks to which they have connected in the past. So if an attacker waits with a rogue access point named 'linksys' odds are that a user will eventually come along who had connected to such a network at home. The user's notebook, and the corporate network to which it is attached, may then be vulnerable.

Personal firewalls don't stop the evil twin part of the attack, as they don't operate at that network level. Of course, the notebook itself is exposed when connected to an evil twin, and the attacker could access any open shares or exploit any uncorrected vulnerabilities, and here a firewall could help.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

There are companies, such as AirDefense, which sell products to defend against such attacks. AirDefense sells products both for personal systems and enterprises to counter evil-twin, rogue AP and other attacks. Strong authentication and encryption are also generally good defenses.

It's not surprising that connections over a wireless network would have vulnerabilities. Wi-Fi is becoming so ordinary a technology that users may not be alert enough for the threats they are likely to face. So as with other threats, education is the first line of defense against wireless attacks.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com's for the latest security news, reviews and analysis.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...