Avoiding ‘Evil Twins’ and Rogue Access Points

A whole new class of attacks is emerging to threaten Wi-Fi users. “Evil Twin” and other Wi-Fi-oriented attacks can fool users into providing confidential information or compromise their computers.

Here’s the basic evil twin scenario: The attacker sits in the parking lot of a coffee house&#8212or maybe even in the coffee house itself&#8212with a Wi-Fi card and a separate connection to the Internet, probably over a cellular carrier network. Using an attack tool such as hotspotter, they simulate a wireless access point with the same SSID (wireless network name) as the one users would expect, such as ‘t-mobile’.

If the signal is strong enough, other users will connect to the attacker’s system instead of the real access point. The attacker can then serve them a Web page asking for the user to re-enter their credentials, including credit card info if they have the nerve to go so far, give them an IP address and then pass them on to the Internet.

Some golf courses are becoming Wi-Fi hot spots. Click here to read more.

There are many other scenarios. Even without stealing the credentials and credit card info, the attacker sits as a man-in-the-middle and can capture any unencrypted traffic. The attacker doesn’t even really need the cellular card; they can just get the info and return an error. If the attacker doesn’t stick around too long, the user may eventually get through on the real access point and drop all suspicion.

These attacks are more likely to work with public hot spots rather than corporate Wi-Fi networks, which are likely to use more secure network authentication mechanisms. The real exposure to corporate users is when they use a public hot spot to run the corporate VPN; first they must expose themselves to evil twin-type attacks.

Rogue access points have become a problem as well within corporate networks, and these too could operate from the parking lot of a building, especially if aided by a directional antenna. Windows connects by default to all wireless networks a user has in their networks list, meaning all networks to which they have connected in the past. So if an attacker waits with a rogue access point named ‘linksys’ odds are that a user will eventually come along who had connected to such a network at home. The user’s notebook, and the corporate network to which it is attached, may then be vulnerable.

Personal firewalls don’t stop the evil twin part of the attack, as they don’t operate at that network level. Of course, the notebook itself is exposed when connected to an evil twin, and the attacker could access any open shares or exploit any uncorrected vulnerabilities, and here a firewall could help.

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer’s Weblog.

There are companies, such as AirDefense, which sell products to defend against such attacks. AirDefense sells products both for personal systems and enterprises to counter evil-twin, rogue AP and other attacks. Strong authentication and encryption are also generally good defenses.

It’s not surprising that connections over a wireless network would have vulnerabilities. Wi-Fi is becoming so ordinary a technology that users may not be alert enough for the threats they are likely to face. So as with other threats, education is the first line of defense against wireless attacks.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Check out eWEEK.com’s for the latest security news, reviews and analysis.