Evil twin (wireless networks)


An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. [1] The evil twin is the wireless LAN equivalent of the phishing scam.


This type of attack may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there. [2]

Method

The attacker snoops on the victim's Internet traffic by way of a bogus wireless access point. Unwitting users may be presented with a login page served from the attacker's own server, prompting them to enter sensitive information such as usernames and passwords. Often, users do not realise they have been duped until well after the incident.

Because every packet the victim sends passes through the attacker's equipment, a login to a bank or e-mail account that is not protected by TLS (plain HTTP, or a mail client using unencrypted POP, IMAP or SMTP) hands the credentials to the attacker directly. With HTTPS the page content is protected, but the attacker still sees which hosts are contacted (DNS queries and the TLS server name indication) and can try to redirect a plain-HTTP request to a look-alike login page; a browser certificate warning on the real site is the sign that the twin is interposing itself. Captured credentials can then be reused against other services and networks where the victim uses the same password.

Fake access points are set up by configuring a wireless card to operate in access-point mode (known as HostAP; hostapd is the usual daemon on Linux). They are hard to trace since they can be switched off instantly. The counterfeit access point may be given the same SSID, and even the same BSSID, as a nearby Wi-Fi network, so that clients with a saved profile for that network reconnect to it automatically and cannot tell the two apart. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, [3] or it can simply report that the system is temporarily unavailable after obtaining a username and password. [4] [5] [6] [7] How convincing the clone is depends on the target network's security: an open network can be cloned exactly, whereas a WPA2-PSK clone that does not know the passphrase cannot complete the four-way handshake with the client (although the client's attempt still leaks material usable for offline passphrase guessing), and an 802.1X/EAP network whose clients validate the RADIUS server's certificate is the case a twin cannot satisfy.

Using captive portals

One of the most common evil-twin variants uses a captive portal. The attacker first brings up a fake wireless access point with the same, or a confusingly similar, ESSID as the legitimate one. The attacker may then run a denial-of-service attack against the legitimate access point, typically a flood of spoofed deauthentication frames, so that it effectively goes offline for its clients. Clients then reconnect automatically to the fake access point, whose DHCP and DNS answers steer their first web request to a portal page asking for the network password or other credentials, which the attacker collects. Deauthentication frames can be spoofed because 802.11 management frames are unauthenticated unless Protected Management Frames (802.11w) are in use; WPA3 makes them mandatory, which removes this step of the attack, though it does not stop a client from voluntarily joining an open twin with the same name.
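The detection side of the sequence described in the Method and captive-portal sections above, as an added example that is not code from this article or from any tool it mentions: a small Python detector run over management-frame records constructed by hand to imitate what a monitor-mode sniffer reports. It flags a known SSID beaconed by an unauthorized BSSID, an authorized BSSID suddenly advertising weaker security, a look-alike SSID, and a deauthentication flood, and correlates flood plus twin into the captive-portal pattern. The inventory of authorized access points, the thresholds, and the frame fields are assumptions made for the example.

```python
"""Evil-twin and deauth-flood detector over 802.11 management-frame records.

Added example, not code from this article or from any tool it mentions. The
frame records below are constructed by hand to mimic what a monitor-mode
sniffer reports (frame type, timestamp, SSID, BSSID, channel, security); the
known-good inventory and the thresholds are assumptions for the example.
"""
import re
from collections import defaultdict

# Assumed inventory of authorized APs: SSID -> (authorized BSSIDs, security)
INVENTORY = {
    "CafeNet": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "wpa2-psk"),
}
DEAUTH_THRESHOLD = 10   # deauth frames in one window that count as a flood
WINDOW_SECONDS = 5.0


def _normalize(ssid):
    """Fold case and drop punctuation so 'Cafe-Net' and 'cafenet' collide."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def check_beacon(frame, inventory=INVENTORY):
    """Alerts for one beacon frame; empty list if it matches the inventory."""
    alerts = []
    ssid, bssid, sec = frame["ssid"], frame["bssid"], frame["security"]
    if ssid in inventory:
        authorized, expected_sec = inventory[ssid]
        if bssid not in authorized:
            alerts.append({"kind": "evil_twin", "target": ssid,
                           "msg": f"SSID {ssid!r} beaconed by unauthorized BSSID {bssid}"})
        elif sec != expected_sec:
            # Same BSSID as a real AP but different security: a BSSID clone
            # offering an open network in place of the protected one.
            alerts.append({"kind": "bssid_clone", "target": ssid,
                           "msg": f"authorized BSSID {bssid} advertises {sec}, expected {expected_sec}"})
    else:
        for known in inventory:
            if _normalize(known) == _normalize(ssid):
                alerts.append({"kind": "lookalike_ssid", "target": known,
                               "msg": f"SSID {ssid!r} resembles {known!r} (BSSID {bssid})"})
    return alerts


def check_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """{source BSSID: peak deauth count in any `window` seconds} for sources
    whose peak reaches `threshold`. The source is the address the attacker
    spoofs, normally the real AP's BSSID."""
    per_src = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            per_src[f["bssid"]].append(f["ts"])
    flooded = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flooded[src] = peak
    return flooded


def analyze(frames, inventory=INVENTORY):
    """Run both checks and correlate them; deduplicated alerts in first-seen order."""
    alerts, seen, impersonated = [], set(), set()
    for f in frames:
        if f["type"] != "beacon":
            continue
        for a in check_beacon(f, inventory):
            impersonated.add(a["target"])
            if a["msg"] not in seen:
                seen.add(a["msg"])
                alerts.append(a)
    for src, peak in check_deauth_flood(frames).items():
        alerts.append({"kind": "deauth_flood", "target": src,
                       "msg": f"{peak} deauth frames from {src} within {WINDOW_SECONDS}s"})
        # A flood spoofing a real AP of an SSID that is also being impersonated
        # is the captive-portal sequence: knock clients off, let them rejoin the twin.
        for ssid, (authorized, _) in inventory.items():
            if src in authorized and ssid in impersonated:
                alerts.append({"kind": "captive_portal_pattern", "target": ssid,
                               "msg": f"deauth flood against {ssid!r} ({src}) alongside a twin of that SSID"})
    return alerts


# Constructed sample: two real beacons, 12 spoofed broadcast deauths "from" the
# real AP, then an open twin of the same SSID and a look-alike SSID.
SAMPLE_FRAMES = [
    {"type": "beacon", "ts": 0.0, "ssid": "CafeNet", "bssid": "aa:bb:cc:00:00:01", "channel": 6, "security": "wpa2-psk"},
    {"type": "beacon", "ts": 1.0, "ssid": "CafeNet", "bssid": "aa:bb:cc:00:00:02", "channel": 11, "security": "wpa2-psk"},
]
SAMPLE_FRAMES += [{"type": "deauth", "ts": 2.0 + 0.1 * i, "bssid": "aa:bb:cc:00:00:01",
                   "dst": "ff:ff:ff:ff:ff:ff"} for i in range(12)]
SAMPLE_FRAMES += [
    {"type": "beacon", "ts": 3.5, "ssid": "CafeNet", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "open"},
    {"type": "beacon", "ts": 4.5, "ssid": "CafeNet", "bssid": "de:ad:be:ef:00:01", "channel": 6, "security": "open"},
    {"type": "beacon", "ts": 5.0, "ssid": "Cafe-Net", "bssid": "de:ad:be:ef:00:02", "channel": 1, "security": "open"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(f"[{alert['kind']}] {alert['msg']}")
```

On the constructed sample the detector reports the open twin, the look-alike SSID, the deauth flood attributed to the real AP's address, and the correlated captive-portal pattern. In a real deployment the frame records would come from a monitor-mode capture and the inventory from the site's AP management system; the look-alike rule is deliberately loose and should be tuned against the site's own SSID list to avoid noise.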

Example

In July 2024 a man was charged by the Australian Federal Police with running a fake Wi-Fi network to steal the credentials of passengers on at least one commercial flight. [8] An airline had reported that employees had concerns about a suspicious Wi-Fi network identified during a domestic flight. [8]

See also

Rogue access point
KARMA attack, a variant of the evil twin attack that exploits a behaviour of some Wi-Fi client devices together with the lack of access point authentication in many Wi-Fi protocols (first published in 2004 by Dino dai Zovi and Shaun Macaulay)
Wi-Fi deauthentication attack
Wireless intrusion prevention system (WIPS)
Wireless security
Wi-Fi Protected Access (WPA, WPA2, WPA3)
Extensible Authentication Protocol (EAP)
RADIUS
Wi-Fi Protected Setup (WPS)
Wireless access point
Wi-Fi hotspot
Pharming
Spoofed URL
Session hijacking
Piggybacking on Internet access

References

  1. Smith, Andrew D. (9 May 2007). "Strange Wi-Fi spots may harbor hackers: ID thieves may lurk behind a hot spot with a friendly name". The Dallas Morning News. Washington, DC: Knight Ridder Tribune Business News. p. 1. Retrieved 6 June 2007.
  2. Wolfe, Daniel (14 February 2007). "Security Watch". American Banker. Vol. 172, no. 31. New York, NY. p. 7. ISSN 0002-7561. ProQuest 249873579. "A security firm used an evil twin as a test to obtain passwords from attendees at an RSA security conference."
  3. "Evil Twin with internet access via legitimate access point: Proof of concept". kalitutorials.net.
  4. Crossman, Craig (24 August 2005). "Computer Column". Washington, DC: Knight Ridder Tribune Business News.
  5. Kirk, Jeremy (25 April 2007). "'Evil Twin' Hotspots Proliferate". Network World. IDG News Service.
  6. "'Evil twin' threat to Wi-Fi users". CNN. 20 January 2005.
  7. Biba, Erin (15 March 2005). "Does Your Wi-Fi Hotspot Have an Evil Twin?". PC World. Archived from the original on 20 August 2008. Retrieved 4 February 2010.
  8. Sharwood, Simon (1 July 2024). "Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials". The Register. Retrieved 2 July 2024.