Evil twin

An evil twin is a malicious wi-fi access point (AP) that mimics a legitimate AP. Typically an attacker sets up an evil twin in an area of public wi-fi hotspot access such as a coffee shop, airport, hotel or event. The evil twin spoofs the Service Set Identifier (SSID) and password of the legitimate wi-fi, which provides the opportunity for the attacker to eavesdrop on data passing through.

Evil twin attacks can be successful against both PCs and mobile devices. Unsuspecting users logging in to what they think is the legitimate wi-fi connection have no idea that their traffic is being routed via the malicious AP.

Evil twin attacks are not new – they have been around for a decade or more – however, they are still a significant threat in public hotspot areas. An attacker can redirect traffic to the legitimate AP, or simply route the traffic directly to the internet. The attacker is in the position of a man-in-the-middle, able to analyse all internet traffic passing through the evil twin.

Users either log in manually to the malicious access point, or their device logs in automatically. After the user has manually entered the wi-fi details on the first occasion, PCs and smartphones default to automatically logging in again whenever the device is in the vicinity and the AP is detected. So, if the user visits the same coffee shop, his smartphone will automatically connect if it has connected before.

It is a simple matter to set up a smartphone as an evil twin to conduct a MITM attack at a wi-fi hotspot. On Android, for example, choose Tethering and portable hotspot – Portable Wi-Fi hotspot – Configure – then enter the SSID and password of the legitimate hotspot. Please note that it is illegal to redirect unsuspecting users’ traffic through your device at a public hotspot.

If the user’s device detects two SSIDs, it will connect to the stronger. The attacker can position himself between the legitimate AP and the victim in order to give out a stronger signal. Alternatively, the attacker can disrupt the legitimate AP through radio interference or a denial of service attack.

Through an evil twin, an attacker is able to gain access to all traffic which is not encrypted – all information entered into http sites – and view the contents of files that are uploaded or downloaded. Evil twin attackers are able to obtain additional information by spoofing https sites such as a bank, and directing the user to a duplicate http phishing site. An evil twin is able to provide the attacker with passwords, bank details, and any other sensitive information which the user may enter on their device.

A video demonstration of setting up an evil twin attack on a tablet and successfully capturing the password is here. This demonstration uses Wireshark, StringsWatch and SSLStrip for analysing web traffic from the victim.

It is not obvious how to set a smartphone so that it does not automatically connect to a particular individual AP. It may not be simple to delete a connection – some operating systems require the phone to be in range to do this.

There are not a lot of protections against an evil twin attack apart from never using public wi-fi hotspots or only visiting https sites if you do. Disable autoconnect for saved SSIDs. Only use public wi-fi for harmless internet browsing – do not enter sensitive information while connected publicly. Enterprise connections should be conducted over a VPN.
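One practical detection check that follows from the above: when two APs advertise the same SSID, the one that is open (or not operated by the venue) is the suspect. The script below is an added example, not code from the original post; it parses constructed scan records in the form "bssid,ssid,signal_dbm,security" and uses a hypothetical per-SSID allowlist of known-good BSSIDs.

```python
"""Flag evil-twin indicators in Wi-Fi scan results.

Added example, not code from the original post. Input is constructed
scan output in the form "bssid,ssid,signal_dbm,security"; the
allowlist of known-good BSSIDs per SSID is hypothetical.
"""
from collections import defaultdict

# Constructed sample scan: three BSSIDs advertise the same SSID, one of
# them open and with the strongest signal (the evil-twin pattern).
SCAN = """\
aa:bb:cc:00:00:01,CoffeeShop_WiFi,-55,WPA2-PSK
aa:bb:cc:00:00:02,CoffeeShop_WiFi,-61,WPA2-PSK
de:ad:be:ef:00:01,CoffeeShop_WiFi,-38,OPEN
11:22:33:44:55:66,Hotel_Guest,-70,WPA2-PSK
"""

# Hypothetical site allowlist: SSID -> BSSIDs the venue actually operates.
ALLOWLIST = {"CoffeeShop_WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def parse_scan(text):
    """Return (bssid, ssid, signal_dbm, security) tuples from CSV lines."""
    records = []
    for line in text.splitlines():
        if line.strip():
            bssid, ssid, signal, security = line.split(",")
            records.append((bssid.lower(), ssid, int(signal), security.upper()))
    return records


def find_indicators(records, allowlist):
    """Return (severity, ssid, bssid, reason) findings.

    Many BSSIDs per SSID is normal for enterprise Wi-Fi, so that alone is
    'info'; an unknown BSSID for an allowlisted SSID, or an open AP beside
    protected APs under the same SSID, is 'high'.
    """
    by_ssid = defaultdict(list)
    for rec in records:
        by_ssid[rec[1]].append(rec)
    findings = []
    for ssid, aps in by_ssid.items():
        securities = {sec for _, _, _, sec in aps}
        for bssid, _, _, sec in aps:
            if ssid in allowlist and bssid not in allowlist[ssid]:
                findings.append(("high", ssid, bssid, "BSSID not on allowlist"))
            if len(securities) > 1 and sec == "OPEN":
                findings.append(("high", ssid, bssid, "open AP beside protected APs"))
        if len(aps) > 1:
            findings.append(("info", ssid, None, f"{len(aps)} BSSIDs share SSID"))
    return findings
```

In the sample data only the open, strongest-signal BSSID is rated high; the legitimate pair of venue APs produces just the informational "shared SSID" note.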

One thought on “Evil twin”

  1. Russell N March 18, 2014 at 5:48 pm

    This is actually more common than you would believe and is very difficult to detect. Another variant is a simple ad hoc network that attackers set up on their laptops that just sniffs the traffic. With the proliferation of wireless devices it wouldn’t take long before someone would connect to it hoping to get free internet access. The one thing to remember: unless you are connecting to your own private, secure network, assume that it is public and someone is listening.
