How Evil Twins work
An Evil Twin is a phony wireless Access Point that pretends to be a legitimate AP by advertising that WLAN's name (that is, its Extended Service Set Identifier, or SSID). An Evil Twin can use KARMA, an attack tool that monitors station probes, watching for commonly-used SSIDs and adopting one as its own. Or an Evil Twin can be configured with a common residential SSID (e.g., linksys), hotspot SSID (e.g., Wayport_Access) or the SSID of a specific company's WLAN. Even APs that do not send SSIDs in beacons can be targeted, so long as legitimate users can be monitored with Wireshark, Kismet or another WLAN analyzer.
Why is an AP that uses someone else's SSID dangerous? Wireless stations generally do not connect to specific APs; they connect to any AP with a given SSID and the best signal. Worse, many stations automatically reconnect to any SSID used in the past. Just placing an Evil Twin near business users can be enough to trick their wireless devices into associating with a phony AP. An attacker who gets impatient waiting for users to roam to the Evil Twin can use a tool like Aireplay to deauthenticate everyone, forcing immediate reassociation.
Once a victim has connected, the Evil Twin can use its vantage point to launch many other attacks. For example, a laptop can run KARMA, creating an Evil Twin that presents a fake login page to solicit user names, passwords or credit card numbers. Any Web request can be redirected to the local host through DNS spoofing. A tool like Airpwn can return malicious responses to users, such as Web pages containing embedded viruses or Trojans. A cracker tool like Cain can extract passwords from common application protocols when victims check e-mail or download files. Man-in-the-middle tools like Dsniff can even compromise SSL or SSH sessions by posing as the target server, then relaying client requests to the legitimate server. In short, an Evil Twin is a perfect platform from which to run attacks against unsuspecting users.
Stopping these attacks
Start by educating users about Evil Twin risks. Many users readily connect to any AP to obtain free Internet access, without regard to who might own that AP or how that AP may trick them into disclosing sensitive data. Teach users to avoid promiscuous wireless behavior -- for example, show them how to disable automated connections and use non-default home WLAN SSIDs. Explain why they should never blindly accept SSH public keys or SSL server certificates, and the potential consequences of doing so.
Informed users are more likely to make good choices, but no company should rely exclusively on well-behaved users. Provide your users with tools that detect -- or better yet, prevent -- unauthorized wireless connections. For example:
- Use wireless intrusion detection to spot or block out-of-policy associations. Network WIPS products can provide these services for in-house WLANs. Host-resident agents can extend WIPS beyond your own WLAN, monitoring users that connect to wireless at home or on the road. For example, see Motorola AirDefense Personal and AirTight SAFE.
- Centrally manage wireless device configurations to avoid mistakes and prevent users from adding unsecured wireless network entries. For example, Windows Active Directory Group Policy Objects can be used to manage 802.11 and 802.1X parameters on Windows PCs.
- Require 802.1X for your own WLAN, using an EAP Type that provides mutual authentication, and always verify server certificates. Strictly speaking, this proves the identity of the RADIUS server rather than the AP, but that server in turn authenticates your APs with a shared RADIUS secret, making it hard for an Evil Twin to successfully pose as a legitimate AP. EAP Types that let stations verify the server's certificate include EAP-TLS, EAP-TTLS and PEAP (see our companion tip, Choosing the right flavor of 802.1X).
- Supply mobile workers with secure hotspot clients to avoid Web page login. For example, T-Mobile's Connection Manager uses 802.1X with EAP-TTLS when connecting to "Enhanced WPA Networks." Because the Connection Manager automatically checks the T-Mobile server's certificate, a user cannot accidentally connect to an Evil Twin, so long as that user never accepts any offer to connect to another SSID (including the older "tmobile" SSID).
- Finally, educate teleworkers about options for using 802.1X in home WLANs. For example, some SOHO-class wireless APs have an on-board RADIUS server and local user list that can be used to support 802.1X without an external RADIUS server.
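As an added example (not from the original article, nor from any WIPS product named above), here is a minimal wireless-IDS check in Python of the kind the first bullet describes: it flags beacons that reuse a sanctioned SSID from a BSSID not in the AP inventory, and bursts of deauthentication frames like those used to force reassociation. The AUTHORIZED inventory, MAC addresses and frame records are constructed sample data.

```python
"""Added example (not from the original article): a minimal wireless IDS check
over constructed 802.11 management-frame observations. It flags Evil Twin
beacons and deauthentication floods. All SSIDs, MACs and frames are made up."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp, seconds
    subtype: str    # "beacon" or "deauth"
    bssid: str      # transmitter / BSS MAC address
    ssid: str = ""  # only meaningful for beacons


# Hypothetical inventory of sanctioned APs: SSID -> set of authorized BSSIDs
AUTHORIZED = {"CorpWLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}


def find_evil_twins(frames, authorized=AUTHORIZED):
    """Return {ssid: sorted rogue BSSIDs} for beacons that advertise a
    sanctioned SSID from a BSSID the inventory does not know."""
    seen = defaultdict(set)
    for f in frames:
        if f.subtype == "beacon" and f.ssid in authorized:
            seen[f.ssid].add(f.bssid)
    return {s: sorted(b - authorized[s]) for s, b in seen.items() if b - authorized[s]}


def find_deauth_floods(frames, window=2.0, threshold=10):
    """Return BSSIDs that sent more than `threshold` deauth frames inside any
    `window`-second sliding window (the forced-roaming pattern)."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            by_bssid[f.bssid].append(f.ts)
    flagged = set()
    for bssid, times in by_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(bssid)
                break
    return sorted(flagged)


# Constructed capture: two sanctioned beacons, one Evil Twin beacon reusing
# CorpWLAN, an unrelated home SSID, then a 15-frame deauth burst in 0.7 s
SAMPLE = [Frame(0.0, "beacon", "00:11:22:33:44:01", "CorpWLAN"),
          Frame(0.1, "beacon", "00:11:22:33:44:02", "CorpWLAN"),
          Frame(0.2, "beacon", "de:ad:be:ef:00:01", "CorpWLAN"),
          Frame(0.3, "beacon", "aa:bb:cc:dd:ee:ff", "linksys")]
SAMPLE += [Frame(1.0 + i * 0.05, "deauth", "de:ad:be:ef:00:01") for i in range(15)]
```

Running `find_evil_twins(SAMPLE)` reports the unknown BSSID advertising CorpWLAN, and `find_deauth_floods(SAMPLE)` reports the same BSSID for its deauth burst; a real deployment would feed it frames from a monitor-mode capture rather than the constructed list.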
Although there are many steps that you can take to defend against Evil Twins, it may not be practical to eliminate all risk. For example, you may not be able to force users to employ 802.1X when working from home, or you may need to support embedded wireless client devices that lack 802.1X support (e.g., Wi-Fi phones). For best results, combine 802.1X server authentication with wireless client monitoring.
This was first published in June 2009