How 'evil twins' and multipots seek to bypass enterprise Wi-Fi defenses

First, it's important to note that several differences exist between the security monitoring systems of wired vs. wireless networks. In-line probes inspect wired network segments, monitoring packets as they traverse the LAN. Enterprise WLAN monitoring, however, relies on wireless intrusion prevention systems (WIPS), where a distributed network of transceiver sensors constantly monitor all channel bandwidths, reporting all activity to a centralized server. Through analysis of sensor data, the server is able to locate and thwart denial-of-service (DoS) attacks and unauthorized use of network resources, yet such WIPS architectures are more complex to implement and manage than their wired counterparts.

Despite increasingly effective WIPS, wireless attacks are rapidly increasing due to several factors, most notably the proliferation of enterprise usage, the frequent changes in standards and the common misconception that Wi-Fi security is nothing more than an afterthought. Today there are also many well-written applications, platforms, operating systems and hardware modifications designed to simplify the setup and execution of sophisticated wireless attacks. Most of the commonly known types of network threats traditionally seen in wired network environments have been redesigned to exploit wireless systems; sniffing, probing, scanning, spoofing and cryptographic attacks, to name a few, have all been effectively executed.

One of the most widespread and effective Wi-Fi attack methods is the "evil twin" attack. A "rogue" or unauthorized access point is set up to appear identical to a near

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

The multipot attack takes the evil twin concept a step further and presents a more significant threat to enterprises. Coined from the term "multiple honeypots", a multipot employs the use of two or more malicious access points configured as clones of a legitimate access point.

The multipot's use of multiple rogue access points, however, creates a unique and difficult situation for an enterprise WIPS. In this scenario, when session containment is attempted, the client receives the WIPS's deauthentication packets, which force network disconnection. But when the client restarts the 802.11 reconnection process, it associates itself to the second rogue access point and resumes communication attempts. Although the sensors again detect improper activity and transmit deauthentication packets, the WIPS is presented with a temporal obstacle. Its sensor is a transceiver and is responsible for channel-frequency scanning and packet broadcasting for session containment. While the time required to complete these tasks is in the order of seconds, it is much longer than the millisecond process of client reconnection.

So in a scenario with only one rogue access point, the process of connecting to and being disconnected from a single access point would result in a cycle causing packet flooding, yet with two rogue access points, the client effectively "outruns" the deauthentication packets by hopping back and forth between the rogue access points. Again, this vast difference in the time that each device needs to perform its job -- the WIPS sensor requires seconds while the client just milliseconds -- allows for client communication to proceed without perception of any disruptions.

There are a number of steps that can be incorporated into an enterprise security strategy to mitigate these types of threats. Site surveys to maintain a current database of network elements allow for monitoring WLAN changes via access point characteristics such as channel signal strengths associated with each SSID, physical access point location, RF triangulation, vendor consistency via MAC addressing, and access point firmware versions. Since the 802.11 standard only defines Layer 1 (physical) and Layer 2 (data link layer/MAC address sublayer) segments, multilayered protection should be implemented with additional upper-layer authentication, encryption, network access control and vulnerability management. Knowledge of the geographic coverage area, physical mapping of wireless threat exposure, identifying areas of high risk probability, dense sensor deployment, 24x7 real-time monitoring, effective threat classification and increasing physical access to office premises and surrounding areas are also essential for secure enterprise WLAN deployment. Finally, employee education and enforcement of a well-defined security policy remain the cornerstones for maintaining a secure network environment.

About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy. He holds degrees in psychology and mechanical engineering, as well as a doctorate in medicine from the Medical University of South Carolina. Schiffman is based in Charleston, S.C.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Wireless Network Security: Setup and Tools,   Wireless LAN Design and Setup,   Enterprise Network Security,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor How to defend against rogue DHCP server malware When BIOS updates become malware attacks Mac OS memory flaws pose challenges for enterprise endpoint protection Cybercrime and threat management How to find and stop automated SQL injection attacks Short-lived Web malware: Fading fad or future trend? Security book chapter: The Truth About Identity Theft How to use (almost) free tools to find sensitive data How to block adult websites from enterprise users by logging content Are Windows Vista security features up to par? Wireless LAN Design and Setup A list of wireless network attacks Wireless Security Lunchtime Learning An introduction to wireless security Hunting for rogue wireless devices A wireless network vulnerability assessment checklist Risky Business: Understanding WiFi threats Lesson 1 quiz: Risky business Wireless Security Lunchtime Learning Entrance Exam Lesson 1: How to counter wireless threats and vulnerabilities Study reveals lack of financial wireless computer security Wireless LAN Design and Setup Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary evil twin  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.