Top Ten Ways to Avoid an Evil Twin Attack
Business travelers are particularly susceptible to evil twin attacks: hacker-created wireless access points that use real network names (SSIDs) to bait users into connecting to them.
Wireless security concerns don't seem to be slowing hotspot growth. In 3Q09, AT&T hotspots serviced over 25 million Wi-Fi sessions, 66 percent more than in 2Q09. Aircell now offers in-flight Wi-Fi service on over 4,000 flights per day. In my hometown (Philadelphia), Comcast just launched over 2,000 new Xfinity hotspots.
Yet, few public hotspots protect users from wireless security threats like eavesdropping, spoofing, or evil twin attacks. Good hotspots protect login values like usernames, passwords, and credit card numbers. But after login, data privacy is often up to the user.
Hotspot data theft is well-understood and easily defeated with SSL websites and VPN connections. But the same cannot be said for evil twins: hacker access points that use real network names (SSIDs) to bait users into connecting to them. Here we describe the symptoms of an evil twin attack and how to avoid falling for one.
1. Odd venues
Evil twins aren't limited to public hotspots. These attacks can occur in offices or dorms, anywhere victims might be tricked into connecting to look-alike APs. Hotspot SSIDs are just really good bait. So, if you're in your hotel room and you see an SSID that's clearly out of place, like linksys or gogoinflight, don't connect. Better yet, disable auto-connect for saved hotspot SSIDs to avoid accidental reconnects.
2. Ad hocs
Public hotspots use infrastructure APs to connect many users to the Internet. The alternative ad hoc mode connects peers directly to each other, such as to share a printer. Many ad hocs are perfectly innocent, but if you see an ad hoc advertising a hotspot SSID, don't connect. Better yet, disable ad hoc mode to avoid accidents.
3. Deauth floods
Evil twins can wait passively for users to take the bait. But real hackers would probably use free tools like aireplay to speed things up by disconnecting all users, hoping some will reconnect to the evil twin. A hotspot that keeps disconnecting and reconnecting could just be too weak or distant. But if you have a strong signal and suddenly keep getting disconnected, exercise caution. For added protection, a Host IDS can be used to detect this type of "deauth flood."
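The "strong signal, yet repeated disconnects" heuristic above is exactly what a host IDS rule for deauth floods looks like. The following is an added illustration, not code from the article or from any IDS product: it assumes a capture tool has already exported 802.11 management frames as simple records (timestamp, subtype, BSSID, RSSI), and the sample frames are constructed. It counts deauthentication and disassociation frames per BSSID in a sliding window and raises one alert per window, noting whether the AP's last beacon was strong enough that range cannot explain the drops.

```python
"""Host-side sliding-window detector for 802.11 deauth floods (added example).

Assumption: management frames arrive as MgmtFrame records from some capture
front end; nothing here touches a real wireless interface.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MgmtFrame:
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "deauth", "disassoc", ...
    bssid: str       # AP address the frame claims to come from
    rssi: int        # received signal strength in dBm


class DeauthFloodDetector:
    """Alert when >= threshold deauth/disassoc frames from one BSSID arrive
    within `window` seconds. One alert per BSSID per window to avoid spam."""

    def __init__(self, window=10.0, threshold=5, strong_rssi=-65):
        self.window = window
        self.threshold = threshold
        self.strong_rssi = strong_rssi          # dBm; above this, range is not the issue
        self._events = {}                       # bssid -> deque of timestamps
        self._last_beacon_rssi = {}             # bssid -> dBm of most recent beacon
        self._muted_until = {}                  # bssid -> time until which alerts are suppressed

    def feed(self, frame):
        """Consume one frame; return an alert string or None."""
        if frame.subtype == "beacon":
            self._last_beacon_rssi[frame.bssid] = frame.rssi
            return None
        if frame.subtype not in ("deauth", "disassoc"):
            return None

        q = self._events.setdefault(frame.bssid, deque())
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        if frame.ts < self._muted_until.get(frame.bssid, float("-inf")):
            return None                                  # already alerted for this burst

        self._muted_until[frame.bssid] = frame.ts + self.window
        rssi = self._last_beacon_rssi.get(frame.bssid)
        strong = rssi is not None and rssi >= self.strong_rssi
        note = " (strong signal, not a range problem)" if strong else ""
        return (f"ALERT deauth flood from {frame.bssid}: {len(q)} frames in "
                f"{self.window:.0f}s, last beacon RSSI {rssi} dBm{note}")


# Constructed sample: AP ...01 is strong and gets hammered with deauths;
# AP ...02 is weak and sees only the occasional legitimate disconnect.
SAMPLE_FRAMES = [
    MgmtFrame(0.0, "beacon", "AA:BB:CC:DD:EE:01", -48),
    MgmtFrame(0.1, "beacon", "AA:BB:CC:DD:EE:02", -79),
    *[MgmtFrame(1.0 + 0.2 * i, "deauth", "AA:BB:CC:DD:EE:01", -48) for i in range(8)],
    MgmtFrame(3.0, "disassoc", "AA:BB:CC:DD:EE:02", -80),
    MgmtFrame(9.5, "deauth", "AA:BB:CC:DD:EE:02", -81),
    MgmtFrame(40.0, "deauth", "AA:BB:CC:DD:EE:01", -48),   # isolated, window has emptied
]


def run(frames, **kwargs):
    """Feed frames through a detector and collect alerts."""
    det = DeauthFloodDetector(**kwargs)
    return [a for a in (det.feed(f) for f in frames) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_FRAMES):
        print(alert)
```

Tune `threshold` and `window` to the environment: a few deauths per minute are normal as clients roam, but dozens in seconds from a single BSSID are not. A variant keyed on the client's own MAC as the frame destination catches targeted attacks that a per-BSSID count would miss.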
4. Free rides
If you connect to a commercial hotspot the first time and it lets you use the Internet without prompting for login or payment, you might be the lucky recipient of a free ride. Plenty of hotspots offer free Internet access, but a known for-pay hotspot wouldn't behave this way unless you've connected to an evil twin posing as that hotspot. When a deal seems too good to be true, it probably is.
5. Funky portals
To grab credentials and payment data, evil twins can redirect victims to fake portal login pages, which may even be copies of the real deal. If those portal pages aren't secured with SSL, trigger certificate warnings, or simply look odd, keep all sensitive values to yourself. Better yet, take yourself out of the equation by using a hotspot connection manager for secure authentication without portal login.
6. Dubious DNS
To execute man-in-the-middle attacks, evil twins can use their own DNS to redirect user traffic to spoofed application servers. For example, if a hotspot-supplied DNS resolves all Web requests to URLs that include or correspond to non-routable private IP addresses (e.g., 192.168.x.x), that's not a good sign. While this could be something as innocent as a local Web cache, exercise caution.
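The DNS symptom described above can be checked mechanically: resolve a few well-known public hostnames through the hotspot's resolver and see whether the answers land in private or otherwise non-routable space. The script below is an added example, not from the article; it uses Python's `ipaddress` module for the address classification and takes the resolver as a parameter so that the constructed answer tables run offline (the real `resolve_via_system` function uses the OS resolver, i.e. whatever DNS the hotspot handed out). The canary hostnames are assumed, not from the article.

```python
"""Heuristic check for a hotspot DNS that redirects public names to private
addresses (added example). Works on constructed answer tables offline; call
assess_dns() with the default resolver to query the hotspot's DNS for real.
"""
import ipaddress
import socket

# Public hostnames that should never resolve to private space (assumed canaries).
CANARY_HOSTS = ("www.example.com", "www.example.net", "www.example.org")


def resolve_via_system(host):
    """Resolve through the OS resolver, which at a hotspot is the DHCP-supplied DNS."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})


def is_suspicious_address(addr):
    """True for private, loopback, link-local, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])   # strip IPv6 scope id if present
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def assess_dns(hosts=CANARY_HOSTS, resolver=resolve_via_system):
    """Return (verdict, findings). Verdicts: "ok", "investigate", "likely redirect"."""
    findings = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError as exc:
            findings[host] = ("error", str(exc))
            continue
        bad = [a for a in addrs if is_suspicious_address(a)]
        findings[host] = ("suspicious", bad) if bad else ("ok", addrs)

    flagged = [h for h, (state, _) in findings.items() if state == "suspicious"]
    if not flagged:
        return "ok", findings
    # One private answer could be a local cache; every canary landing on the
    # same private host is the signature of a resolver that answers for everyone.
    distinct_targets = {tuple(v) for state, v in findings.values() if state == "suspicious"}
    if len(flagged) == len(hosts) and len(distinct_targets) == 1:
        return "likely redirect", findings
    return "investigate", findings


def lookup_from(table):
    """Build an offline resolver from a dict of constructed answers."""
    return lambda host: table[host]


# Constructed answers, not real DNS data.
EVIL_TWIN_ANSWERS = {h: ["192.168.1.1"] for h in CANARY_HOSTS}
NORMAL_ANSWERS = {
    "www.example.com": ["93.184.216.34"],
    "www.example.net": ["104.16.1.1"],
    "www.example.org": ["93.184.216.34"],
}
MIXED_ANSWERS = dict(NORMAL_ANSWERS, **{"www.example.net": ["10.0.0.5"]})


if __name__ == "__main__":
    for name, table in (("evil twin", EVIL_TWIN_ANSWERS), ("normal", NORMAL_ANSWERS)):
        verdict, details = assess_dns(resolver=lookup_from(table))
        print(f"{name}: {verdict} {details}")
```

A captive portal that has not yet been passed will also answer every name with its own private address, so treat "likely redirect" as a reason to stop and look rather than as proof; the point is that once you have paid or logged in, the answers must change to real ones.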
7. Unfamiliar behavior
If an evil twin succeeds in directing Web requests to a spoofed site, it's up to you to authenticate that server. If you visit a familiar but unsecured site that looks slightly broken or behaves in an unusual way, it could just be undergoing maintenance or an update. Or it could be a hacked copy of the real site. Alas, for unsecured sites, there's no foolproof way to be sure.
8. Bad certs
Fortunately, secure Web servers can be authenticated by digital certificate. Your browser will even try to validate the server's certificate for you. But if a certificate warning appears, don't ignore it. Legitimate sites occasionally trigger these, but you could well have landed at a phony Web server designed to steal identities or spread malware. In particular, never blindly accept a self-signed certificate or a certificate issued by an untrusted authority.
9. Phony servers
Of course, spoofing isn't limited to Web servers. Evil twins can use free tools like karmetasploit to redirect email, file transfer, and other apps to phony servers that record logins, passwords, and message content. Fortunately, many apps support server authentication, for example, sending POP, SMTP, and FTP over TLS. To avoid falling for man-in-the-middle attacks, seize every opportunity to verify app server credentials.
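Items 8 and 9 come down to one client-side setting: does the app require a certificate that chains to a trusted authority and matches the server name, or does it accept anything? The code below is an added example (not from the article) showing that setting for a Python mail client using the standard `ssl`, `poplib` and `smtplib` modules. `strict_context()` is the configuration to use; `permissive_context()` is the "blindly accept a self-signed certificate" anti-pattern, included only so the two can be compared by `describe()`. The mail functions refuse to send credentials over a weak context and fail closed if a server offers no STARTTLS, which is what an interposed phony server would do. Host names in the usage block are placeholders.

```python
"""Strict versus permissive TLS for POP and SMTP clients (added example)."""
import poplib
import smtplib
import ssl


def strict_context():
    """Require a CA-signed certificate that matches the hostname, TLS 1.2+."""
    ctx = ssl.create_default_context()        # loads the system trust store
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def permissive_context():
    """The anti-pattern: any certificate, self-signed included, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                # must be off before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Classify a context so a client can refuse to start with weak settings."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "strict"
    return "weak"


def _require_strict(ctx):
    if describe(ctx) != "strict":
        raise ValueError("refusing to send credentials over unverified TLS")


def pop3_message_count(host, user, password, ctx=None):
    """Log in over POP3S (port 995) and return the mailbox message count."""
    ctx = ctx or strict_context()
    _require_strict(ctx)                       # raises before any socket is opened
    conn = poplib.POP3_SSL(host, 995, context=ctx)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        return count
    finally:
        conn.quit()


def smtp_send(host, user, password, sender, recipient, body, ctx=None):
    """Submit a message on port 587 with STARTTLS; fail closed if TLS is not offered."""
    ctx = ctx or strict_context()
    _require_strict(ctx)
    with smtplib.SMTP(host, 587) as conn:
        conn.ehlo()
        if not conn.has_extn("starttls"):      # a downgrading middlebox hides this
            raise RuntimeError("server offers no STARTTLS; not sending credentials")
        conn.starttls(context=ctx)             # certificate verified here under a strict ctx
        conn.ehlo()
        conn.login(user, password)
        conn.sendmail(sender, recipient, body)


if __name__ == "__main__":
    print("default client context is", describe(strict_context()))
    print("permissive context is", describe(permissive_context()))
    # Placeholder hosts; replace with your provider's POP3S / submission servers.
    # pop3_message_count("pop.example.invalid", "user", "secret")
    # smtp_send("smtp.example.invalid", "user", "secret", "a@example.invalid",
    #           "b@example.invalid", "Subject: test\r\n\r\nhello")
```

Under the strict context a phony server presenting a self-signed or wrong-name certificate makes `POP3_SSL` or `starttls` raise `ssl.SSLCertVerificationError` before the password leaves the client; that exception is the "certificate warning" of item 8, and the right response is the same: stop, don't click through.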
10. Out-of-service VPNs
Most man-in-the-middle attacks an evil twin might attempt can be defeated by sending all traffic, even public Internet traffic, over a VPN. If a hotspot lets you connect to the Internet but not to your VPN, you might be tempted to make do, but don't. While some real hotspots interfere with VPN protocols, this is a rare exception. It could be an evil twin using a phony IPsec VPN gateway to grab vulnerable IDs and shared secrets. For reliable protection against this attack, use an always-on VPN with strong mutual authentication.
Bottom line: You may never run into an evil twin, but just in case you do: forewarned is forearmed. SSL-protected apps and VPNs are excellent defenses, but they must still be used properly. Don't shoot yourself in the foot by ignoring warnings. And if a hotspot doesn't feel right, move on.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 28-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
For more help with WLAN security, follow eSecurityPlanet on Twitter @eSecurityP.