Kinaro's blog of things

Evil Twin Attack

June 05, 2019

An evil twin is a Wi-Fi access point that mimics an authentic AP so that unsuspecting users connect to it. This is achieved by using a Wi-Fi radio that can produce a signal stronger than that of the real access point. Devices automatically attempt to connect to the strongest signal. The attacker has to be on the same local area network as the target in order to carry out the attack. The evil twin AP may be configured to pass data to the real AP, or to deny service once the user attempts to log on to a fake site set up by the attacker.

So why set up one?

The sole purpose of an evil twin access point is to eavesdrop and steal information.

An attacker can use this type of access point to perform a wide variety of nefarious activities. One can sniff unencrypted connections, carry out phishing attacks by redirecting users to fraudulent websites, or modify data in transit, among many other scenarios.

Denial of Service may also be carried out against connected hosts. This is trivial to achieve, for instance by continuously sending spoofed deauth packets, which will effectively prevent users from connecting to the real access point.

In most cases, it is used to perform Man-in-the-Middle attacks against unsuspecting Wi-Fi users. Public hotspots are the most common vectors, but one can just as easily set up an AP in an office and trick staff into connecting.

In a MITM attack, two parties communicate as though the connection is private, while in reality it is controlled by the attacker. Since tools such as browsers demand some level of authentication, such as cryptographic keys signed by a third party, this attack can only succeed if the attacker is able to impersonate each node to the satisfaction of the other.

MITM attacks also allow an attacker to attempt a TLS downgrade attack. This is where the attacker forces a connected host to drop an encrypted connection in favour of an unencrypted one. All data is then transmitted in cleartext, so anyone eavesdropping on the connection can access everything, including form data such as usernames, email addresses, phone numbers and passwords.

How do I identify rogue access points?

  1. Disconnects: If a hotspot has a strong signal but your device keeps disconnecting, that might be a malicious hotspot. Whoever controls the access point could be flooding your device with deauth packets.
  2. Free Wi-Fi: If a deal seems too good to be true, it probably is.
  3. Redirects to a dubious login page: This could be someone trying to dupe you into supplying credentials. Most people reuse passwords across multiple online services, which an attacker might be relying on in order to compromise your accounts.
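
For a network you manage, the same idea can be checked automatically by comparing a Wi-Fi scan against a recorded baseline of trusted access points. The following is an added example, not code from the original post; the `KNOWN_APS` baseline format, the SSIDs, the BSSIDs and the scan rows are all constructed for illustration.

```python
# Added example: flag possible evil twins in a Wi-Fi scan.
# KNOWN_APS and SCAN are constructed sample data, not from a real network.
from collections import defaultdict

# Baseline recorded by an administrator for trusted networks (assumed format).
KNOWN_APS = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                 "security": "WPA2"},
}

# Constructed scan results: (ssid, bssid, signal_dbm, security)
SCAN = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", -67, "WPA2"),
    ("CorpWiFi", "de:ad:be:ef:00:99", -38, "OPEN"),
    ("CoffeeShop", "11:22:33:44:55:66", -70, "OPEN"),
    ("CoffeeShop", "11:22:33:44:55:77", -45, "WPA2"),
]

def find_suspects(scan, known):
    """Return (ssid, bssid, reasons) for each AP that deserves a closer look."""
    by_ssid = defaultdict(list)
    for ssid, bssid, signal, sec in scan:
        by_ssid[ssid].append((bssid.lower(), signal, sec))

    suspects = []
    for ssid, aps in by_ssid.items():
        profile = known.get(ssid)
        for bssid, signal, sec in aps:
            reasons = []
            if profile:
                if bssid not in profile["bssids"]:
                    reasons.append("unknown BSSID for trusted SSID")
                    # An evil twin relies on out-shouting the real AP.
                    trusted = [s for b, s, _ in aps if b in profile["bssids"]]
                    if trusted and signal > max(trusted):
                        reasons.append("stronger than every known AP")
                if sec != profile["security"]:
                    reasons.append(f"security {sec}, expected {profile['security']}")
            elif sec == "OPEN" and len({s for _, _, s in aps}) > 1:
                # No baseline: an open copy of an encrypted SSID is still odd.
                reasons.append("open AP shares SSID with an encrypted one")
            if reasons:
                suspects.append((ssid, bssid, reasons))
    return suspects

if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspects(SCAN, KNOWN_APS):
        print(f"{ssid} {bssid}: " + "; ".join(reasons))
```

A newly installed legitimate AP will also show up as an unknown BSSID until the baseline is updated, so treat a hit as a prompt to investigate rather than as proof.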

How do I defend myself?

  • Use a VPN when you connect to an untrusted network.
  • Disable automatic Wi-Fi connections
  • Don’t supply login credentials over an insecure connection. Secure connections usually have a green lock icon in the URL bar. Yellow signifies that there are issues. However, a rogue access point may redirect you to a fake login page that has SSL enabled.

Felix Kinaro
