Evil Twin

What is an Evil Twin?

Hackers need impatient web users to pull off an evil twin attack. Unfortunately, plenty of us fall into this category. When we go into a public space, such as a library or a coffee shop, we expect that establishment to offer free and fast WiFi. In fact, reporters even rank businesses by their connection speeds.

But that speed and convenience come with a cost. Hackers can quickly take over a safe-seeming WiFi connection and see (or steal) anything users do online.

An attack typically works like this:

  • Step 1: Set up an evil twin access point. A hacker looks for a location with free, popular WiFi. The hacker takes note of the Service Set Identifier (SSID) name. Then, the hacker uses a tool like a WiFi Pineapple to set up a new access point with the same SSID. Connecting devices can't differentiate between the legitimate network and the fake version.

  • Step 2: Set up a fake captive portal. Before you can sign in to most public WiFi accounts, you must fill in data on a generic login page. A hacker will set up an exact copy of this page, hoping that they will trick the victim into offering up authentication details. Once the hacker has those, they can log in to the network and control it.

  • Step 3: Encourage victims to connect to the evil twin WiFi. The hacker moves close to victims and broadcasts a stronger signal than the valid access point. Anyone new will only see the evil twin, and they will tap and log in. The hacker can kick off anyone currently connected with a distributed denial of service (DDoS) attack, which temporarily takes the valid server offline and prompts mass logins.

  • Step 4: The hacker steals the data. Anyone who logs in connects via the hacker. This is a classic man-in-the-middle attack, which allows the attacker to monitor anything that happens online. If the user logs into something sensitive (like a bank account), the hacker can see all the login details and save them for later use.

Customer participation is critical in an evil twin WiFi attack. And unfortunately, only about half of all consumers think they're responsible for securing their data on a public WiFi account. Most think the companies that offer connections will protect them. The companies may disagree.

How Does Evil Twin Work?

When an evil twin AP is present, a threat actor broadcasts the same SSID as the legitimate AP (and often the same BSSID, the MAC address of the legitimate AP's radio) to fool the device into connecting (image below).

While within range of the target SSID, attackers begin by broadcasting the same SSID. This is straightforward and can even be done on smartphones with data plans that allow mobile Wi-Fi hotspot tethering. Attackers looking to avoid drawing suspicion toward antennas and battery packs typically opt for a popular tool called bettercap, which can run natively on Linux, Mac, Windows, and Android systems.

Additionally, it's important to note that evil twin attackers need a client with a radio that supports "monitor mode."

If the target SSID is a busy open hotspot, victim clients will connect to the evil twin AP within seconds. If the target is a private, PSK-encrypted SSID, then the attacker would need knowledge of the PSK (a service offered online that requires packet capture files of the WPA/WPA2 handshake sequence).

Most Wi-Fi clients and their human operators choose to "auto join" previously saved Wi-Fi networks. If the attacker can't successfully trick the victim into connecting to the evil twin, he can simply break the connection between the victim and any legitimate AP he or she is using by flooding a client and/or associated AP with spoofed de-authentication frames in what's called a de-authentication attack. This means that the target device and AP are informed that their connection has been dropped.

Once a client is connected to the evil twin AP, the hard part of the attack is over. This entire process is used to allow attackers to establish MitM (man-in-the-middle) positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log in the user. As the target, you might believe you've simply logged in to your email account as always, but in reality you have handed your credentials over to an attacker.

Detecting Evil Twin

AirGuard can detect two types of evil twins:

  1. AP spoofs

    A malicious AP mimics a legitimate AP by spoofing only its SSID name.

  2. AP Impersonation

    A malicious AP impersonates not only the SSID name but also the BSSID (the wireless MAC address), which makes it indistinguishable from the original AP to ordinary clients.

The system not only helps detect the evil twin but also helps analyze the attack in detail.
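The two detection classes above can be illustrated with a small beacon classifier. This is an added example, not AirGuard code: it assumes a constructed inventory of managed APs (`MANAGED_APS`) and a constructed scan result (`SAMPLE_SCAN`), and flags a managed SSID on an unknown BSSID as an AP spoof, and a managed BSSID beaconing on a channel that does not match inventory as AP impersonation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    """One observed 802.11 beacon frame, as a scanner would record it."""
    ssid: str
    bssid: str      # transmitter MAC address of the AP
    channel: int
    rssi: int       # received signal strength in dBm

# Constructed inventory of managed APs: BSSID -> (SSID, channel).
# In a real deployment this comes from the controller, not a literal.
MANAGED_APS = {
    "00:11:22:33:44:01": ("Corp-Guest", 6),
    "00:11:22:33:44:02": ("Corp-Guest", 11),
}

def classify_beacons(beacons, managed=MANAGED_APS):
    """Return sorted (alert_type, bssid, channel, rssi) tuples for suspicious beacons.

    AP_SPOOF:         a managed SSID advertised from a BSSID we do not own.
    AP_IMPERSONATION: a managed BSSID advertised on a channel that does not
                      match inventory (one radio cannot beacon on two channels,
                      so a second channel means a second transmitter).
    """
    managed_ssids = {ssid for ssid, _ in managed.values()}
    alerts = set()
    for b in beacons:
        bssid = b.bssid.lower()
        if b.ssid not in managed_ssids:
            continue                       # someone else's network; out of scope
        entry = managed.get(bssid)
        if entry is None:
            alerts.add(("AP_SPOOF", bssid, b.channel, b.rssi))
        elif entry[1] != b.channel:
            alerts.add(("AP_IMPERSONATION", bssid, b.channel, b.rssi))
    return sorted(alerts)

# Constructed sample scan: two legitimate APs, one spoof, one BSSID clone.
SAMPLE_SCAN = [
    Beacon("Corp-Guest", "00:11:22:33:44:01", 6, -55),
    Beacon("Corp-Guest", "00:11:22:33:44:02", 11, -61),
    Beacon("Corp-Guest", "DE:AD:BE:EF:00:01", 6, -40),   # our SSID, unknown BSSID
    Beacon("Corp-Guest", "00:11:22:33:44:01", 1, -38),   # our BSSID, wrong channel
    Beacon("Neighbor", "aa:bb:cc:dd:ee:ff", 1, -70),     # unrelated network
]
```

A production WIPS would add further fingerprints (beacon interval, capability bits, vendor IEs, signal history) to catch a clone that also copies the channel.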

Preventing Evil Twin AP Attacks

EnGenius AirGuard offers wireless intrusion prevention systems (WIPS) solutions to detect the presence of an evil twin AP and contain any managed corporate clients from connecting to them. (Full disclosure: EnGenius is one of a number of companies that provide such services.)

For Wi-Fi users, an evil twin AP is nearly impossible to detect because the SSID appears legitimate and the attackers typically provide Internet service.
