Anatomy of a Wireless
"Evil Twin" Attack (Part 1)
by Lisa Phifer,
Vice President, Core Competence Inc.
"Evil Twin" is one of several catchy labels referring to attacks in
which unsuspecting Wi-Fi users are tricked into associating with a phony
wireless Access Point (AP). Also known as AP Phishing, Wi-Fi Phishing,
Hotspotter, or Honeypot AP, these attacks use phony APs with faked login
pages to capture credentials and credit card numbers, launch
man-in-the-middle attacks, or infect wireless hosts.
Fortunately, there are steps you can take to defend yourself from Evil
Twins, ranging from user education to strong authentication. Let's
disassemble this attack to see where vulnerabilities are exploited and
mistakes are made during an Evil Twin attack.
Leveraging a weak foundation
Users fall for e-mail phishing because fake messages are easy to craft,
and SMTP senders are not required to authenticate. Evil Twin Wi-Fi
phishing exploits similar weaknesses: 802.11 management packets are easily
forged, and APs do not prove their identity. To make matters worse,
laptops, PDAs, and other Wi-Fi devices automatically select and connect to
the AP offering the best signal within a named wireless LAN (WLAN).
As shown in Figure
1, 802.11 associations are initiated by users requesting WLAN access
from their stations. APs advertise their presence by sending
Beacons, which stations can listen for passively. Or stations can
actively send Probe Requests to solicit Probe Responses from all APs with
a given ESSID. ESSID (Extended Service Set ID) is the name given to any
group of APs providing wireless access to the same upstream network, such
as a corporate network or the Internet. Stations can be configured to
probe for specific ESSIDs, but Windows XP Wireless Zero Config (and
many other Wi-Fi client utilities) also send broadcast Probe Requests with
an empty (wildcard) ESSID, so that every AP in range answers and the station
can build its list of Available Wireless Networks.
AP Beacons and Probe Responses carry information about the WLAN,
including an identifier (Basic Service Set ID, or BSSID) that is usually
the AP's MAC
address. Based on signal strength and advertised capabilities, the
station sends the "best" AP an Authenticate Request. An AP using WEP Shared Key
authentication can challenge the station to prove it knows the shared key. But
most WLANs use Open System authentication: the AP just returns an Authenticate
Response. The pair exchange an
Associate Request/Response to establish a data connection that lasts until
either party sends a Disassociate or Deauthenticate packet.
Why does this exchange leave stations vulnerable to Evil Twin attack?
- Stations connect to any AP with a given ESSID. ESSIDs are advertised
names, visible to all within radio range. Even if you've configured your
AP to omit the ESSID from its Beacon, the ESSID is still sent in the clear
in Probe Requests, Probe Responses, and Associate Requests. Thus, any
would-be attacker can learn the ESSID and make an AP appear to be a member
of someone else's WLAN by using, for example, your AP's ESSID; a common
default ESSID (e.g., "linksys"); or a hotspot ESSID (e.g., "tmobile").
- The AP identifies itself with a public address that is not
authenticated. Although every LAN device has a unique factory-set
address, MAC addresses are easily reconfigured by Network Interface Card
(NIC) utilities and programs like SMAC. Thus, any 802.11
device can transmit packets that appear to originate from your AP or
your station's MAC address.
- None of these 802.11 management packets are cryptographically
protected against eavesdropping, modification, insertion, or replay.
Attackers can easily capture legitimate packets using open source tools,
resending them later with modifications. Evil Twin attacks sometimes
begin with sending forged Deauthenticate or Disassociate packets to
disrupt existing associations, forcing stations to repeat the sequence
shown in Figure 1.
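The weaknesses listed above are easy to see at the byte level. The following is an added example (not code from the original article or any tool it names) that builds and decodes the three management frames an Evil Twin depends on: a Beacon carrying the ESSID and BSSID, a Probe Request in which the station announces the ESSID it wants, and a Deauthenticate frame whose source address is simply whatever the sender writes into it. MAC addresses, ESSIDs, and channel numbers are constructed for illustration; nothing is transmitted.

```python
"""Build and decode unprotected 802.11 management frames (constructed data only)."""
import struct

MGMT = 0                                   # frame type 0 = management
SUBTYPE = {"probe_req": 4, "probe_resp": 5, "beacon": 8,
           "disassoc": 10, "auth": 11, "deauth": 12}
SUBTYPE_NAME = {v: k for k, v in SUBTYPE.items()}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_header(subtype, addr1, addr2, addr3, seq=0):
    """24-byte management header. Addr2 (source) and Addr3 (BSSID) are whatever
    the sender chooses to write; no field proves who really sent the frame."""
    fc = bytes([(subtype << 4) | (MGMT << 2), 0x00])   # version 0, flags 0 (Protected bit clear)
    return (fc + struct.pack("<H", 0) + mac_to_bytes(addr1)
            + mac_to_bytes(addr2) + mac_to_bytes(addr3) + struct.pack("<H", seq << 4))


def ssid_ie(ssid):
    raw = ssid.encode()
    return bytes([0, len(raw)]) + raw                   # information element tag 0 = SSID


def beacon(bssid, ssid, channel, hidden=False, interval=100):
    """Beacon: timestamp, interval, capability, then IEs. A 'hidden' ESSID is
    just a zero-length SSID IE; the BSSID is still there for anyone to copy."""
    body = struct.pack("<QHH", 0, interval, 0x0001)     # capability bit 0 = ESS (infrastructure)
    body += ssid_ie("" if hidden else ssid)
    body += bytes([3, 1, channel])                      # tag 3 = DS Parameter Set (channel)
    return mgmt_header(SUBTYPE["beacon"], BROADCAST, bssid, bssid) + body


def probe_request(station, ssid):
    """What a station sends when it looks for a named WLAN: the ESSID in clear text."""
    return mgmt_header(SUBTYPE["probe_req"], BROADCAST, station, BROADCAST) + ssid_ie(ssid)


def deauth(victim, ap_bssid, reason=7):
    """Forged Deauthenticate. Anyone can write ap_bssid into Addr2/Addr3.
    Reason 7 = class 3 frame received from a non-associated station."""
    return mgmt_header(SUBTYPE["deauth"], victim, ap_bssid, ap_bssid) + struct.pack("<H", reason)


def parse_ies(raw):
    """Walk tag/length/value information elements, keeping SSID and channel."""
    ies, i = {}, 0
    while i + 2 <= len(raw):
        tag, ln = raw[i], raw[i + 1]
        val = raw[i + 2:i + 2 + ln]
        if tag == 0:
            ies["ssid"] = val.decode(errors="replace")
        elif tag == 3 and ln == 1:
            ies["channel"] = val[0]
        i += 2 + ln
    return ies


def parse(frame):
    """Decode a management frame into the fields an attacker or IDS would look at."""
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != MGMT:
        raise ValueError("not a management frame")
    subtype = fc0 >> 4
    info = {"subtype": SUBTYPE_NAME.get(subtype, subtype),
            "da": bytes_to_mac(frame[4:10]),
            "sa": bytes_to_mac(frame[10:16]),
            "bssid": bytes_to_mac(frame[16:22]),
            "protected": bool(fc1 & 0x40)}              # Protected Frame bit: never set on these
    body = frame[24:]
    if subtype in (SUBTYPE["beacon"], SUBTYPE["probe_resp"]):
        info["capability"] = struct.unpack_from("<H", body, 10)[0]
        info.update(parse_ies(body[12:]))
    elif subtype == SUBTYPE["probe_req"]:
        info.update(parse_ies(body))
    elif subtype in (SUBTYPE["deauth"], SUBTYPE["disassoc"]):
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    return info


if __name__ == "__main__":
    legit_ap, victim = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # constructed addresses
    for f in (beacon(legit_ap, "CorpNet", 6), beacon(legit_ap, "CorpNet", 6, hidden=True),
              probe_request(victim, "CorpNet"), deauth(victim, legit_ap)):
        print(parse(f))
```

Note that `parse()` reports `protected: False` for every one of these frames: there is no field whose value an Evil Twin could not reproduce, and the hidden-ESSID Beacon only moves the name into the station's Probe Request, where it is just as visible.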
Wouldn't using Wired Equivalent Privacy (WEP)
or Wi-Fi Protected Access (WPA)
eliminate these weaknesses? The answer is no. WEP, WPA, and WPA2
(802.11i) protect data frames once an association is established, but
they leave management frames unprotected, so they cannot prevent ESSID,
BSSID, or MAC address spoofing, or forged Deauthenticate and Disassociate
packets. However, as we will see, 802.1X
can potentially detect an Evil Twin before the user is compromised.
Setting the trap
Now that we've seen how legitimate 802.11 associations form, let's
consider what happens during an Evil Twin attack.
First, the attacker targets an ESSID. In a conference center, hotel, or
airport, the attacker can use that venue's hotspot ESSID. Or he can run Hotspotter
to listen for Probes from nearby stations, watching for common ESSIDs.
Because Windows XP automatically probes for every ESSID in its list of
preferred (previously used) networks, it is not hard to find stations
seeking residential or hotspot ESSIDs. To target a specific WLAN, the
attacker can run NetStumbler, Wellenreiter, Ethereal, or another freely
available tool to identify that WLAN's ESSID.
Next, the attacker deploys a phony AP (broadcasting the target ESSID)
near victim stations. The attacker could deploy a hardware AP, but more
often runs AP software (e.g., HostAP, SoftAP, wifiBSD) on a laptop or PDA. For
example, Quetec's 4-in-1 PC card can
turn any Windows PC into a SoftAP, creating a platform for further
Since most stations will associate with any AP having a given ESSID, it
may not be necessary to forge the AP's MAC address. But if the victim has
tried to stop rogue associations by using a MAC-based Access Control List,
or the attacker hopes to confuse Intrusion Detection Systems, the phony
AP's MAC address can be set to a legitimate BSSID, thereby creating a
"Base Station Clone." This is how the attack earns the nickname "Evil Twin."
To bait the trap, the phony AP is usually connected to the Internet or
your company's network. For example, a Hotspotter AP can be plugged into a
hotel's wired broadband connection, using "free Internet" to lure
unsuspecting guests. Or a laptop running SoftAP can use a second wireless
NIC to associate with a legitimate AP, transparently relaying traffic
between victims and the upstream network they had intended to reach.
Reeling in the victim
Launching a phony AP in a populated area is often enough to attract
victims. For example, a SoftAP sitting near you in an airport or cafe may
present a stronger signal than the legitimate AP, hidden in the distance.
At the office, employee laptops will automatically reconnect to a phony AP
broadcasting recently-used home/hotspot ESSIDs. If intended victims don't
associate to the phony AP without encouragement, the attacker can force
roaming by using AirJack
or void11 to send
Deauthenticate or Disassociate packets, carrying the legitimate WLAN's
Once a victim associates to a phony AP, the attacker has a "man in the
middle" platform from which to launch exploits. Conceptually, the AP's
position is similar to that achieved in Ethernet LANs through ARP
Poisoning. But it is easier to achieve through an Evil Twin, since the
attacker does not need physical access to a LAN port or switch, and
wireless stations put themselves at high risk by associating promiscuously.
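The phony AP described under "Setting the trap" and the forced roaming described above both leave traces that a wireless monitor can look for: a foreign BSSID advertising your ESSID, a known BSSID suddenly beaconing with the wrong channel or without privacy, and a burst of Deauthenticate/Disassociate frames "from" your AP. The following is an added example (not code from the original article or from any WIDS product) of three such rules run over constructed, already-decoded frame summaries of the kind a monitoring sensor produces. The inventory of legitimate APs, the addresses, the thresholds, and the sample frames are all assumptions for illustration.

```python
"""Toy wireless-IDS rules for spotting an Evil Twin / Base Station Clone.
Input is decoded management-frame summaries; all data here is constructed."""
from collections import defaultdict

# Assumed inventory of legitimate APs: BSSID -> what it is supposed to advertise.
# 'privacy' is the Privacy bit (0x0010) from the Beacon capability field.
INVENTORY = {
    "00:11:22:33:44:55": {"ssid": "CorpNet", "channel": 6, "privacy": True},
    "00:11:22:33:44:56": {"ssid": "CorpNet", "channel": 11, "privacy": True},
}
DEAUTH_THRESHOLD = 5      # deauth/disassoc frames per source per window before alerting
WINDOW = 2.0              # seconds


def check_beacon(obs, inventory=INVENTORY):
    """One decoded Beacon/Probe Response: is the advertiser who it claims to be?"""
    known = inventory.get(obs["bssid"])
    our_ssids = {ap["ssid"] for ap in inventory.values()}
    if known is None:
        if obs["ssid"] in our_ssids:          # Evil Twin: our ESSID from an unknown AP
            return f"unknown AP {obs['bssid']} advertising our ESSID {obs['ssid']!r}"
        return None                           # neighbour's WLAN: not our problem
    mismatches = [f for f in ("ssid", "channel", "privacy") if obs[f] != known[f]]
    if mismatches:                            # Base Station Clone: right BSSID, wrong facts
        return f"BSSID {obs['bssid']} cloned: {', '.join(mismatches)} differ from inventory"
    return None


def check_deauths(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW):
    """Flag any source that sends a burst of Deauth/Disassoc within the window."""
    by_src = defaultdict(list)
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            by_src[f["sa"]].append(f["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts.append(f"{n} deauth/disassoc from {src} within {window}s")
                break
    return alerts


def analyze(frames, inventory=INVENTORY):
    """Run all rules over a capture window; return de-duplicated alert strings."""
    alerts = []
    for f in frames:
        if f["subtype"] in ("beacon", "probe_resp"):
            a = check_beacon(f, inventory)
            if a and a not in alerts:
                alerts.append(a)
    alerts.extend(check_deauths(frames))
    return alerts


# Constructed sensor output: roughly one second on channel 6 near the office.
SAMPLE_FRAMES = [
    {"ts": 0.00, "subtype": "beacon", "sa": "00:11:22:33:44:55", "bssid": "00:11:22:33:44:55",
     "ssid": "CorpNet", "channel": 6, "privacy": True},                       # legitimate
    {"ts": 0.10, "subtype": "beacon", "sa": "00:11:22:33:44:56", "bssid": "00:11:22:33:44:56",
     "ssid": "CorpNet", "channel": 11, "privacy": True},                      # legitimate
    {"ts": 0.15, "subtype": "beacon", "sa": "de:ad:be:ef:00:01", "bssid": "de:ad:be:ef:00:01",
     "ssid": "CorpNet", "channel": 6, "privacy": False},                      # Evil Twin (open AP, our ESSID)
    {"ts": 0.20, "subtype": "beacon", "sa": "00:11:22:33:44:55", "bssid": "00:11:22:33:44:55",
     "ssid": "CorpNet", "channel": 1, "privacy": False},                      # clone of a real BSSID
    {"ts": 0.30, "subtype": "beacon", "sa": "c0:ff:ee:00:00:01", "bssid": "c0:ff:ee:00:00:01",
     "ssid": "linksys", "channel": 6, "privacy": False},                      # neighbour, ignored
] + [
    {"ts": 0.50 + 0.05 * i, "subtype": "deauth", "sa": "00:11:22:33:44:55",
     "bssid": "00:11:22:33:44:55", "da": "aa:bb:cc:dd:ee:01", "reason": 7}   # forced-roaming burst
    for i in range(8)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print("ALERT:", alert)
```

The clone rule only fires when the attacker gets some advertised detail wrong; a clone that copies BSSID, channel, and capabilities exactly has to be caught by other evidence (sequence-number discontinuities, signal strength and sensor location, or two APs with the same BSSID heard at once), which is why commercial sensors combine several such heuristics rather than relying on one.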
What comes next?
- Using any Web server (IIS, Apache), the attacker can present a fake
hotspot login page to steal the victim's username, password, or credit
card number. Airsnarf, a shell
script, demonstrates this simple attack.
- Victims can be redirected to the fake portal or any phony server by
DNS spoofing. The attacker either uses DHCP to designate himself as the
WLAN's DNS server, or intercepts queries addressed to other DNS servers.
The phony AP's DNS server then resolves e-commerce hostnames to the
attacker's own machine, so that it can present look-alike Web pages.
- There, common Web phishing attacks can solicit confidential
information or use active content to infect the station. For example, at
Interop 2005, AirDefense
identified APs posing as a free wireless network, presenting a malicious
Web page that downloaded a virus whenever the victim clicked anywhere on
- As described in "Nandi
versus Virtual Virtuoso: Part 2," application packet injection tools
like Airpwn can
modify content sent to victims. Airpwn listens to one wireless NIC and
injects traffic through a second wireless NIC -- for example, responding
to any "GET" or "POST" packet with an offensive graphic image.
- Finally, a phony AP can run traditional man-in-the-middle (MitM)
tools like Dsniff and
Cain. Dsniff can get at
encrypted data by tricking SSH clients into accepting a forged SSH
server public key (sshmitm), or tricking Web users into accepting a forged
SSL server certificate (webmitm). Cain also records cleartext passwords
sent by common applications like email. These are just two of many MitM
attacks that can be run on a phony AP to take advantage of traffic relayed
between the victim and upstream servers.
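The DNS spoofing step in the list above has a signature a station (or a sensor on the WLAN) can check for: answers that send public hostnames to the hotspot gateway, to loopback, or to RFC 1918 space, and one address that "serves" many unrelated names. The following is an added example (not code from the original article or from any of the tools it names) that parses A records out of DNS responses in wire format and applies those checks. The gateway address, the hostnames, the IP addresses, and the responses themselves are constructed for illustration; the builder exists only so the sample runs offline.

```python
"""Spot Evil-Twin-style DNS spoofing in DNS responses (constructed samples)."""
import ipaddress
import struct
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_a_response(txid, name, ip, ttl=60):
    """Minimal DNS response: one question, one A answer whose name is a
    compression pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; qd=1, an=1
    question = encode_name(name) + struct.pack(">HH", 1, 1)     # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer


def read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                    # compression pointer
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                                          # skip questions
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def audit(responses, gateway, max_names_per_ip=2):
    """Flag answers pointing public names at the gateway or non-routable space,
    and any single address that answers for an implausible number of names."""
    alerts, names_by_ip = [], defaultdict(set)
    for raw in responses:
        for name, ip, _ttl in parse_a_answers(raw):
            addr = ipaddress.IPv4Address(ip)
            names_by_ip[ip].add(name)
            if ip == gateway:
                alerts.append(f"{name} resolves to the gateway {gateway}")
            elif addr.is_loopback or any(addr in net for net in RFC1918):
                alerts.append(f"{name} resolves to non-routable {ip}")
    for ip, names in names_by_ip.items():
        if len(names) > max_names_per_ip:
            alerts.append(f"{ip} answers for {len(names)} different names: {sorted(names)}")
    return alerts


GATEWAY = "10.0.0.1"                   # assumed hotspot gateway / phony AP address
SAMPLE_RESPONSES = [                   # constructed: what a victim behind the phony AP might receive
    build_a_response(1, "www.example-bank.com", "10.0.0.1"),      # e-commerce site -> attacker
    build_a_response(2, "shop.example.net", "10.0.0.1"),
    build_a_response(3, "mail.example.org", "10.0.0.1"),
    build_a_response(4, "www.example.com", "192.0.2.10"),          # passed through unchanged
    build_a_response(5, "login.example-shop.com", "127.0.0.1"),    # "localhost" answer
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_RESPONSES, GATEWAY):
        print("ALERT:", alert)
```

The same check is worth applying to the DHCP lease itself: if the DNS server the hotspot hands out is the gateway address rather than the provider's resolvers, the attacker has taken the easier of the two routes the list above describes, and every later answer should be treated as untrusted.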
Now that you've followed the steps of an Evil Twin attack, what can you
do to counteract them? I suggest eight countermeasures in Part
2 of this article.
Copyright © 2005, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.