Republished with permission from WatchGuard Technologies, Inc.


Anatomy of a Wireless "Evil Twin" Attack (Part 1)

by Lisa Phifer, Vice President, Core Competence Inc.

"Evil Twin" is one of several catchy labels referring to attacks in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point (AP). Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.

Fortunately, there are steps you can take to defend yourself from Evil Twins, ranging from user education to strong authentication. Let's disassemble this attack to see where vulnerabilities are exploited and mistakes are made during an Evil Twin attack.

Leveraging a weak foundation

Users fall for e-mail phishing because fake messages are easy to craft, and SMTP senders are not required to authenticate. Evil Twin Wi-Fi phishing exploits similar weaknesses: 802.11 management packets are easily forged, and APs do not prove their identity. To make matters worse, laptops, PDAs, and other Wi-Fi devices automatically select and connect to the AP offering the best signal within a named wireless LAN (WLAN).

As shown in Figure 1, 802.11 associations are initiated by users requesting WLAN access from their stations. APs advertise their presence by sending Beacons, which stations can listen for passively. Or stations can actively send Probe Requests to solicit Probe Responses from all APs with a given ESSID. ESSID (Extended Service Set ID) is the name given to any group of APs providing wireless access to the same upstream network, such as a corporate network or the Internet. Stations can be configured to probe for specific ESSIDs, but Windows XP Wireless Zero Config (and many other Wi-Fi client utilities) probe for any ESSID to discover a list of Available Wireless Networks.

AP Beacons and Probe Responses carry information about the WLAN, including an identifier (Basic Service Set ID, or BSSID) that is usually the AP's MAC address. Based on signal strength and advertised capabilities, the station sends the "best" AP an Authenticate Request. An AP using WEP can optionally challenge the station to prove it knows a shared key. But in most WLANs, the AP just returns an Authenticate Response. The pair exchange an Associate Request/Response to establish a data connection that lasts until either party sends a Disassociate or Deauthenticate packet.

Why does this exchange leave stations vulnerable to Evil Twin attack?

  1. Stations connect to any AP with a given ESSID. ESSIDs are advertised names, visible to all within radio range. Even if you've configured your AP to omit the ESSID from its Beacon, the ESSID is still sent in Probe, Authenticate, and Associate packets. Thus, any would-be attacker can see the ESSID and make an AP appear as though it were a member of someone else's WLAN by using, for example, your AP's ESSID; a common default ESSID (e.g., "linksys"); or a hotspot ESSID (e.g., "tmobile").
  2. The AP identifies itself with a public address that is not authenticated. Although every LAN device has a unique factory-set address, MAC addresses are easily reconfigured by Network Interface Card (NIC) utilities and programs like SMAC. Thus, any 802.11 device can transmit packets that appear to originate from your AP or your station's MAC address.
  3. None of these 802.11 management packets are cryptographically protected against eavesdropping, modification, insertion, or replay. Attackers can easily capture legitimate packets using open source tools, resending them later with modifications. Evil Twin attacks sometimes begin with sending forged Deauthenticate or Disassociate packets to disrupt existing associations, forcing stations to repeat the sequence shown in Figure 1.

Wouldn't using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) eliminate these weaknesses? The answer is no. WEP, WPA, and WPA2 (802.11i) encrypt data after the association is established, but cannot prevent ESSID, BSSID, MAC address, or management packet spoofing. However, as we will see, 802.1X can potentially detect an Evil Twin before the user can be compromised.
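As an added illustration of the three weaknesses listed above (example code, not from the original article), here is a passive detector in the style of a simple wireless IDS: it compares observed Beacon and Deauthenticate frames against an inventory of authorized APs and flags an unknown BSSID advertising our ESSID, a known BSSID whose channel or Privacy bit disagrees with the inventory, and a burst of Deauthenticates carrying a legitimate BSSID. The inventory, thresholds, and frame records are constructed for the example; a real deployment would feed it frames decoded from a monitor-mode capture.

```python
from collections import defaultdict

# Constructed inventory of the legitimate WLAN: BSSID -> (ESSID, channel, Privacy bit set)
AUTHORIZED = {
    "00:11:22:33:44:01": ("corpnet", 6, True),
    "00:11:22:33:44:02": ("corpnet", 11, True),
}
DEAUTH_THRESHOLD = 5    # deauths carrying one BSSID within WINDOW_SECONDS before alerting
WINDOW_SECONDS = 2.0

def analyze(frames):
    """Return sorted alert strings for a list of management-frame records.

    Each record is a dict: t (seconds), type ('beacon' or 'deauth'), bssid,
    and for beacons also essid, channel and privacy (the Privacy capability bit).
    """
    our_essids = {essid for essid, _, _ in AUTHORIZED.values()}
    alerts, deauth_times = set(), defaultdict(list)
    for f in frames:
        bssid = f["bssid"].lower()
        if f["type"] == "beacon":
            if bssid not in AUTHORIZED:
                # Weakness 1: any radio can advertise our ESSID; an unknown BSSID doing so is a twin
                if f["essid"] in our_essids:
                    alerts.add(f"evil-twin: unknown BSSID {bssid} advertising {f['essid']!r}")
                continue
            essid, channel, privacy = AUTHORIZED[bssid]
            # Weakness 2: a forged BSSID rarely matches every parameter of the real AP
            if f["essid"] != essid or f["channel"] != channel:
                alerts.add(f"clone: {bssid} seen as {f['essid']!r} on channel {f['channel']}, "
                           f"inventory says {essid!r} on channel {channel}")
            if privacy and not f["privacy"]:
                alerts.add(f"clone: {bssid} advertising an open network, inventory says encrypted")
        elif f["type"] == "deauth" and bssid in AUTHORIZED:
            # Weakness 3: Deauthenticate frames are unauthenticated; a burst from "our" BSSID is a forced roam
            recent = [x for x in deauth_times[bssid] if f["t"] - x <= WINDOW_SECONDS] + [f["t"]]
            deauth_times[bssid] = recent
            if len(recent) >= DEAUTH_THRESHOLD:
                alerts.add(f"deauth-flood: {DEAUTH_THRESHOLD}+ deauths within {WINDOW_SECONDS}s carrying {bssid}")
    return sorted(alerts)

# Constructed sensor log: one genuine beacon, an unknown twin, a mis-parameterised clone,
# a neighbour's "linksys" AP (no alert), then six deauths spoofing our first AP.
SAMPLE_FRAMES = [
    {"t": 0.0, "type": "beacon", "bssid": "00:11:22:33:44:01", "essid": "corpnet", "channel": 6, "privacy": True},
    {"t": 0.1, "type": "beacon", "bssid": "0a:0b:0c:0d:0e:0f", "essid": "corpnet", "channel": 1, "privacy": False},
    {"t": 0.2, "type": "beacon", "bssid": "00:11:22:33:44:02", "essid": "corpnet", "channel": 3, "privacy": False},
    {"t": 0.3, "type": "beacon", "bssid": "aa:bb:cc:dd:ee:ff", "essid": "linksys", "channel": 6, "privacy": False},
] + [{"t": 1.0 + 0.1 * i, "type": "deauth", "bssid": "00:11:22:33:44:01"} for i in range(6)]
```

Running `analyze(SAMPLE_FRAMES)` yields four alerts: one evil-twin, two clone findings for the second AP, and one deauth flood; the neighbouring "linksys" AP is ignored because its ESSID is not ours.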

Setting the trap

Now that we've seen how legitimate 802.11 associations form, let's consider what happens during an Evil Twin attack.

First, the attacker targets an ESSID. In a conference center, hotel, or airport, the attacker can use that venue's hotspot ESSID. Or he can run Hotspotter to listen for Probes from nearby stations, watching for common ESSIDs. Because Windows XP automatically probes for every ESSID it has associated with in the past, it is not hard to find stations seeking residential or hotspot ESSIDs. To target a specific WLAN, the attacker can run NetStumbler, Wellenreiter, Ethereal, or another freely available stumbler or analyzer to identify a WLAN's ESSID.

Next, the attacker deploys a phony AP (broadcasting the target ESSID) near victim stations. The attacker could deploy a hardware AP, but more often runs AP software (e.g., HostAP, SoftAP, wifiBSD) on a laptop or PDA. For example, Quetec's 4-in-1 PC card can turn any Windows PC into a SoftAP, creating a platform for further attacks.

Since most stations will associate with any AP having a given ESSID, it may not be necessary to forge the AP's MAC address. But if the victim has tried to stop rogue associations by using a MAC-based Access Control List, or the attacker hopes to confuse Intrusion Detection Systems, the phony AP's MAC address can be set to a legitimate BSSID, thereby creating a "Base Station Clone." This is how the attack earns the nickname, "Evil Twin."

To bait the trap, the phony AP is usually connected to the Internet or your company's network. For example, a Hotspotter AP can be plugged into a hotel's wired broadband connection, using "free Internet" to lure unsuspecting guests. Or a laptop running SoftAP can use a second wireless NIC to associate with a legitimate AP, transparently relaying traffic between victims and the upstream network they had intended to reach.

Reeling in the victim

Launching a phony AP in a populated area is often enough to attract victims. For example, a SoftAP sitting near you in an airport or cafe may present a stronger signal than the legitimate AP, hidden in the distance. At the office, employee laptops will automatically reconnect to a phony AP broadcasting recently used home/hotspot ESSIDs. If intended victims don't associate to the phony AP without encouragement, the attacker can force roaming by using AirJack or void11 to send Deauthenticate or Disassociate packets carrying the legitimate WLAN's BSSID.

Once a victim associates to a phony AP, the attacker has a "man in the middle" platform from which to launch exploits. Conceptually, the AP's position is similar to that accomplished in Ethernet LANs through ARP Poisoning. But it's easier to achieve this through an Evil Twin, since the attacker does not require physical access to a LAN port or switch, and wireless stations put themselves at high risk by behaving promiscuously.

What comes next?

  • Using any Web server (IIS, Apache), the attacker can present a fake hotspot login page to steal the victim's username, password, or credit card number. Airsnarf, a shell script, demonstrates this simple attack.
  • Victims can be redirected to the fake portal or any phony server by DNS spoofing. The attacker either uses DHCP to designate himself as the WLAN's DNS server, or intercepts queries addressed to other DNS servers. The phony AP's DNS server then resolves e-commerce URLs to localhost so that it can present look-alike Web pages.
  • There, common Web phishing attacks can solicit confidential information or use active content to infect the station. For example, at Interop 2005, AirDefense identified APs posing as a free wireless network, presenting a malicious Web page that downloaded a virus whenever the victim clicked anywhere on the page.
  • As described in "Nandi versus Virtual Virtuoso: Part 2," application packet injection tools like Airpwn can modify content sent to victims. Airpwn listens to one wireless NIC and injects traffic through a second wireless NIC -- for example, responding to any "GET" or "POST" packet with an offensive graphic image.
  • Finally, a phony AP can run traditional man-in-the-middle (MitM) tools like Dsniff and Cain. Dsniff can access encrypted data by tricking SSH clients into accepting a forged SSH server public key, or tricking Web users into accepting a forged SSL server certificate. Cain also records cleartext passwords sent by common applications like email. These are just two of many MitM attacks that can be run on a phony AP to take advantage of traffic relayed between the victim and upstream servers.

Now that you've followed the steps of an Evil Twin attack, what can you do to counteract them? I suggest eight countermeasures in Part 2 of this article.

Copyright © 2005, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.