Anatomy of a Wireless "Evil Twin" Attack (Part 2: Countermeasures)
by Lisa Phifer,
Vice President, Core Competence Inc.
Evil Twin attacks (described in detail in Part
1 of this article) trick users into associating with phony wireless
Access Points (APs). Evil Twins wrap old Man-in-the-Middle attacks in new
802.11 clothing, creating a risk that grows at the same rate as Wi-Fi
Tools used to launch Evil Twin attacks (also known as AP Phishing,
Wi-Fi Phishing, Hotspotter, or Honeypot AP) are plentiful and potentially
dangerous. No published research quantifies attack frequency in corporate
networks, but AirDefense estimates that over 80 percent
of those using Wi-Fi at InfoSec 2005 were susceptible to this attack. The
same can be said for the vast majority of residential WLAN and public
So, how can you defend yourself or your employees against Evil Twin
attacks? Here are eight suggestions.
- For starters, include Evil Twin attacks in your Wi-Fi Acceptable Use
Policy, making users aware of these phony APs, the vulnerabilities they
exploit, the risks they pose, and defensive measures.
- When you're traveling, if that AP offering free Internet seems too
good to be true, it probably is. Given a choice between free wireless
and paying out of pocket, most people choose free every time. A
company-defined plan that pays for safe Wi-Fi access -- at least to some
degree -- may help keep your users out of trouble.
- Encourage employees to use "secure hotspot" tools. For example, the
iPass Connect client uses an
encrypted login protocol, eliminating interaction with spoof-able login
offers an "enhanced WPA network" option in US hotspots, using 802.1X
to authenticate users over TLS, verifying the
Authentication Server's certificate to help defeat Man-in-the-Middle
- Back at the office, use 802.1X Port Access Control for robust mutual
authentication. Avoid weak Extensible Authentication Protocol (EAP) types such as
LEAP; use EAP-TLS, EAP-TTLS, or PEAP to check the
server's signature against a trusted CA certificate configured into
every station. Although stations still cannot authenticate APs, your
802.1X Authentication Server will authenticate your APs.
- Teach users never to accept certificates or keys presented when
connecting to APs or application servers. Warn them to avoid "downgrade"
attacks, where a phony AP operates without 802.1X or a phony portal
operates without SSL. Phishing often succeeds when users make mistakes;
education can help users to recognize attack symptoms.
- Client promiscuity is the primary vulnerability exploited by phony
APs. Teach users to disable NICs when not in use. Configure wireless
clients to reduce risk. For example, configure Windows XP to connect
only to Preferred Networks, only in Infrastructure Mode, and only upon
request, reducing risk of Hotspotter exploits. In small WLANs, configure
clients such as Cisco
ACU with a list of Specified APs. (But, given that MACs can be
forged, balance how much effort you put into this against the amount of
security benefit you'll realistically derive.)
- Companies that centrally manage
employee desktops, laptops, and/or PDAs should control wireless station
configuration, taking users out of the equation, or at least reducing
their role. For example, a product like Wavelink Avalanche
or Windows Active Directory Group Policy Objects can be used to
administer 802.11 and 802.1X parameters on Windows PCs.
- Use a Wireless
Intrusion Detection or Prevention System to detect unauthorized APs,
recognize attack signatures for tools like Hotspotter, and automatically
break associations between legitimate stations and phony APs. These
provide the Wi-Fi equivalent of Network IDS/IPS, but wireless host IDS
is also starting to emerge. For example, AirDefense Personal is a
host-resident scanner that warns users when unexpected events occur,
such as roaming to another AP (which may or may not indicate Evil Twin
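The detection the last two suggestions describe (a WIDS flagging APs that advertise a protected SSID from an unknown BSSID or with weaker security than the real AP, and a host-side warning when a station roams to an AP that is not in the authorized list) can be sketched in a few dozen lines. The example below is added here and is not code from the article or from any WIDS vendor; the SSIDs, BSSIDs, channels and signal readings are constructed sample data, and the authorized-AP inventory is an assumed input that a real deployment would pull from its AP management system.

```python
"""Evil Twin / downgrade detection over a set of observed beacons.

Added example, not part of the original article. It models the core check a
wireless IDS performs: compare every AP heard on the air against an inventory
of authorized APs and flag anything that advertises a protected SSID from an
unknown BSSID or with weaker security than the authorized AP uses. All SSIDs,
BSSIDs and observations below are constructed sample data.
"""
from dataclasses import dataclass

# Security types in ascending order of strength. A "downgrade" twin advertises
# a protected SSID with a type that ranks below the one the real AP uses.
SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA-PSK": 2, "WPA2-PSK": 3, "WPA2-EAP": 4}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # 802.11 MAC address the AP beacons with
    channel: int
    security: str   # one of the SECURITY_RANK keys
    rssi: int       # received signal strength in dBm (closer to 0 is stronger)


# Assumed authorized inventory: SSID -> (set of legitimate BSSIDs, expected security).
AUTHORIZED = {
    "CorpNet": ({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}, "WPA2-EAP"),
    "CorpGuest": ({"00:11:22:aa:bb:03"}, "WPA2-PSK"),
}


def classify(beacon, authorized=AUTHORIZED):
    """Return a list of alert strings for one beacon; empty means it looks legitimate."""
    alerts = []
    if beacon.ssid not in authorized:
        # A foreign SSID is not impersonating one of ours; a hotspot-side
        # check would need a different policy, so it is ignored here.
        return alerts
    known_bssids, expected = authorized[beacon.ssid]
    if beacon.bssid.lower() not in known_bssids:
        alerts.append(f"unknown BSSID {beacon.bssid} advertising {beacon.ssid!r}")
    # Checked independently of the BSSID test: MACs can be forged, so a known
    # BSSID offering weaker security than expected is still suspicious.
    if SECURITY_RANK.get(beacon.security, 0) < SECURITY_RANK[expected]:
        alerts.append(
            f"{beacon.ssid!r} from {beacon.bssid} offers {beacon.security}, "
            f"expected {expected} (possible downgrade)"
        )
    return alerts


def scan_report(beacons, authorized=AUTHORIZED):
    """Run classify() over a whole scan; return {bssid: [alerts]} for flagged APs only."""
    report = {}
    for b in beacons:
        alerts = classify(b, authorized)
        if alerts:
            report.setdefault(b.bssid.lower(), []).extend(alerts)
    return report


def roam_alert(ssid, old_bssid, new_bssid, authorized=AUTHORIZED):
    """Host-side check: warn when a station roams to a BSSID not authorized for its SSID.

    Returns a message string, or None when the roam stays within known APs.
    """
    known_bssids = authorized.get(ssid, (set(), None))[0]
    if new_bssid.lower() in known_bssids:
        return None
    return f"roamed from {old_bssid} to unauthorized BSSID {new_bssid} on {ssid!r}"


# Constructed scan: one legitimate AP, one open twin with a forged-looking MAC,
# one beacon reusing a real BSSID but with weaker security, one unrelated hotspot.
SAMPLE_SCAN = [
    Beacon("CorpNet", "00:11:22:aa:bb:01", 6, "WPA2-EAP", -55),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, "OPEN", -40),
    Beacon("CorpNet", "00:11:22:aa:bb:02", 1, "WPA2-PSK", -70),
    Beacon("CorpGuest", "00:11:22:aa:bb:03", 11, "WPA2-PSK", -60),
    Beacon("FreeAirportWiFi", "ca:fe:00:00:00:01", 1, "OPEN", -65),
]

if __name__ == "__main__":
    for bssid, alerts in scan_report(SAMPLE_SCAN).items():
        for a in alerts:
            print(f"[ALERT] {bssid}: {a}")
    msg = roam_alert("CorpNet", "00:11:22:aa:bb:01", "de:ad:be:ef:00:01")
    print(f"[ALERT] {msg}" if msg else "roam OK")
```

Two design points follow the article's own caveats. The downgrade test runs even when the BSSID is in the inventory, because a forged MAC would otherwise pass; and SSID matching here is exact, so a twin using a look-alike name (extra whitespace, a swapped character) would need a fuzzier comparison than this sketch performs.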
No single measure listed here is sufficient to stop all forms of Evil
Twin attack. However, by combining these measures and educating users, you
can build a strong defense to detect and deflect phony APs encountered in
home, hotspot, and office environments.
For more of Lisa's in-depth advice on wireless networking issues, check
out her Wireless
Copyright © 2005, WatchGuard Technologies, Inc. All rights
reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the United
States and other countries.