Republished with permission from WatchGuard Technologies, Inc.


Anatomy of a Wireless "Evil Twin" Attack (Part 2: Countermeasures)

by Lisa Phifer, Vice President, Core Competence Inc.

Evil Twin attacks (described in detail in Part 1 of this article) trick users into associating with phony wireless Access Points (APs). Evil Twins wrap old Man-in-the-Middle attacks in new 802.11 clothing, creating a risk that grows at the same rate as Wi-Fi deployment.

Tools used to launch Evil Twin attacks (also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP) are plentiful and potentially dangerous. No published research quantifies attack frequency in corporate networks, but AirDefense estimates that over 80 percent of those using Wi-Fi at InfoSec 2005 were susceptible to this attack. The same can be said for the vast majority of residential WLAN and public hotspot users.

So, how can you defend yourself or your employees against Evil Twin attacks? Here are eight suggestions.

  1. For starters, include Evil Twin attacks in your Wi-Fi Acceptable Use Policy, making users aware of these phony APs, the vulnerabilities they exploit, the risks they pose, and defensive measures.
  2. When you're traveling, if that AP offering free Internet seems too good to be true, it probably is. Given a choice between free wireless and paying out of pocket, most people choose free every time. A company-defined plan that pays for safe Wi-Fi access -- at least to some degree -- may help keep your users out of trouble.
  3. Encourage employees to use "secure hotspot" tools. For example, the iPass Connect client uses an encrypted login protocol, eliminating interaction with spoofable login portals. T-Mobile offers an "enhanced WPA network" option in US hotspots, using 802.1X to authenticate users over TLS and verifying the Authentication Server's certificate to help defeat Man-in-the-Middle attacks.
  4. Back at the office, use 802.1X Port Access Control for robust mutual authentication. Avoid weak Extensible Authentication Protocol (EAP) types such as LEAP; use EAP-TLS, EAP-TTLS, or PEAP to check the server's signature against a trusted CA certificate configured into every station. Although stations still cannot authenticate APs, your 802.1X Authentication Server will authenticate your APs.
  5. Teach users never to accept certificates or keys presented when connecting to APs or application servers. Warn them to avoid "downgrade" attacks, where a phony AP operates without 802.1X or a phony portal operates without SSL. Phishing often succeeds when users make mistakes; education can help users recognize attack symptoms.
  6. Client promiscuity is the primary vulnerability exploited by phony APs. Teach users to disable NICs when not in use. Configure wireless clients to reduce risk. For example, configure Windows XP to connect only to Preferred Networks, only in Infrastructure Mode, and only upon request, reducing the risk of Hotspotter exploits. In small WLANs, configure clients such as Cisco ACU with a list of Specified APs. (But, given that MACs can be forged, balance how much effort you put into this against the amount of security benefit you'll realistically derive.)
  7. Companies that centrally manage employee desktops, laptops, and/or PDAs should control wireless station configuration, taking users out of the equation, or at least reducing their role. For example, a product like Wavelink Avalanche or Windows Active Directory Group Policy Objects can be used to administer 802.11 and 802.1X parameters on Windows PCs.
  8. Use a Wireless Intrusion Detection or Prevention System to detect unauthorized APs, recognize attack signatures for tools like Hotspotter, and automatically break associations between legitimate stations and phony APs. These provide the Wi-Fi equivalent of Network IDS/IPS, but wireless host IDS is also starting to emerge. For example, AirDefense Personal is a host-resident scanner that warns users when unexpected events occur, such as roaming to another AP (which may or may not indicate Evil Twin activity).
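As an added illustration of the kind of check a Wireless IDS performs (this is example code written for this republication, not code from the article, WatchGuard, or any product named above), the script below compares observed beacons against an authorized-AP inventory and flags the two Evil Twin symptoms the list describes: a corporate SSID advertised from an unknown BSSID, and the same SSID advertised with weaker security than required (the "downgrade" case). The beacon record format, the inventory, and the sample scan are all constructed for the example.

```python
"""Flag probable Evil Twin APs in a list of observed beacons.

Example code, not from the original article. Assumes a scanner has already
reduced each beacon to (ssid, bssid, channel, security); the inventory and
the sample scan below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address, lower-case, colon-separated
    channel: int
    security: str    # "open", "wpa2-psk" or "wpa2-enterprise" (802.1X)


# Constructed inventory: SSID -> set of authorized BSSIDs, plus the security
# each corporate SSID must advertise (802.1X/EAP, per item 4 above).
AUTHORIZED = {"CorpWLAN": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
REQUIRED_SECURITY = {"CorpWLAN": "wpa2-enterprise"}


def classify(beacon, authorized=AUTHORIZED, required=REQUIRED_SECURITY):
    """Return findings for one beacon; an empty list means it looks legitimate.

    BSSIDs can be forged (item 6), so a known BSSID advertising the wrong
    security is still reported rather than trusted on its MAC alone."""
    findings = []
    if beacon.ssid not in authorized:
        return findings  # not one of our SSIDs; out of scope for this check
    if beacon.bssid not in authorized[beacon.ssid]:
        findings.append("unknown-bssid")
    if beacon.security != required[beacon.ssid]:
        findings.append(f"downgrade:{beacon.security}")
    return findings


def find_evil_twins(beacons):
    """Map each suspicious BSSID to its sorted findings across all beacons."""
    suspects = {}
    for b in beacons:
        for finding in classify(b):
            suspects.setdefault(b.bssid, set()).add(finding)
    return {bssid: sorted(f) for bssid, f in suspects.items()}


# Constructed sample scan: two legitimate APs, one phony AP cloning the
# corporate SSID as an open network, and one unrelated neighbor network.
SAMPLE_SCAN = [
    Beacon("CorpWLAN", "00:11:22:33:44:01", 1, "wpa2-enterprise"),
    Beacon("CorpWLAN", "00:11:22:33:44:02", 6, "wpa2-enterprise"),
    Beacon("CorpWLAN", "de:ad:be:ef:00:01", 6, "open"),
    Beacon("CoffeeShop", "aa:bb:cc:dd:ee:ff", 11, "open"),
]

if __name__ == "__main__":
    for bssid, findings in find_evil_twins(SAMPLE_SCAN).items():
        print(bssid, ", ".join(findings))
```

A real deployment would feed this from a monitoring radio and add the signature-based checks (e.g., for Hotspotter) and association-breaking that commercial WIDS/WIPS products provide.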

No single measure listed here is sufficient to stop all forms of Evil Twin attack. However, by combining these measures and educating users, you can build a strong defense to detect and deflect phony APs encountered in home, hotspot, and office environments.

For more of Lisa's in-depth advice on wireless networking issues, check out her Wireless Corner.

Copyright © 2005, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.