Anatomy of a Wireless "Evil Twin" Attack (Part 1)
"Evil Twin" is one of several catchy labels referring to attacks in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point (AP). Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.
Fortunately, there are steps you can take to defend yourself from Evil Twins, ranging from user education to strong authentication. Let's disassemble this attack to see where vulnerabilities are exploited and mistakes are made during an Evil Twin attack.
Leveraging a weak foundation
Users fall for e-mail phishing because fake messages are easy to craft, and SMTP senders are not required to authenticate. Evil Twin Wi-Fi phishing exploits similar weaknesses: 802.11 management packets are easily forged, and APs do not prove their identity. To make matters worse, laptops, PDAs, and other Wi-Fi devices automatically select and connect to the AP offering the best signal within a named wireless LAN (WLAN).
As shown in Figure 1, 802.11 associations are initiated by users requesting WLAN access from their stations. APs advertise their presence by sending Beacons, which stations can listen for passively. Or stations can actively send Probe Requests to solicit Probe Responses from all APs with a given ESSID. ESSID (Extended Service Set ID) is the name given to any group of APs providing wireless access to the same upstream network, such as a corporate network or the Internet. Stations can be configured to probe for specific ESSIDs, but Windows XP Wireless Zero Config (and many other Wi-Fi client utilities) also send broadcast Probe Requests with an empty (wildcard) SSID, so that every AP in range answers and the client can build its list of Available Wireless Networks.
AP Beacons and Probe Responses carry information about the WLAN, including an identifier (Basic Service Set ID, or BSSID) that is usually the AP's MAC address, plus the channel and a capability field that says, among other things, whether data frames will be encrypted. Based on signal strength and advertised capabilities, the station sends the "best" AP an Authenticate Request. An AP using WEP can optionally challenge the station to prove it knows a shared key (Shared Key authentication). But in most WLANs, the AP just returns an Authenticate Response (Open System authentication), and nothing in that exchange proves anything about the AP. The pair then exchange an Associate Request/Response to establish a data connection that lasts until either party sends a Disassociate or Deauthenticate packet.
Why does this exchange leave stations vulnerable to Evil Twin attack? Because none of it is authenticated: Beacons, Probe Responses, and Authenticate/Associate Responses can be sent by anyone with a radio, the ESSID and BSSID are plain-text fields chosen by the sender, and the station picks its AP on nothing more than signal strength and advertised capabilities.
Wouldn't using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) eliminate these weaknesses? The answer is no. WEP, WPA, and WPA2 (802.11i) encrypt data frames after the association is established, but they do nothing to prevent ESSID, BSSID, MAC address, or management packet spoofing. However, as we will see, 802.1X can potentially detect an Evil Twin before the user is compromised, provided the client uses an EAP method that verifies the authentication server's certificate rather than trusting whatever AP answered.
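To make the point above concrete, here is an added example (not code from the original article): a minimal pure-Python builder and parser for the management frames in the exchange just described, Beacon/Probe Response with the SSID and DS Parameter information elements, plus the Deauthenticate frame, followed by the client-side rule of "strongest signal among APs with the wanted ESSID". The function names, the "HotelWiFi" ESSID, the MAC addresses and the RSSI values are all constructed for the demonstration; the parser only decodes the two information elements the example needs.

```python
import struct

# 802.11 frame control byte 0 = subtype << 4 | type << 2 | protocol version.
# Management frames have type 0; these are the subtypes used in the association exchange.
MGMT_SUBTYPE = {"assoc_req": 0, "assoc_resp": 1, "probe_req": 4, "probe_resp": 5,
                "beacon": 8, "disassoc": 10, "auth": 11, "deauth": 12}
SUBTYPE_NAME = {v: k for k, v in MGMT_SUBTYPE.items()}
BROADCAST = "ff:ff:ff:ff:ff:ff"
IE_SSID, IE_DS_PARAMS = 0, 3            # information element IDs: SSID, DS Parameter Set (channel)
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability bits: infrastructure BSS, encrypted data frames


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mgmt_header(subtype, dst, src, bssid, seq=0):
    """24-byte management header: frame control, duration, addr1, addr2, addr3 (BSSID), sequence control."""
    return (struct.pack("<BBH", MGMT_SUBTYPE[subtype] << 4, 0, 0)
            + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + struct.pack("<H", seq << 4))


def beacon(essid, bssid, channel, capability=CAP_ESS, interval=100):
    """A Beacon as a station sees it (a Probe Response has the same body).
    Every field is chosen by the sender; nothing here is authenticated."""
    body = struct.pack("<QHH", 0, interval, capability)       # timestamp, beacon interval (TU), capability
    body += bytes([IE_SSID, len(essid)]) + essid.encode()     # SSID IE: the ESSID, in plain text
    body += bytes([IE_DS_PARAMS, 1, channel])                 # DS Parameter Set IE: the channel
    return mgmt_header("beacon", BROADCAST, bssid, bssid) + body


def deauth(station, bssid, reason=7):
    """Deauthenticate addressed to one station, claiming to come from 'bssid'.
    Reason 7 = 'class 3 frame received from non-associated station'. Nothing proves the sender is the AP."""
    return mgmt_header("deauth", station, bssid, bssid) + struct.pack("<H", reason)


def parse_mgmt(frame):
    """Decode the header and, for Beacon/Probe Response/Deauth/Disassoc, the fields the client acts on."""
    fc0, _, _ = struct.unpack_from("<BBH", frame, 0)
    if fc0 & 0x0C:
        raise ValueError("not a management frame")
    info = {"subtype": SUBTYPE_NAME.get(fc0 >> 4, "other"),
            "addr1": mac_str(frame[4:10]), "addr2": mac_str(frame[10:16]),
            "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["subtype"] in ("beacon", "probe_resp"):
        _, info["interval"], info["capability"] = struct.unpack_from("<QHH", body, 0)
        pos = 12
        while pos + 2 <= len(body):                            # walk the information elements
            ie_id, ie_len = body[pos], body[pos + 1]
            value = body[pos + 2:pos + 2 + ie_len]
            if ie_id == IE_SSID:
                info["essid"] = value.decode(errors="replace")
            elif ie_id == IE_DS_PARAMS and ie_len == 1:
                info["channel"] = value[0]
            pos += 2 + ie_len
    elif info["subtype"] in ("deauth", "disassoc"):
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    return info


def choose_ap(observed, wanted_essid):
    """What a default-configured client does: among APs advertising the wanted ESSID,
    associate to the strongest signal. 'observed' is a list of (raw_frame, rssi_dbm) pairs."""
    candidates = [(rssi, parse_mgmt(frame)) for frame, rssi in observed]
    candidates = [(rssi, p) for rssi, p in candidates if p.get("essid") == wanted_essid]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0])[1]["bssid"]


# Constructed sample: the hotel's real AP down the hall, and an attacker's SoftAP at the next table.
LEGIT_BSSID = "00:11:22:33:44:55"
TWIN_BSSID = "02:ab:cd:ef:01:23"
VICTIM = "00:0c:29:aa:bb:cc"
OBSERVED = [
    (beacon("HotelWiFi", LEGIT_BSSID, channel=6), -72),
    (beacon("HotelWiFi", TWIN_BSSID, channel=11), -41),
    (beacon("Other", "00:de:ad:be:ef:00", channel=1), -30),
]

if __name__ == "__main__":
    print("client associates to", choose_ap(OBSERVED, "HotelWiFi"))
    print("forged deauth decodes as", parse_mgmt(deauth(VICTIM, LEGIT_BSSID)))
```

Run as a script, the client picks the twin's BSSID purely because its RSSI is higher; the forged Deauthenticate decodes as an ordinary frame from the legitimate BSSID, which is exactly why a station honors it.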
Setting the trap
Now that we've seen how legitimate 802.11 associations form, let's consider what happens during an Evil Twin attack.
First, the attacker targets an ESSID. In a conference center, hotel, or airport, the attacker can use that venue's hotspot ESSID. Or he can run Hotspotter to listen for Probes from nearby stations, watching for common ESSIDs. Because Windows XP automatically probes for every ESSID it has associated with in the past, it is not hard to find stations seeking residential or hotspot ESSIDs. To target a specific WLAN, the attacker can run NetStumbler, Wellenreiter, Ethereal, or another freely-available stumbler or analyzer to identify a WLAN's ESSID.
Next, the attacker deploys a phony AP (broadcasting the target ESSID) near victim stations. The attacker could deploy a hardware AP, but more often runs AP software (e.g., HostAP, SoftAP, wifiBSD) on a laptop or PDA. For example, Quetec's 4-in-1 PC card can turn any Windows PC into a SoftAP, creating a platform for further attacks.
Since most stations will associate with any AP having a given ESSID, it is usually not necessary to forge the AP's MAC address. But if the victim's client has been configured to associate only with approved BSSIDs, or the attacker hopes to slip past an Intrusion Detection System that whitelists known BSSIDs, the phony AP's MAC address can be set to a legitimate BSSID, thereby creating a "Base Station Clone." This is how the attack earns the nickname "Evil Twin."
To bait the trap, the phony AP is usually connected to the Internet or your company's network. For example, a Hotspotter AP can be plugged into a hotel's wired broadband connection, using "free Internet" to lure unsuspecting guests. Or a laptop running SoftAP can use a second wireless NIC to associate with a legitimate AP, transparently relaying traffic between victims and the upstream network they had intended to reach.
Reeling in the victim
Launching a phony AP in a populated area is often enough to attract victims. For example, a SoftAP sitting near you in an airport or cafe may present a stronger signal than the legitimate AP, hidden in the distance. At the office, employee laptops will automatically reconnect to a phony AP broadcasting recently-used home/hotspot ESSIDs. If intended victims don't associate to the phony AP without encouragement, the attacker can force roaming by using AirJack or void11 to send Deauthenticate or Disassociate packets carrying the legitimate WLAN's BSSID. Because those frames are not authenticated, the station honors them, drops its connection, and immediately looks for another AP with the same ESSID, which is now the attacker's stronger one.
Once a victim associates to a phony AP, the attacker has a "man in the middle" platform from which to launch exploits. Conceptually, the AP's position is similar to that gained in Ethernet LANs through ARP Poisoning. But it is easier to achieve through an Evil Twin, since the attacker does not need physical access to a LAN port or switch, and wireless stations put themselves at high risk by promiscuously associating with any AP that advertises a familiar ESSID.
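The three signatures this section leaves behind in the air (an unknown radio advertising your ESSID, a known BSSID whose advertised channel or capabilities suddenly differ, and a burst of Deauthenticate/Disassociate frames claiming to come from your AP) are what a wireless monitoring sensor can key on. The following is an added example, not from the original article, of that detection logic run over one window of already-decoded management frames. The inventory of authorized APs, the "CorpNet" ESSID, the MAC addresses, the threshold of ten deauth frames per window and the observation records are all constructed; a real sensor would feed it decoded frames from monitor mode.

```python
from collections import Counter

CAP_PRIVACY = 0x0010  # capability bit: data frames are encrypted (WEP/WPA/WPA2)

# Defender's inventory of sanctioned APs keyed by BSSID, with the fingerprint each one
# is expected to advertise (constructed sample values).
AUTHORIZED = {
    "00:11:22:33:44:55": {"essid": "CorpNet", "channel": 6, "capability": 0x0411, "interval": 100},
    "00:11:22:33:44:66": {"essid": "CorpNet", "channel": 11, "capability": 0x0411, "interval": 100},
}
FINGERPRINT = ("essid", "channel", "capability", "interval")


def analyze(observations, authorized=AUTHORIZED, deauth_threshold=10):
    """Return a list of (kind, bssid, detail) alerts for one observation window.

    observations: decoded management frames as dicts with 'subtype' and 'bssid', plus the
    FINGERPRINT fields for beacons and probe responses.
    """
    alerts = []
    sanctioned_essids = {ap["essid"] for ap in authorized.values()}
    deauths = Counter()

    for obs in observations:
        if obs["subtype"] in ("beacon", "probe_resp"):
            expected = authorized.get(obs["bssid"])
            if expected is None:
                # Unknown radio using one of our ESSIDs: the plain Evil Twin case.
                # Neighbors advertising their own ESSIDs are not our problem.
                if obs["essid"] in sanctioned_essids:
                    alerts.append(("EVIL_TWIN", obs["bssid"],
                                   f"unauthorized AP advertising {obs['essid']!r} on channel {obs['channel']}"))
                continue
            # Known BSSID: compare against its recorded fingerprint to catch a Base Station Clone.
            mismatches = [f for f in FINGERPRINT if obs[f] != expected[f]]
            if mismatches:
                detail = "fingerprint mismatch: " + ", ".join(mismatches)
                if (expected["capability"] & CAP_PRIVACY) and not (obs["capability"] & CAP_PRIVACY):
                    detail += " (encryption dropped: clone advertises an open network)"
                alerts.append(("BSSID_CLONE", obs["bssid"], detail))
        elif obs["subtype"] in ("deauth", "disassoc"):
            # These frames are unauthenticated; count them per claimed source BSSID.
            deauths[obs["bssid"]] += 1

    for bssid, count in deauths.items():
        if count >= deauth_threshold:
            alerts.append(("DEAUTH_FLOOD", bssid, f"{count} deauth/disassoc frames in window"))
    return alerts


def _beacon(bssid, essid, channel, capability=0x0411, interval=100):
    return {"subtype": "beacon", "bssid": bssid, "essid": essid,
            "channel": channel, "capability": capability, "interval": interval}


# Constructed observation window: normal beacons, a neighbor, a twin, a clone, and a deauth storm.
LEGIT_BSSID = "00:11:22:33:44:55"
TWIN_BSSID = "02:ab:cd:ef:01:23"
NEIGHBOR_BSSID = "00:de:ad:be:ef:00"
OBSERVATIONS = (
    [_beacon(LEGIT_BSSID, "CorpNet", 6), _beacon("00:11:22:33:44:66", "CorpNet", 11)]
    + [_beacon(NEIGHBOR_BSSID, "CafeFree", 1, capability=0x0401)]   # neighbor, not our ESSID
    + [_beacon(TWIN_BSSID, "CorpNet", 1, capability=0x0401)]        # Evil Twin, open network
    + [_beacon(LEGIT_BSSID, "CorpNet", 1, capability=0x0401)]       # Base Station Clone of our AP
    + [{"subtype": "deauth", "bssid": LEGIT_BSSID, "reason": 7}] * 12  # forced roaming
)

if __name__ == "__main__":
    for kind, bssid, detail in analyze(OBSERVATIONS):
        print(f"{kind:12} {bssid}  {detail}")
```

Two caveats a practitioner would add: APs that auto-select channels will trip the channel check, so the fingerprint should be limited to attributes that are stable in your deployment, and the deauth threshold must be tuned against the normal roaming rate of the monitored area or it will fire on busy days.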
What comes next?
Now that you've followed the steps of an Evil Twin attack, what can you do to counteract them? I suggest eight countermeasures in Part 2 of this article.