Meeting the "Evil Twin"
February 09, 2005
This phishing scam specifically targets hotspots and has been getting lots of press lately. Here's how it works and thoughts from the experts on the actual threat it poses.
If you are going to be a really malicious technology, you ought to have a cool name, right? So that's one point in favor of the "evil twin," the latest wireless attack strategy to get the attention of analysts and security vendors alike.
The threat is hardly at crisis levels today. However, vendors and analysts agree that the ease with which hackers can run such a scam makes the evil twin a legitimate threat to the Wi-Fi community.
Here's how it works.
An attacker sets up an access point whose service set identifier (SSID), the network name clients see, matches that of an access point at the local hotspot or on the corporate wireless network. The attacker then disrupts or disables the legitimate AP by disconnecting it, directing a denial of service against it (for instance, a flood of spoofed deauthentication frames), or generating RF interference around it. Users lose their connection to the legitimate AP, and their clients, which typically auto-join by SSID, reconnect to the "evil twin" instead, allowing the attacker to intercept, read and modify all the traffic those clients send through it.
Analysts say that is just the kind of threat that could steer people away from Wi-Fi in the short term.
"People are very concerned about security at public hotspots. Security is a top-three reason that prevents consumers from using public Wi-Fi," right behind "no need or desire" and lack of Wi-Fi enabled equipment, said Ina M. Sebastian, a research analyst with JupiterResearch.
With security that high on the agenda, scams like the "evil twin" ploy are important in so far as they bring negative publicity to the adoption process, she said.
While the possibility of evil twins has existed for some time, it was only last month that a British cyber-crime expert drew attention to the escalating threat. "Cyber criminals don't have to be that clever to carry out such an attack," Dr. Phil Nobles of Cranfield University in England warned in a January statement to the press. "Because wireless networks are based on radio signals, they can be easily detected by unauthorized users tuning into the same frequency."
The damage from an evil twin attack can take many forms. An intruder can degrade network performance or deny service completely. Because every victim client is now talking to the attacker's AP, an evil twin can also present fake login prompts, such as a counterfeit hotspot sign-in page, to harvest user names and passwords, which can then be used for later access by the attacker or passed to a third party.
When they say "evil," they are not kidding.
So, what is to be done? At least one vendor says it can thwart the attack.
Security player AirMagnet has software that can identify 20 different types of denial-of-service attacks, which often are the hacker's first move in generating an "evil twin." AirMagnet can also spot multiple devices with the same MAC address, a likely sign that a spoof is in progress.
The company's applications can identify rogue devices with legitimate SSIDs that do not match up with a legitimate vendor, or are on the wrong wireless channel or band. They can note AP power cycling and configuration changes, as well as suspiciously silent APs.
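The attack sequence described earlier (a deauthentication or other denial-of-service flood, then a look-alike AP) and the indicators just listed (a known SSID from an unknown BSSID, an untrusted vendor OUI, an authorised MAC showing up on the wrong channel, an AP that has gone silent) can be expressed as a small monitor. The following is an added example written for this page, not AirMagnet's or AirDefense's code. It runs over a constructed capture of beacon and deauthentication frames rather than a live radio, and the authorised-AP inventory, the trusted OUI list and the flood threshold are assumptions.

```python
"""Evil-twin indicators over a constructed 802.11 beacon/deauth capture.

Added example for this page, not vendor code. Assumes the operator keeps an
inventory of authorised APs (BSSID -> SSID, channel) and knows which MAC OUIs
its AP vendor uses; both lists below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical authorised-AP inventory (BSSID -> expected SSID and channel).
AUTHORIZED_APS: Dict[str, Dict] = {
    "00:0b:86:aa:bb:01": {"ssid": "CorpWiFi", "channel": 6},
    "00:0b:86:aa:bb:02": {"ssid": "CorpWiFi", "channel": 11},
    "00:0b:86:aa:bb:03": {"ssid": "CorpWiFi", "channel": 1},  # never heard in the sample
}
TRUSTED_OUIS: Set[str] = {"00:0b:86"}  # assumption: the enterprise's AP vendor prefix


@dataclass(frozen=True)
class Frame:
    kind: str      # "beacon" or "deauth"
    bssid: str     # transmitter address as seen on the air (real or spoofed)
    ssid: str      # advertised network name; "" for deauth frames
    channel: int   # channel the frame was captured on
    ts: float      # capture time, seconds


def oui(mac: str) -> str:
    """First three octets of a MAC address, the vendor prefix."""
    return mac.lower()[:8]


def analyze(frames: List[Frame], authorized: Dict[str, Dict], trusted_ouis: Set[str],
            deauth_threshold: int = 10, window: float = 5.0) -> List[Tuple[str, str, str]]:
    """Return (code, bssid, detail) alerts, at most one per (code, bssid)."""
    alerts: List[Tuple[str, str, str]] = []
    reported = set()
    auth_ssids = {ap["ssid"] for ap in authorized.values()}
    deauth_times = defaultdict(list)
    heard = set()

    def alert(code: str, bssid: str, detail: str) -> None:
        if (code, bssid) not in reported:
            reported.add((code, bssid))
            alerts.append((code, bssid, detail))

    for f in sorted(frames, key=lambda x: x.ts):
        b = f.bssid.lower()
        if f.kind == "deauth":
            deauth_times[b].append(f.ts)  # a deauth flood is the usual first move
            continue
        if f.kind != "beacon":
            continue
        if b in authorized:
            heard.add(b)
            want = authorized[b]
            if f.channel != want["channel"]:  # same MAC on another channel: a clone
                alert("MAC_SPOOF", b,
                      f"authorised BSSID beaconing on channel {f.channel}, expected {want['channel']}")
            if f.ssid != want["ssid"]:
                alert("SSID_MISMATCH", b, f"authorised BSSID advertising {f.ssid!r}")
        elif f.ssid in auth_ssids:  # our SSID from a BSSID we do not own
            vendor = "trusted" if oui(b) in trusted_ouis else "untrusted"
            alert("EVIL_TWIN", b,
                  f"unknown BSSID advertising {f.ssid!r} on channel {f.channel}, OUI {oui(b)} {vendor}")

    for b, times in deauth_times.items():  # >= threshold deauths inside any sliding window
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= deauth_threshold:
                alert("DEAUTH_FLOOD", b, f"{i - j + 1} deauth frames in {window}s claiming {b}")
                break

    for b in authorized:  # an AP that stopped beaconing may have been knocked off the air
        if b not in heard:
            alert("SILENT_AP", b, "no beacon seen from authorised BSSID")
    return alerts


def sample_capture() -> List[Frame]:
    """Constructed capture: normal beacons, then a deauth flood, then the twin."""
    frames = []
    for i in range(50):  # 0.0 .. 4.9 s: both live APs beacon normally
        frames.append(Frame("beacon", "00:0b:86:aa:bb:01", "CorpWiFi", 6, i * 0.1))
        frames.append(Frame("beacon", "00:0b:86:aa:bb:02", "CorpWiFi", 11, i * 0.1))
    for i in range(30):  # 5.0 s: attacker floods deauths claiming to be the channel-6 AP
        frames.append(Frame("deauth", "00:0b:86:aa:bb:01", "", 6, 5.0 + i * 0.05))
    for i in range(20):  # 7.0 s: attacker's own card beacons the same SSID
        frames.append(Frame("beacon", "de:ad:be:ef:00:01", "CorpWiFi", 6, 7.0 + i * 0.1))
    frames.append(Frame("beacon", "00:0b:86:aa:bb:02", "CorpWiFi", 1, 8.0))  # cloned MAC, wrong channel
    return frames


if __name__ == "__main__":
    for code, bssid, detail in analyze(sample_capture(), AUTHORIZED_APS, TRUSTED_OUIS):
        print(f"{code:13} {bssid}  {detail}")
```

These are heuristics, not proof: beacons and deauthentication frames carry no authentication, so a careful attacker can clone an authorised BSSID on the correct channel and skip the flood, simply out-powering the real AP. The inventory check and the silent-AP check still fire in that case only if the monitor's radio can distinguish the two transmitters, which is why the vendors pair this with client-side alarms.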
The chief competition here comes from rival AirDefense, which in January announced its response to the evil twin attack: a free download, AirDefense Personal 1.0 Lite, intended to protect users at the personal level from wireless-specific vulnerabilities while accessing hotspots.
The application includes 13 wireless-specific alarms. It will notify the user if a wireless connection is being formed or if a laptop is being redirected to an unintended access point, or connected to a non-preferred or unsecured access point.
It's a good thing these solutions are simple and relatively self-managing. After all, it hardly makes sense to expend lots of time and effort defending against a threat that may not even exist.
Not exist? Then what is all the brouhaha about?
We said the evil twin attack could be done. That does not mean it is being done, and in fact even the security vendors are ready to admit the threat may exist more in theory than in practice at this point.
"The incidence of true malicious incursions is still very low," said Rich Mironov, vice president of marketing at AirMagnet. Most of the time when security issues do arise, he said, they are the result of "self-inflicted problems. Every week in a big company somebody brings in an access point that shouldn't be there. We see rogues weekly. We see people who have turned off their laptop security every day."
Nonetheless, he said, the ease with which an evil twin can be set up, coupled with the serious repercussions of a possible security breach, make it incumbent upon the corporate IT staff to take prophylactic measures.
"There are readily available tools that you can download" to establish a twin, Mironov said. "If you know what you are doing you could do it in five minutes, if there is not a monitoring system out there watching for this.
"Now suppose I am in healthcare and I have to follow HIPAA regulations. Those say I have to take all reasonable precautions to protect patient data. It's the same reason they have locks on the doors where the x-rays are kept. It's an obligation on the part of a corporate network to do some basic defensive maneuvering."