How to Detect and Escape Evil Twin Wi-Fi Access Points

Posted by Geraldine Hunt on Tue, Jun 14th, 2022

So you are hanging out at a new café that just opened up down the street and you bring your laptop or smartphone to take advantage of the free WiFi service they provide.  The café is named “Bread and Butter”, your laptop identifies a wireless hotspot appropriately called “Bread and Butter WiFe”, and you eagerly connect assuming that it belongs to the café.

As you peruse your favorite social media site, access your email and check to see if a financial transaction cleared your online bank account, a hacker has been capturing all of your login credentials and data.  You have just been a victim of a man-in-the-middle attack thanks to an ‘Evil Twin’.

 

An Evil Twin is a rogue wireless hotspot that impersonates a legitimate hotspot. 

Hackers set up evil twin access points in areas serviced by public WiFi by cloning the MAC address and Service Set Identifier (SSIS) of an existing wireless AP.  For instance, perhaps a coffee shop has a hotspot called “Internet Coffee” that is broadcast from the wireless AP in the back office. 

A hacker, using his or her laptop coupled with the necessary equipment can broadcast the same SSID from a table in the customer area.  By ensuring that the signal of the evil twin is stronger than the authorized network, customers will be tempted to select it over the legitimate offering. 

In some cases, a customer’s laptop may choose the stronger signal automatically.  For instance, customers staying at a resort hotel may select “Connect Automatically” on their device so that it connects automatically during the duration of their stay.  Doing so would allow the wireless device to connect to the evil twin when it comes within range of it.  If it identifies both SSIDs, it will choose the strong signal by default. 

It is also possible for a hacker to perform a denial of service (DOS) attack on the legitimate hotspot, which will, in turn, disconnect everyone from it.  The devices will then choose the evil twin when reconnecting.  This is especially easy to perform on open WiFi networks.

Once a client is connected to an evil twin, an attacker can easily eavesdrop on its signal to hijack the device’s communications.  The attacker can monitor traffic, steal credentials or redirect clients to malicious websites to either download malware or capture online credentials to fake sites. 

In some instances, the malicious hotspot does not have to be an evil twin per se.  For instance, maybe a local coffee shop never bothered to change the default name of its SSID, which includes the name of the internet provider.  In this case, a hacker could simply broadcast an SSID that incorporates the name of the coffee shop and many customers will make the incorrect assumption and select it. 

A hacker could also create an evil hotspot in the pool area of a hotel resort with the word “pool” contained within the SSID, tricking resort travelers that it must be a separate pool area hotspot offered by the hotel.

 

What you can do to avoid man-in-the-middle attacks from evil twins

• Always ask the establishment what the name of the official hotspot is.  This will prevent you from making incorrect assumptions and choose a malicious hotspot.
• If the official hotspot you want to connect to has a key, try intentionally typing in the wrong key.  If the connection accepts the blatantly wrong key, it is most likely an evil twin.
• Disable the “auto connect” or “auto join” functions for saved hotspots for all of your wireless devices.  This is good advice period. 
• You should also manually disconnect from a hotspot every couple of hours and manually reconnect to your desired hotspot and type in the password to confirm the connection.

 

What you can do as a business owner or proprietor

• Clearly advertise the name of the wireless network you offer your customers in a prominent location so all your customers can see it.  Rather than simply provide open WiFi, protect the hotspot with a Personal Security Key (PSK) and create a system to provide the key to your customers.
• Check the customer area with your own mobile device to look for hotspots that are impersonating your official ones and alert your customers if necessary.
• Obtain the services of a wireless expert if you suspect that someone has permanently placed an evil twin or malicious hotspot on your property.  Using a laptop and an antenna, a trained professional can triangulate the location of a malicious AP.  There are also software applications such as EvilAP_Defender, which is designed to find evil twins and even notify through email when one has been identified. 

Talk to one of our security experts today about securing your public Wi-Fi to prevent costly and damaging attacks.