
How do evil twin attacks work?

Evil twin attacks, also known as Wi-Fi phishing or rogue access point attacks, involve setting up a fake Wi-Fi network that looks like a legitimate one. Attackers deploy the fake network in a public area, hoping users will connect to it. Once a victim connects, the attacker sits between the victim and the internet: anything sent unencrypted can be read or altered, and even HTTPS-protected sessions can be attacked through a fake captive-portal login page shown before the victim reaches the real site. Evil twin attacks are a serious threat to public Wi-Fi security.

What is an evil twin attack?

An evil twin attack is when an attacker sets up a Wi-Fi network with the same SSID (network name) as a legitimate public network and tricks users into connecting to the fake one instead of the real one. For example, if the legitimate network is called “Free Airport WiFi,” the attacker broadcasts an evil twin also called “Free Airport WiFi.” Client devices choose networks by SSID, not by the access point's hardware address (BSSID), and normally join the strongest signal carrying that name, so a device that remembers the open network will often auto-join the twin without the user doing anything.

Once connected, the attacker acts as the victim's gateway and can monitor all traffic sent over the evil twin network. Plaintext traffic (HTTP, unencrypted email, DNS lookups) is fully visible, which lets them steal login credentials, financial information, emails and more. Traffic protected by TLS is harder to read: the attacker still sees which hosts are contacted, can serve a fake login portal before the victim reaches the real site, and can try to downgrade connections to sites that do not enforce HTTPS. Sitting between the user and the internet puts the attacker in a prime position to carry out man-in-the-middle attacks.

How are evil twin attacks carried out?

Performing an evil twin attack requires the following steps:

  1. Locate a public Wi-Fi network: The attacker sets up in an area with an existing public Wi-Fi network, ideally an open (unencrypted) one or one whose shared passphrase is posted for customers. Airports, coffee shops, libraries, etc. are common targets.
  2. Analyze the target network: The attacker scans for the target's beacon and probe-response frames to learn its SSID, BSSID (the access point's MAC address), channel, security type (open, WPA2-PSK, 802.1X) and whether it fronts a captive portal.
  3. Set up a fake access point: Using a wireless router or a laptop with a Wi-Fi adapter that supports access point mode, the attacker broadcasts a network with the same SSID, usually on the same channel, and serves DHCP and DNS so that clients get a working connection. They make the evil twin look like the real thing.
  4. Enable packet sniffing: Because the attacker's machine is the gateway, all of the victim's traffic passes through it. The attacker runs sniffing software to capture and inspect that traffic, which reveals any data that is not separately encrypted.
  5. Trick users to connect: The attacker waits for a user to connect to the fake network. Often they speed this up by sending forged 802.11 deauthentication frames that appear to come from the legitimate access point, which kicks clients off the real network; devices then reconnect, and many will pick the twin if its signal is stronger. This works because management frames are unauthenticated unless the network uses Protected Management Frames (802.11w), which WPA3 requires.
  6. Capture user data: When a user connects, the attacker intercepts passwords, emails, messages and other unencrypted data with the packet sniffer, or harvests credentials typed into a fake captive-portal login page.

With these six steps, the hacker can successfully impersonate a legitimate network and steal user information through their evil twin.
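The reconnaissance in step 2 and the "trickery" in step 5 both come down to reading 802.11 management frames. The parser below is an added example written for this page, not code from the original article: it decodes beacon, probe-response and deauthentication frames to recover the SSID, BSSID, channel, security type and PMF bits that an attacker fingerprints and that a wireless IDS watches for. The frames it parses are constructed here (the BSSIDs, the client address and the assumption that the venue runs WPA2-PSK are invented for the example), and it assumes the radiotap header and FCS have already been stripped, as a capture tool normally does before handing over the 802.11 frame.

```python
import struct

# 802.11 management subtypes (frame control byte 0 = subtype << 4 | type << 2 | version).
SUBTYPE_PROBE_RESP, SUBTYPE_BEACON, SUBTYPE_DEAUTH = 5, 8, 12
# Tagged-parameter IDs carried in beacons / probe responses.
TAG_SSID, TAG_DS_PARAM, TAG_RSN, TAG_VENDOR = 0, 3, 48, 221
CAP_PRIVACY = 0x0010                  # capability bit: AP requires encryption
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 = legacy WPA IE
AKM_NAMES = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_tags(body):
    """Walk the TLV list that follows the fixed beacon fields; stop cleanly on truncation."""
    tags, off = [], 0
    while off + 2 <= len(body):
        tag_id, length = body[off], body[off + 1]
        data = body[off + 2:off + 2 + length]
        if len(data) < length:
            break
        tags.append((tag_id, data))
        off += 2 + length
    return tags

def parse_rsn(data):
    """Extract the AKM list and the 802.11w (PMF) capability bits from an RSN IE."""
    version, = struct.unpack_from("<H", data, 0)
    off = 2 + 4                                   # version + group cipher suite
    n_pair, = struct.unpack_from("<H", data, off)
    off += 2 + 4 * n_pair                         # pairwise cipher suite list
    n_akm, = struct.unpack_from("<H", data, off)
    off += 2
    akms = [AKM_NAMES.get(data[off + 4 * i + 3], "unknown") for i in range(n_akm)]
    off += 4 * n_akm
    caps = struct.unpack_from("<H", data, off)[0] if off + 2 <= len(data) else 0
    return {"version": version, "akms": akms,
            "pmf_capable": bool(caps & 0x0080), "pmf_required": bool(caps & 0x0040)}

def parse_mgmt_frame(frame):
    """Parse a beacon, probe response or deauth frame (radiotap header and FCS already removed)."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    if (frame[0] >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = frame[0] >> 4
    info = {"subtype": subtype, "dst": mac_str(frame[4:10]),
            "src": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if subtype == SUBTYPE_DEAUTH:
        info["reason"], = struct.unpack_from("<H", body, 0)
    elif subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        _timestamp, interval, caps = struct.unpack_from("<QHH", body, 0)
        info.update({"beacon_interval": interval, "privacy": bool(caps & CAP_PRIVACY),
                     "ssid": None, "channel": None, "security": "open"})
        for tag_id, data in parse_tags(body[12:]):
            if tag_id == TAG_SSID:
                info["ssid"] = data.decode("utf-8", "replace")
            elif tag_id == TAG_DS_PARAM and data:
                info["channel"] = data[0]
            elif tag_id == TAG_RSN:
                info["rsn"] = parse_rsn(data)
                info["security"] = "WPA3" if "SAE" in info["rsn"]["akms"] else "WPA2"
            elif tag_id == TAG_VENDOR and data[:4] == WPA1_OUI_TYPE and info["security"] == "open":
                info["security"] = "WPA"
        if info["security"] == "open" and info["privacy"]:
            info["security"] = "WEP"          # privacy bit set but no RSN/WPA element
    return info

# --- constructed sample frames (not captured traffic) -------------------------
def build_beacon(bssid, ssid, channel, rsn_ie=None):
    hdr = bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (CAP_PRIVACY if rsn_ie else 0)   # ESS, plus privacy if encrypted
    fixed = struct.pack("<QHH", 0, 100, caps)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid.encode() + bytes([TAG_DS_PARAM, 1, channel])
    if rsn_ie:
        tags += bytes([TAG_RSN, len(rsn_ie)]) + rsn_ie
    return hdr + fixed + tags

def build_deauth(bssid, client, reason):
    return bytes([0xC0, 0, 0, 0]) + client + bssid + bssid + b"\x00\x00" + struct.pack("<H", reason)

# RSN IE: WPA2, CCMP group and pairwise, AKM = PSK, capabilities = MFPC (PMF capable, not required).
RSN_WPA2_PSK = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
                + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x80\x00")
REAL_BSSID = b"\xa4\x5e\x60\x10\x20\x30"   # invented: the venue's access point
TWIN_BSSID = b"\x00\x11\x22\x33\x44\x55"   # invented: the attacker's access point
CLIENT = b"\xde\xad\xbe\xef\x00\x01"       # invented: a victim station
SAMPLE_FRAMES = [
    build_beacon(REAL_BSSID, "Free Airport WiFi", 6, RSN_WPA2_PSK),  # venue assumed to run WPA2-PSK
    build_beacon(TWIN_BSSID, "Free Airport WiFi", 6),                # open twin, same SSID and channel
    build_deauth(REAL_BSSID, CLIENT, 7),                             # forged kick-off "from" the real AP
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(parse_mgmt_frame(frame))
```

Real frames would come from a monitor-mode capture; the point of the constructed pair is that the two beacons differ only in the BSSID and the RSN element, which is exactly what a user's Wi-Fi menu does not show. The deauth frame carries reason code 7 and a source address copied from the real access point, so nothing in the frame itself reveals that it was forged.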

Why are evil twin attacks a threat?

Evil twin attacks are dangerous for several reasons:

  • Hard to detect: From a user's perspective, the evil twin looks like any other network with that name. The operating system does not show the BSSID, so unless someone is actively monitoring for rogue access points, most users won't notice any difference.
  • No encryption: Many public networks are open. Anything that is not separately protected by TLS or a VPN is visible to whoever runs the access point.
  • User credentials exposed: If users log into email, banking or other services over plain HTTP, or type their credentials into a fake captive-portal page, their usernames and passwords are captured. These credentials can then be reused in other attacks.
  • Sensitive data theft: Evil twins let attackers sniff credit card numbers, social security numbers, medical records and other private data sent in the clear.
  • Malware spreading: Because the attacker controls DNS and the gateway, they can redirect users to phishing sites or serve malicious downloads and fake software updates.

Due to these risks, organizations should take measures to detect and prevent evil twin attacks. Individuals should also take care when using public wi-fi networks.

Examples of evil twin attacks

Some notable examples of real-world evil twin attacks include:

  • In 2017, security researchers set up fake networks at Black Hat and Def Con security conferences to demonstrate how easy it is to get users to connect to evil twins.
  • A 2018 investigation found fake cell towers called IMSI catchers operating in Washington D.C. These are the cellular equivalent of an evil twin: they impersonate real towers to collect user data.
  • In 2019, the FTC charged a hacker who used an evil twin to redirect users from legitimate hotel wi-fi networks to a fake one under his control.
  • At various times, fake wi-fi hotspots impersonating networks like “Starbucks WiFi” have been reported in public areas to trick users.
  • Security researchers frequently detect evil twins with SSIDs imitating networks at airports, hotels, coffee shops and other public venues.

These examples illustrate that attackers commonly leverage evil twins to snare victims at public locations. Users should be cautious when connecting to open wi-fi hotspots.

Tools and techniques to carry out evil twin attacks

Attackers use a variety of tools and techniques to execute evil twin attacks. Some of the most common include:

Tool/Technique              Description
Rogue access points         Hardware devices such as wireless routers configured to imitate real hotspots.
Wi-Fi adapters              Laptop or USB adapters that support access point mode can broadcast an evil twin from software.
Wireless signal amplifiers  Long-range antennas and amplifiers extend the reach of an evil twin so it wins the signal-strength contest.
Packet sniffers             Software like Wireshark captures the traffic that passes through the evil twin.
Fake login pages            Captive-portal phishing pages mimic real login portals to steal user credentials.
BSSID (MAC) spoofing        Copying the MAC address of the real access point makes the evil twin indistinguishable in a scan.

With these tools, attackers can spy on connected users. Organizations should monitor the air for access points that advertise their SSIDs from unknown BSSIDs; a passive sniffer cannot be detected over the air, so detection has to focus on the rogue access point itself and the deauthentication traffic that usually accompanies it.

Preventing and detecting evil twin attacks

Defending against evil twin attacks involves several precautions:

  • Use authenticated networks: Link encryption alone does not help if the evil twin is the other end of the link, and WPA2-PSK on a hotspot with a posted password can be cloned by anyone who knows the passphrase. What stops an evil twin is authenticating the access point: WPA2/WPA3-Enterprise (802.1X) with clients configured to validate the RADIUS server certificate and its name, so they refuse to connect to an impostor.
  • VPN usage: An always-on VPN encrypts traffic end to end over any hotspot, so what the evil twin sees is ciphertext. Configure the client to block traffic until the tunnel is up, since the moments before it connects (captive-portal login, DNS) are otherwise exposed.
  • Access point monitoring: Actively monitor for access points broadcasting your SSIDs from BSSIDs you do not own, and for deauthentication floods.
  • User education: Train users to verify networks with venue staff, to distrust unexpected login pages, and to forget open networks so their devices do not auto-join them.
  • HTTPS and certificate pinning: Strict Transport Security and pinned certificates in applications keep the attacker from intercepting TLS sessions; they do not stop a captive-portal phishing page, which is why user education still matters.
  • Network segmentation: Isolate guest networks from production networks, and enable Protected Management Frames (802.11w) so clients cannot be kicked off with forged deauthentication frames.

Additionally, enterprise wireless intrusion prevention systems can automatically detect fake access points. Portable detection tools can also help identify evil twins in public areas.
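A common way clients end up connecting to an evil twin is an 802.1X profile that never validates the RADIUS server certificate: the supplicant then completes the EAP exchange with whoever answers, and for PEAP/MSCHAPv2 that hands the attacker a crackable credential hash. The audit below is an added example, not from the original article or the wpa_supplicant project: it parses wpa_supplicant.conf network blocks and reports the settings that let a client connect to, or leak credentials to, an evil twin. The ca_cert, domain_match, domain_suffix_match and ieee80211w keys are real wpa_supplicant options; the config fragments, identity, password and certificate path are constructed for the example, and the PMF check assumes the global pmf= setting is at its default.

```python
import re

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.S)

# Constructed wpa_supplicant.conf fragments: a weak 802.1X profile, its hardened version,
# and an open hotspot profile. Identity, password and paths are invented.
WEAK_CONF = """
network={
    ssid="Corp-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

HARDENED_CONF = """
network={
    ssid="Corp-Secure"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""

OPEN_CONF = """
network={
    ssid="Free Airport WiFi"
    key_mgmt=NONE
}
"""

def parse_networks(conf):
    """Return one dict per network={...} block, with surrounding quotes stripped from values."""
    nets = []
    for body in NETWORK_BLOCK.findall(conf):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets

def audit_network(net):
    """Findings that make this profile connect to, or hand credentials to, an evil twin."""
    findings = []
    ssid = net.get("ssid", "?")
    key_mgmt = net.get("key_mgmt", "WPA-PSK")   # wpa_supplicant's default when omitted
    if key_mgmt == "NONE":
        findings.append((ssid, "open network: nothing distinguishes the real AP from a twin"))
        return findings                         # no RSN, so PMF does not apply either
    if "WPA-EAP" in key_mgmt:
        if not net.get("ca_cert"):
            findings.append((ssid, "802.1X without ca_cert: any RADIUS certificate is accepted, "
                                   "so a twin can harvest the inner credentials"))
        elif not (net.get("domain_match") or net.get("domain_suffix_match")):
            findings.append((ssid, "ca_cert set but no domain_match/domain_suffix_match: "
                                   "any certificate issued by that CA passes"))
    elif "PSK" in key_mgmt:
        findings.append((ssid, "shared passphrase: encrypts the link but does not authenticate the AP"))
    # Protected Management Frames block the spoofed deauth used to push clients onto the twin.
    # Assumed: global pmf= is at its default, so a missing ieee80211w means it is off.
    if "SAE" not in key_mgmt and net.get("ieee80211w", "0") == "0":
        findings.append((ssid, "ieee80211w=0: management frames unprotected, deauthentication "
                               "can be spoofed (set 2 where the AP supports it)"))
    return findings

def audit_config(conf):
    return [f for net in parse_networks(conf) for f in audit_network(net)]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("open", OPEN_CONF)):
        print(name, audit_config(conf))
```

The weak and hardened profiles differ only in the three added lines; the same checks apply to any supplicant (the Windows and Apple equivalents are "validate server certificate" plus an explicit server name), and they are worth running against managed-device profiles before deployment rather than after a credential leak.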

Here are some signs that may indicate the presence of an evil twin network:

  • Multiple access points with the same SSID but different security settings (one encrypted, one open)
  • BSSIDs (access point MAC addresses) not in your inventory broadcasting your SSID
  • SSIDs imitating known public networks, including near-identical spellings
  • Unable to access the internet or internal resources after connecting
  • A captive-portal login page appearing on a network that never had one
  • SSL/TLS errors and certificate warnings in the browser

Investigating suspicious networks and verifying legitimate access points helps protect against evil twin attacks.
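The signs listed above are easy to check mechanically once you hold an inventory of your own access points. The following added example (not from the original article) runs those checks over a constructed scan result and a constructed list of deauthentication observations: it flags your SSID on a BSSID you do not own, an open twin of an encrypted network, a cloned vendor prefix, a look-alike SSID, and a burst of deauthentication frames. The inventory, BSSIDs and timestamps are invented for the example; the records are in the shape a scanner or beacon parser would produce. One practitioner caveat it encodes: enterprise SSIDs legitimately appear on many BSSIDs, so "same SSID twice" alone is not an alert, while "my SSID from a BSSID I do not own" is.

```python
from collections import defaultdict

# Constructed inventory of the APs we operate: SSID -> {BSSID: configured security}.
KNOWN_APS = {
    "Corp-Guest": {"a4:5e:60:10:20:30": "WPA2", "a4:5e:60:10:20:31": "WPA2"},
}

# Constructed scan results in the shape a scanner would produce.
OBSERVED = [
    {"ssid": "Corp-Guest", "bssid": "a4:5e:60:10:20:30", "channel": 6, "security": "WPA2"},
    {"ssid": "Corp-Guest", "bssid": "a4:5e:60:10:20:31", "channel": 11, "security": "WPA2"},
    {"ssid": "Corp-Guest", "bssid": "00:11:22:33:44:55", "channel": 6, "security": "open"},
    {"ssid": "Corp-Guest", "bssid": "a4:5e:60:aa:bb:cc", "channel": 6, "security": "WPA2"},
    {"ssid": "Corp Guest", "bssid": "00:11:22:33:44:56", "channel": 1, "security": "open"},
    {"ssid": "Free Airport WiFi", "bssid": "02:00:00:00:00:01", "channel": 1, "security": "open"},
]

# Constructed deauth observations as (timestamp_ms, source BSSID): 25 frames in one second,
# all claiming to come from our real AP, which is what a spoofed deauth burst looks like.
DEAUTH_EVENTS = [(100_000 + 40 * i, "a4:5e:60:10:20:30") for i in range(25)]

def oui(bssid):
    return bssid[:8]

def normalize_ssid(ssid):
    """Collapse case, spaces and punctuation so 'Corp Guest' and 'corp_guest' match 'Corp-Guest'."""
    return "".join(ch for ch in ssid.casefold() if ch.isalnum())

def detect_evil_twins(observed, known=KNOWN_APS):
    """Flag our SSIDs on foreign BSSIDs, security downgrades, and look-alike SSIDs."""
    alerts = []
    lookalikes = {normalize_ssid(s): s for s in known}
    for ap in observed:
        ours = known.get(ap["ssid"])
        if ours is None:
            real = lookalikes.get(normalize_ssid(ap["ssid"]))
            if real is not None:
                alerts.append(("lookalike_ssid", ap["bssid"], ap["ssid"], real))
            continue                      # somebody else's SSID, not our problem
        if ap["bssid"] in ours:
            if ap["security"] != ours[ap["bssid"]]:
                alerts.append(("security_changed", ap["bssid"], ap["ssid"], ap["security"]))
            continue                      # one of our own APs, as configured
        kind = "rogue_bssid"
        if ap["security"] == "open" and all(s != "open" for s in ours.values()):
            kind = "open_twin"            # our encrypted SSID offered without encryption
        if any(oui(ap["bssid"]) == oui(b) for b in ours):
            kind += "_same_oui"           # vendor prefix copied to look like our hardware
        alerts.append((kind, ap["bssid"], ap["ssid"], ap["security"]))
    return alerts

def detect_deauth_flood(events, window_ms=2000, threshold=20):
    """Sliding-window count of deauth frames per source BSSID; report once per burst."""
    alerts, recent = [], defaultdict(list)
    for ts, bssid in sorted(events):
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((bssid, ts, len(q)))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_evil_twins(OBSERVED) + detect_deauth_flood(DEAUTH_EVENTS):
        print(alert)
```

A deauth alert for a BSSID you own, arriving together with a rogue_bssid or open_twin alert for the same SSID, is the full attack sequence from the steps above; either alone still merits a walk with a handheld scanner to locate the transmitter. Thresholds for the deauth window depend on your own baseline, since some controllers send a handful of legitimate deauths during roaming and load balancing.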

Conclusion

Evil twin attacks are a dangerous threat to public wi-fi security, as attackers can easily monitor and manipulate traffic on fake networks. Users should avoid transmitting sensitive data on public hotspots when possible. Organizations should take steps to encrypt networks, validate access points, and educate personnel to minimize the chance of successful evil twin attacks.

Implementing robust wireless security and promoting awareness are the best ways to combat evil twin risks in the modern connectivity landscape. Being vigilant about suspicious networks and using technologies like VPNs and network monitoring can also help users and organizations stay protected against fake access points. With proper precautions, the threat of evil twins can be safely managed.