Evil Twin Access Point Attack Explained

Anywhere public Wi-Fi is available is an opportunity for an attacker to use that insecure hot spot against unsuspecting victims. One specific hot spot attack, the “Evil Twin” access point, impersonates a genuine Wi-Fi hot spot. The attacker configures the evil twin AP to look just like the free hot spot network; users who connect to it are duped, and the attacker can then run numerous attacks against the unaware victim.

The graphic below shows a typical client connection at a Wi-Fi hot spot. The user searches for the wireless networks within range and connects to the public Wi-Fi network. I’m simplifying the process, but the result is that the user is connected to the hot spot network, which supplies a gateway to the internet. The user can now surf the web, log in to web sites, check email, watch videos or stream music, etc.

Typical Hot Spot Connection

As the user is enjoying their coffee along with the free Wi-Fi, the attacker is busy setting up the evil twin AP. The attacker is not going to have a bunch of extra hardware; you won’t see someone with a Netgear router or antennas sticking out everywhere to draw attention to themselves. The attacker will more than likely have just a laptop to launch the attack, and they could be in the same physical space or in their vehicle in the parking lot.

A typical evil twin AP attack is shown in the next graphic, and I will explain the steps in more detail.

Evil Twin AP Attack

I will start with our user, the victim, being connected to the free Wi-Fi hot spot on channel 6. You can refer to the first graphic for the typical hot spot connection.

Step 1: The attacker sets up a software AP on their laptop using freely available utilities. This software AP mimics the hot spot network, broadcasting the same SSID; the only difference is that the attacker puts it on a different channel. The software AP is a clone, the “evil twin”, of the hot spot network.

Step 2: The attacker jams the hot spot AP’s wireless signal. The graphic shows a hardware jamming device that blocks the physical radio frequency. The attacker could instead send deauthentication frames, an attack at the 802.11 management layer: on a network without Protected Management Frames (802.11w) these frames carry no authentication, so anyone in range can forge them with the hot spot AP’s address. Either way, the result is to break the user’s connection with the hot spot network.

Step 3: The client’s laptop, which is always scanning for a better connection (a feature of wireless roaming), sees the evil twin AP advertising the same SSID as the hot spot network and connects. An open network is identified only by its name, so the client has nothing to tell the two apart.

Step 4: The attacker runs a DHCP server on their laptop to assign an IP address to the victim that just connected to the evil twin AP. Every device on a network is assigned an IP address so that traffic is routed properly; an IP address is the equivalent of the street address the postal service uses to deliver mail.

Also in the mix, the attacker has a second wireless adapter plugged into the laptop to establish a connection back to the hot spot network, and bridges the software evil twin AP to that second card. Traffic from any victim connected to the evil twin AP now routes through the attacker’s machine and back out to the hot spot network, and the victim has no idea. With the traffic routing through the attacker’s laptop they can look for passwords, credit card numbers, email contents and the web sites being visited in any cleartext protocol such as plain HTTP, and can inject themselves into the middle of the conversation by editing frames in transit. Traffic protected end to end by TLS (HTTPS) reveals only the host names being visited, not the contents, unless the attacker can strip or downgrade the encryption.
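The four steps above leave two fingerprints in the air that a passive monitor can pick up: a burst of deauthentication frames carrying the real AP’s address (Step 2), and a second BSSID advertising the hot spot’s SSID on another channel (Steps 1 and 3). The following is an added example written for this post, not code from the original article or from any rogue-AP tool; the frame records are constructed by hand to stand in for a monitor-mode capture, and the field names and sample MAC addresses are this example’s own assumptions.

```python
"""Passive evil twin detector over constructed 802.11 management frame records.

Two checks, matching the attack steps described in the post:
  1. deauth_bursts: many deauthentication frames from one BSSID in a short window
     (a real AP kicks off a handful of clients, not dozens in two seconds).
  2. twin_ssids: one SSID advertised by BSSIDs that disagree on hardware vendor
     (OUI) or on the privacy/security bit. A legitimate multi-AP network shares
     both, so these disagreements separate an impostor from normal roaming.
Frame fields (ts, kind, bssid, ssid, channel, privacy) are assumptions of this
example, not a capture library's API.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float               # capture time in seconds
    kind: str               # "beacon" or "deauth"
    bssid: str              # transmitter address (spoofable in a deauth)
    ssid: str = ""          # beacons only
    channel: int = 0        # beacons only
    privacy: bool = False   # beacons only: capability "privacy" bit (WEP/WPA/WPA2)


def oui(mac: str) -> str:
    """First three octets of a MAC identify the hardware vendor (IEEE OUI)."""
    return mac.upper()[:8]


def deauth_bursts(frames, window=2.0, threshold=10):
    """Map BSSID -> peak deauth count for BSSIDs exceeding `threshold` frames
    in any `window`-second span (sliding window over sorted timestamps)."""
    times = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times[f.bssid].append(f.ts)
    flagged = {}
    for bssid, ts in times.items():
        ts.sort()
        lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged


def twin_ssids(frames):
    """Map SSID -> sorted [(bssid, (channel, privacy))] for SSIDs whose
    advertising BSSIDs differ in vendor OUI or in the privacy bit."""
    by_ssid = defaultdict(dict)
    for f in frames:
        if f.kind == "beacon" and f.ssid:
            by_ssid[f.ssid][f.bssid] = (f.channel, f.privacy)
    suspects = {}
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue
        vendors = {oui(b) for b in aps}
        privacy_bits = {p for (_, p) in aps.values()}
        if len(vendors) > 1 or len(privacy_bits) > 1:
            suspects[ssid] = sorted(aps.items())
    return suspects


# Constructed sample capture (not real traffic). The real hot spot beacons on
# channel 6; the attacker spoofs its BSSID in a deauth burst, then a different
# vendor's radio beacons the same SSID on channel 11. "OfficeWiFi" is a normal
# two-AP network from one vendor and must not be flagged.
REAL_AP = "00:11:22:AA:BB:01"
EVIL_AP = "00:0C:29:DE:AD:01"
SAMPLE = (
    [Frame(t, "beacon", REAL_AP, "CoffeeShop-Free", 6) for t in (0.0, 1.0, 2.0)]
    + [Frame(2.0 + 0.04 * i, "deauth", REAL_AP) for i in range(12)]
    + [Frame(t, "beacon", EVIL_AP, "CoffeeShop-Free", 11) for t in (3.0, 4.0)]
    + [Frame(0.5, "beacon", "00:11:22:AA:BB:10", "OfficeWiFi", 1, True),
       Frame(0.6, "beacon", "00:11:22:AA:BB:11", "OfficeWiFi", 11, True)]
)


def analyze(frames):
    """Run both checks and return their findings together."""
    return {"deauth_bursts": deauth_bursts(frames), "twin_ssids": twin_ssids(frames)}


if __name__ == "__main__":
    for name, result in analyze(SAMPLE).items():
        print(name, result)
```

On the constructed capture the deauth check reports 12 spoofed frames from the real AP’s address and the SSID check reports CoffeeShop-Free served from two vendors on two channels, while OfficeWiFi passes. The OUI and privacy-bit comparison is a heuristic: an attacker who clones the real AP’s MAC prefix defeats it, so in practice the stronger signal is a BSSID that was absent from an earlier baseline scan of the same location.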

There are two scenarios for an evil twin attack. The first, shown in the graphic above, happens when a user already connected to the legitimate hot spot AP gets disconnected and then reconnects to the attacker’s evil twin AP, thinking it is the real hot spot network. In the second, the attacker has the evil twin AP set up in advance and the user connects to the fake AP thinking it is a hot spot provided by a legitimate business. Either way the user ends up connected to the attacker’s evil twin AP.

Now for a double dose of bad news! It is difficult to tell whether you’re connecting to an authentic hot spot network or an evil twin AP, and there isn’t a perfect defense against the attack. As mentioned, the attacker will try to configure the evil twin as a precise copy of the hot spot network so users will not suspect anything is wrong. The best option when using public Wi-Fi is a VPN connection. VPN is short for virtual private network; a VPN creates an encrypted tunnel between your device and the VPN server, so anyone eavesdropping on or sitting in the middle of your wireless traffic cannot read or tamper with it. Two caveats: the tunnel protects nothing until it is up, so prefer a VPN client that blocks other traffic until the tunnel connects, and the VPN provider itself now sees your traffic, so choose one you trust. Plenty of companies offer personal VPN services, with many different plans and fees to choose from.

The next time you’re at the local coffee shop be a little extra observant when connecting to the free Wi-Fi network. If something doesn’t feel right you may want to trust your gut and skip connecting to the hot spot network.

Thanks for stopping by my blog and reading the post. If you’re looking for more security tips when using public Wi-Fi please read my earlier blog post Security Is Your Responsibility When Using Free Wi-Fi.

12 thoughts on “Evil Twin Access Point Attack Explained”

  1. Thanks for this! Yes. It is difficult to trust public access points. And by the way, even without setting up a twin access point, you can still sniff the network traffic of an open Wi-Fi network by configuring your wireless interface in promiscuous mode.
    As a rule of thumb, always use a VPN when connected to public access points.

    • Dear Sir,
      Thank you for your blog! We are learning all of this in our third week of class and so far all has proved to be quite useful. With each week that passes by I am becoming more computer literate vs. being illiterate and clueless to all of this stuff.

  2. You can strip any query from its SSL encryption if you are the host AP. Sniffing won’t be as good in this case. VPN .. sure thing.

  3. VPN is useful, but there will still be a leak between the time you get onto the network and the time your VPN connects. And in that brief time, probably your device will already have done things like check email, log in to FB, Twitter, etc., already compromising you.

    • As far as protecting yourself some Wi-Fi radios can ignore software generated deauthentication packets, but not a whole lot can be done to prevent a jamming device from interrupting the physical signal.

  4. Pingback: Vulnerabilidade WPA2 (CRACK) – Explicação e Correção
  5. Great post! I discovered this while reading about the new Fingbox network scanner…which I’ve been watching the development of for a while. Your description is so helpful and explained in such an ‘easy to understand’ fashion. I’m going to link to this in a post I’m currently writing about the Krack attack as well as one I previously wrote about the dangers of using public networks. Not only will my readers get a much better understanding of the dangers involved but I too understand it all much better myself after reading your article. Thank you!

  6. Pingback: build rogue AP – grayhat.ca