The evil twin is not just a schlocky plot device for TV crime shows and absurd soap operas, it's also a threat to your company's data. It's relatively easy for a criminal to set up an evil twin rogue wireless access point that mimics one that your users and visitors connect to, whether on your premises or in a public place, with the intention of stealing usernames and passwords. That's one of the reasons why it's such a good idea to always use a VPN, creating an encrypted tunnel between your computer and a third-party server, preventing snoopers from intercepting information en route. But a new tool offers the promise of more proactively warning network administrators if there is a rogue "evil twin" access point in the vicinity. Called EvilAP_Defender, the tool is designed to alert administrators if a suspected evil twin is discovered.
The tool is able to discover evil APs using one of the following characteristics:
- Evil AP with a different BSSID address
- Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
- Evil AP with the same BSSID and attributes as the legitimate AP but different tagged parameters, mainly a different OUI (tagged parameters are additional values sent along with the beacon frame; currently no software-based AP offers the ability to change these values, as software-based APs are generally poor in this area).
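To make the three detection characteristics concrete, here is an added example of the comparison logic a defender-side monitor would run. It is not EvilAP_Defender's own code: the `APProfile` class, the `learn` / `classify` functions and every beacon in it are assumptions constructed for illustration. It treats a baseline capture as the "learning mode" and then checks later beacons against it in the same order the list above gives (different BSSID, then differing attributes, then a differing vendor OUI in the tagged parameters).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class APProfile:
    """Hypothetical summary of one beacon frame (constructed for this example)."""
    ssid: str
    bssid: str
    channel: int
    privacy: str      # e.g. "WPA2"
    cipher: str       # e.g. "CCMP"
    auth: str         # e.g. "PSK"
    vendor_oui: str   # OUI carried in the vendor-specific tagged parameter


# Attributes compared when the BSSID already matches a trusted AP.
COMPARED_ATTRIBUTES = ("channel", "privacy", "cipher", "auth")


def learn(beacons):
    """Learning mode: every beacon seen during the baseline window is trusted.

    Returns {ssid: {bssid: APProfile}} so lookups are by network, then by AP.
    """
    trusted = {}
    for b in beacons:
        trusted.setdefault(b.ssid, {})[b.bssid.lower()] = b
    return trusted


def classify(beacon, trusted):
    """Return (verdict, detail) for one observed beacon against the trusted table."""
    known = trusted.get(beacon.ssid)
    if known is None:
        # Someone else's network: out of scope for an evil twin check.
        return ("unknown-ssid", "not one of our networks")
    legit = known.get(beacon.bssid.lower())
    if legit is None:
        # Characteristic 1: our SSID advertised from a BSSID we never learned.
        return ("evil-twin", "different BSSID for our SSID")
    for attr in COMPARED_ATTRIBUTES:
        ours, theirs = getattr(legit, attr), getattr(beacon, attr)
        if ours != theirs:
            # Characteristic 2: cloned BSSID but a mismatched attribute.
            return ("evil-twin", f"same BSSID, different {attr}: {ours!r} vs {theirs!r}")
    if beacon.vendor_oui.lower() != legit.vendor_oui.lower():
        # Characteristic 3: everything matches except the tagged-parameter OUI.
        return ("evil-twin", "same BSSID and attributes, different tagged-parameter OUI")
    return ("legitimate", "matches trusted profile")


def scan(beacons, trusted):
    """Classify a batch of beacons; returns (ssid, bssid, verdict, detail) tuples."""
    return [(b.ssid, b.bssid, *classify(b, trusted)) for b in beacons]


# Constructed baseline: one corporate AP captured in learning mode.
BASELINE = [
    APProfile("CorpWiFi", "02:00:00:aa:bb:01", 6, "WPA2", "CCMP", "PSK", "02:00:00"),
]

# Constructed later observations, one per detection characteristic plus controls.
OBSERVED = [
    APProfile("CorpWiFi", "02:00:00:aa:bb:01", 6, "WPA2", "CCMP", "PSK", "02:00:00"),
    APProfile("CorpWiFi", "02:00:00:aa:bb:99", 6, "WPA2", "CCMP", "PSK", "02:00:00"),
    APProfile("CorpWiFi", "02:00:00:AA:BB:01", 11, "WPA2", "CCMP", "PSK", "02:00:00"),
    APProfile("CorpWiFi", "02:00:00:aa:bb:01", 6, "WPA2", "CCMP", "PSK", "02:00:11"),
    APProfile("CoffeeShop", "02:00:00:cc:dd:01", 1, "Open", "NONE", "OPEN", "02:00:00"),
]


def run_demo():
    """Learn from BASELINE, scan OBSERVED, and return the verdict list."""
    return scan(OBSERVED, learn(BASELINE))


if __name__ == "__main__":
    for ssid, bssid, verdict, detail in run_demo():
        print(f"{ssid:<12} {bssid:<18} {verdict:<12} {detail}")
```

BSSIDs are lower-cased before comparison so a capture that reports hex in upper case does not slip past the whitelist; the third observation above exercises exactly that. A real monitor would feed `learn` from a capture taken while the network is known to be clean and alert on every `evil-twin` verdict rather than print it.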
But the EvilAP_Defender tool offers to take things one step further, launching a denial-of-service (DoS) attack against rogue access points that it discovers in order to reduce the chances of users endangering their data by connecting. In order to help it identify friendly networks (and presumably avoid "friendly fire"), network administrators can first run the EvilAP_Defender tool in a "learning mode".
The tool's developer Mohamed Idris says that he will continue to add new features to EvilAP_Defender, and there's some discussion on Reddit about what new versions of the tool might be capable of doing. But the counterattack capabilities of EvilAP_Defender obviously raise some interesting legal questions. In most countries around the world, it would be considered illegal to launch an attack against somebody else's computer without their permission, so if you use EvilAP_Defender to DoS an evil twin access point without getting the attacker's go-ahead first, aren't you yourself committing a criminal act? Mind you, there might be some sneaky ways of getting around that. As a comment left on The Register amusingly points out, seeing as the rogue access point is disguised as one of your own company's access points, you might be able to convincingly argue that you were merely "stress-testing" your access point's resilience to a denial-of-service attack rather than booting away an attacker.
I am not a lawyer, and I'm sceptical if any law enforcement agency would pursue you if you chose to protect your WiFi users in this way, but it's clearly an area where you should tread very carefully.
One thing is clear. More and more organisations are choosing to become more proactive in defending their users and corporate data from attackers. Increasingly we will see companies taking the fight to the attackers, rather than simply defending themselves, just as we have seen countries bluster about pre-emptive strikes against foreign hackers. The jury is still out as to whether that's a sensible road to go down or not, but make sure that you have taken adequate steps to protect your users and your corporate data from evil twin attacks. That means:
- Not just relying on the name of a WiFi network before deciding whether it can be trusted as legitimate or not.
- Where possible, restricting browsing on public WiFi networks to websites that do not require login credentials, and never using them for sensitive data. 3G mobile connections, for instance, can typically be considered much safer than public WiFi.
- Running a VPN to ensure that any browsing and transmitted data is done through an encrypted tunnel that cannot be easily snooped upon by malicious parties.
Would you feel comfortable running a tool like this at your company? Would you launch an attack against a suspected evil twin? Leave a comment below sharing your point of view. Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.