3

We have a WIFI router with SSID: "dummyssid" with our own WPA2 password. Today, unexpectedly, another WIFI SSID was available in the WIFI scan list with exactly the same name as our SSID: "dummyssid" but without any password. Just at that time, internet on our devices, like laptops and mobile phones, stopped working. I suppose because there were exactly the same WIFI SSIDs in the scan list and our laptop/mobile phone is unable to decide which one to use?

I thought my WIFI router was having some issues. So I disconnected it from power, but that ambiguous SSID was still available in the WIFI scan list. I tried to connect to that ambiguous SSID, then I tried to access the router web page of that ambiguous WIFI. On that page it asked me for my WIFI password. I didn't enter anything there, leaving everything as it was. After 30 minutes or so, that ambiguous WIFI was no longer visible in the list and our internet was working fine again.

This is the page that was shown to me when I accessed the router page of that ambiguous WIFI. [Image: ambiguous wifi login]

Do you think someone is trying to get our WIFI password by creating an ambiguous WIFI device and pushing us to enter our WIFI password? If that's so, how do you think we can prevent it?

Ghulam Ali
  • https://null-byte.wonderhowto.com/how-to/hack-wi-fi-stealing-wi-fi-passwords-with-evil-twin-attack-0183880/ Here is a good overview of "Evil Twin" attacks and their goals. – Monica Apologists Get Out May 16 '18 at 19:54
  • I think the exact same thing happened here. Attacker first flooded our WIFI with incorrect passwords so our WIFI router stopped working and the story started after that... Thanks for the great article. – Ghulam Ali May 16 '18 at 20:34
  • ESSID and BSSID, really? You'd think phishers would use friendlier bait these days; anyone who even knows what those mean probably knows better than to fill out the form... – dandavis May 16 '18 at 21:06
  • Why do you say it was the same ESSID but then go on to state a different ESSID? Also, your devices will not be confused by this, nor will they try to connect to the new network with the matching ESSID because the security type does not match. – multithr3at3d May 16 '18 at 21:23
  • @multithr3at3d Sorry, my mistake. It was actually the same SSID and I updated my question. Secondly, yes, I now understand the device won't be confused by the same SSID, but the article linked by Adonalsium says that: "The way we'll trick the victim into doing this is by flooding their trusted network with de-authentication packets, making it impossible to connect to the internet normally..." – Ghulam Ali May 16 '18 at 21:31

1 Answer

5

Yes, as posted in the comments, this looks like an evil twin attack. Someone is likely trying to obtain your network's PSK by:

  1. Creating an open network with your ESSID
  2. Kicking you off your real network with a deauthentication attack
  3. You manually connect to the attacker's network because yours isn't working
  4. You type your PSK into a captive portal on the attacker's wireless network

There is no other logical reason a duplicate network should appear, nor would a configuration page ask for a WPA PSK in that fashion.

While you can't prevent someone from creating their own access point, there are ways to mitigate damage.

  1. The simplest solution is to not connect to the other network, and tell your household/users/guests to pick the network that is secured with WPA2.
  2. A more advanced solution, as deployed in businesses and hotels, is a wireless intrusion prevention system (WIPS), which can actively deauthenticate clients that attempt to connect to unauthorized wireless networks. The legality of such active measures may vary by jurisdiction.
  3. Find out who is performing the attack and get them to stop or involve law enforcement.
multithr3at3d
  • Add, never enter your PSK into a captive portal. It isn't actually a password and is only used by your wireless devices, so you should only ever enter it into your device's configuration, never into any sort of web page. – YLearn Apr 09 '19 at 21:00
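
The check behind both the "pick the network secured with WPA2" advice and the detection half of a WIPS can be sketched in a few lines. This is an added example, not part of the original answer or of any WIPS product: the `Beacon` record, the `TRUSTED` profile and all BSSIDs are constructed assumptions, and collecting real scan results from the operating system is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # MAC address of the access point radio
    security: str  # e.g. "WPA2"; empty string means an open network

# Assumption: what the owner knows about the real network (constructed BSSID).
TRUSTED = {"dummyssid": {"security": "WPA2", "bssids": {"aa:bb:cc:00:00:01"}}}

# Constructed scan results, modelled on the situation in the question.
SAMPLE_SCAN = [
    Beacon("dummyssid", "aa:bb:cc:00:00:01", "WPA2"),  # the real router
    Beacon("dummyssid", "02:11:22:33:44:55", ""),      # open twin, new BSSID
    Beacon("dummyssid", "AA:BB:CC:00:00:01", ""),      # open twin, cloned BSSID
    Beacon("neighbour", "02:aa:bb:cc:dd:ee", "WPA2"),  # unrelated network
]

def find_evil_twins(beacons, trusted=TRUSTED):
    """Return (beacon, reasons) for each beacon that advertises a trusted
    SSID but does not match that network's known profile."""
    findings = []
    for b in beacons:
        profile = trusted.get(b.ssid)
        if profile is None:
            continue  # not using one of our SSIDs, so not impersonating us
        reasons = []
        # Security mismatch is the stronger signal: a BSSID can be copied,
        # but an open twin cannot advertise WPA2 without knowing the PSK.
        if b.security.upper() != profile["security"]:
            shown = b.security or "open"
            reasons.append(f"security is {shown}, expected {profile['security']}")
        if b.bssid.lower() not in profile["bssids"]:
            reasons.append("BSSID is not one of ours")
        if reasons:
            findings.append((b, reasons))
    return findings

if __name__ == "__main__":
    for beacon, reasons in find_evil_twins(SAMPLE_SCAN):
        print(f"SUSPECT {beacon.ssid} [{beacon.bssid}]: {'; '.join(reasons)}")
```

A twin that copies the BSSID is still caught by the security-type comparison, which is also why a device with a saved WPA2 profile will not silently join the open copy.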