1

How can I check, before I connect, that the WPA2 SSID I am connecting to is the correct one when I'm in an area with spoofed SSIDs?

How can I evade an evil twin without trying to connect with a fake password? I would prefer to only connect to safe/trusted SSIDs.

Here is an image illustrating what I am asking about. While the screenshot is Windows, I am looking for an operating system agnostic solution.

I'm given a card by the hotel that says the official wifi is "Fios-RQ9Vs". But I see two. The desk clerk has no clue what's going on. The SSIDs here are both using the same radio band, 2.4 GHz.

Am I just not supposed to use any wifi anytime I see a name collision? There has to be some way I can investigate and verify before connecting.


schroeder
Gabriel Fair
    Please don't editorialize about the answers in your question. There is a way to ensure that you are connecting to the right SSID, but not if it is free wifi. There are options with certificates. Your hotel won't offer this, though. – schroeder Mar 11 '21 at 23:45

3 Answers

1

Does it really matter?

Just assume that all wifi access points are rogue, and proceed accordingly.

  • If you're surfing the web, only connect to sites by way of SSL/TLS. Or, use a VPN.

  • Run a firewall on your laptop that blocks all incoming connections

If you do the above, then it really doesn't matter if the access point that you are connecting to is rogue. All traffic passing through the access point will be encrypted, so the access point won't be able to sniff your traffic. If you are surfing the web, and the access point tries a DNS spoofing attack that directs you to a fake site, or a man-in-the-middle attack, your browser will detect a problem with the host's certificate. You'll want to apply the same caution to any other services that you use as well, such as POP3, IMAP, SMTP, SSH, etc. If you assume that all access points and ISPs are rogue, and proceed accordingly, then it won't matter if/when you connect to one that actually is rogue.

mti2935
  • Sure I hear you, but this doesn't answer my question. I have added some more context to my question above. Even a VPN doesn't protect against any hardware based vulnerabilities (looking at Intel NICs). There has to be some way a non-techie user cannot be helpless prey to this type of attack – Gabriel Fair Mar 11 '21 at 22:38
  • I see that you've edited your question, but it's not clear to me what threat it is that you are trying to mitigate. What threat do you feel you would be vulnerable to, if you connected to a rogue AP, but applied all of the measures that I outlined in my answer? Also, WRT, `Even a VPN doesn't protect against any hardware based vulnerabilities (looking at intel NICs)` - are you referring to a hardware based vulnerability in the AP or the laptop? If in the laptop, then you're screwed no matter what AP you connect to. If in the AP, then the measures that I outlined should protect you. – mti2935 Mar 11 '21 at 23:28
  • Since the early days of the internet, the internet was built on the premise that the network can't be trusted. That's why we have SSL/TLS, CA's, PKI, etc. The AP is just another node in the network, so it should not be trusted. Security geeks and nerds apply the measures that I mentioned in my question out of habit, but lay-users can install a consumer-grade personal security product (e.g. Norton, McAfee, etc.), which will apply these measures as well. – mti2935 Mar 12 '21 at 00:45
  • At one point in early human evolution the only way we could tell if something was safe to eat was by tasting it first and then waiting... This question is asking if there are ways to probe/verify/investigate/troubleshoot if a wifi is what it says it is, before connecting. If we haven't moved past this stage with wifi yet, that is a fine answer. I was just asking what was available, if any, as tools/strategies for this problem. – Gabriel Fair Mar 12 '21 at 07:07
  • I don't follow your analogy to early human evolution - early humans did not have effective tools to mitigate the dangers of unsafe food, but we do have tools to mitigate the dangers of unsafe networks. Thank you for clarifying your question - but it's still unclear to me *why* you are asking this question. In other words, why is it important to 'probe/verify/investigate/troubleshoot if a wifi is what it says it is, before connecting'? If we take the conventional approach, and assume that all networks are unsafe, then this question is moot. This is starting to feel like an XY problem. – mti2935 Mar 12 '21 at 20:45
0

If you do know the MAC address of the valid access points, it could be determined by a tool like WirelessNetView or some other wireless scanning tool. It lists all available access points in range with the strength of the signal, so you can find out more about the location too, MAC address, etc.

Secured
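The check this answer describes, written out as an added example (not code from the answerer or from WirelessNetView): parse a scan listing, group access points by SSID, and flag every BSSID advertising the hotel's network name that is not on the list the front desk gave you. The listing below is constructed in the style of `netsh wlan show networks mode=bssid` (the Windows view from the question); the MAC addresses, signal values, channels and the "CoffeeShop" network are invented, and the trusted BSSID passed to `audit()` is a stand-in for one the hotel would have to hand you. Any scan source with SSID, BSSID and authentication fields can be fed to `audit()` the same way.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `netsh wlan show networks mode=bssid`
# (the Windows listing the asker was looking at). The SSID is the one from
# the question; every MAC address, signal and channel value is invented.
SAMPLE_SCAN = """\
SSID 1 : Fios-RQ9Vs
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 7c:e1:00:11:22:33
         Signal             : 62%
         Radio type         : 802.11n
         Channel            : 6
SSID 2 : Fios-RQ9Vs
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:00:00:aa:bb:cc
         Signal             : 95%
         Radio type         : 802.11n
         Channel            : 6
SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 7c:e1:00:44:55:66
         Signal             : 40%
         Radio type         : 802.11n
         Channel            : 11
"""


def parse_scan(text):
    """Return (ssid, bssid, auth, channel) tuples from a netsh-style listing."""
    nets = []
    ssid = auth = bssid = None
    for line in text.splitlines():
        m = re.match(r"\s*SSID \d+\s*:\s*(.*)$", line)
        if m:
            ssid, auth = m.group(1).strip(), None
            continue
        m = re.match(r"\s*Authentication\s*:\s*(.*)$", line)
        if m:
            auth = m.group(1).strip()
            continue
        m = re.match(r"\s*BSSID \d+\s*:\s*([0-9A-Fa-f:]{17})", line)
        if m:
            bssid = m.group(1).lower()
            continue
        m = re.match(r"\s*Channel\s*:\s*(\d+)", line)
        if m and bssid is not None:
            # One BSSID entry is complete once its channel line is seen.
            nets.append((ssid, bssid, auth or "", int(m.group(1))))
            bssid = None
    return nets


def audit(nets, expected_ssid, trusted_bssids):
    """Compare every AP advertising expected_ssid against the trusted list.

    Returns (name_collision, findings); each finding is
    ("ok" | "suspect", bssid, reason, channel).
    """
    trusted = {b.lower() for b in trusted_bssids}
    by_ssid = defaultdict(list)
    for ssid, bssid, auth, ch in nets:
        by_ssid[ssid].append((bssid, auth, ch))
    findings = []
    for bssid, auth, ch in by_ssid.get(expected_ssid, []):
        if bssid in trusted:
            findings.append(("ok", bssid, "trusted BSSID, " + auth, ch))
        else:
            reason = "BSSID not on the trusted list"
            if auth.lower() in ("open", "none"):
                reason += "; open network using the same name"
            findings.append(("suspect", bssid, reason, ch))
    return len(by_ssid.get(expected_ssid, [])) > 1, findings


if __name__ == "__main__":
    # The trusted BSSID stands in for one printed on the hotel card (constructed).
    collision, findings = audit(parse_scan(SAMPLE_SCAN), "Fios-RQ9Vs",
                                ["7C:E1:00:11:22:33"])
    print("name collision:", collision)
    for f in findings:
        print(f)
```

The useful output is the second finding: an open network reusing the hotel's name on the same channel, which is exactly the name collision the question shows. The check is only as good as the list of trusted BSSIDs, and, as the answer below notes, a BSSID can be spoofed as easily as an SSID, so a match on the trusted list rules out the careless twin, not a deliberate one.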
0

If you are connecting to open networks (that is, without using a PSK and having no encryption), there is no way to verify that the network is the one you think it is. Anybody within range can sniff the traffic as well. ESSIDs can be set to anything, BSSIDs can be spoofed. If you are using any open network for any reason, it is best to secure your traffic inside something like a VPN.

For networks using a variant of WPA* personal, an evil twin attack is not possible unless the attacker also knows the PSK. This is because during the initial handshake, both the access point and client must prove mutual knowledge of the correct PSK. This makes it impossible for the attacker to steal the PSK in plaintext. Of course, there are ways to capture and brute force it, but this is not related to evil twin. If the attacker does already know the PSK (e.g. coffee shop that gives out the PSK publicly), an evil twin attack can be carried out.

There are some evil twin attacks that work around WPA personal networks by DoS'ing the real network and setting up an identically-named open network. If the user tries to connect to this network, a webpage pops up that asks for the WiFi password. As long as one is aware that they should only connect to their network when it is WPA-secured and never input the credentials anywhere else, this shouldn't be an issue.

Unfortunately, WPA enterprise networks sometimes make evil twin attacks even easier. Depending on the 802.1X authentication mechanism and whether the user enables certificate verification, it may be trivial to steal a user's domain credentials in plaintext by using an evil twin.

TL;DR: You cannot trust open networks at all. You can trust WPA personal networks, as long as the PSK is strong and is kept secret from the attacker. You can trust WPA enterprise networks if you and the administrator follow best practices.

*: When I say WPA, you should be using at least WPA2, if not WPA3.

multithr3at3d
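The claim above that both sides "must prove mutual knowledge of the correct PSK" comes down to the MIC on the 4-way handshake messages, and the derivation is short enough to run. The block below is an added example, not the answerer's code: it derives the PMK from the passphrase with PBKDF2-HMAC-SHA1, expands it into the PTK with the 802.11 PRF, and has a simulated client verify the MIC on message 3 from two access points, one that knows the passphrase and one that does not. The SSID is the one from the question; the passphrase, MAC addresses and nonces are constructed (real nonces are random per handshake), and the EAPOL-Key frame body is a stand-in for the real key-descriptor layout, so only the key derivation and MIC computation follow the standard.

```python
import hashlib
import hmac

# Constructed parameters: the SSID is the one from the question; the passphrase,
# MAC addresses and nonces are invented (real nonces are random per handshake).
SSID = "Fios-RQ9Vs"
CLIENT_PSK = "printed-on-the-hotel-card"       # what the client was given
AP_MAC = bytes.fromhex("7ce100112233")          # authenticator address (AA)
CLIENT_MAC = bytes.fromhex("f0deadbeef01")      # supplicant address (SPA)
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()


def pmk_from_psk(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK for CCMP (48 bytes): KCK(16) | KEK(16) | TK(16), bound to both MACs and nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, frame_with_mic_zeroed):
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def ap_builds_message3(ap_passphrase):
    """An AP can only MIC message 3 with the KCK derived from the passphrase it knows."""
    ptk = derive_ptk(pmk_from_psk(ap_passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    # Stand-in for the EAPOL-Key frame body (a real frame carries key info,
    # replay counter, ANonce and the encrypted GTK; its MIC field is zeroed
    # before hashing).
    frame = b"EAPOL-Key msg3 (constructed body) " + ANONCE
    return frame, eapol_mic(ptk[:16], frame)


def client_accepts_message3(frame, mic):
    """The client derives its own PTK from the PSK it was given and checks the MIC."""
    ptk = derive_ptk(pmk_from_psk(CLIENT_PSK, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(ptk[:16], frame), mic)


def handshake_succeeds(ap_passphrase):
    """True only when the AP's passphrase matches the client's."""
    return client_accepts_message3(*ap_builds_message3(ap_passphrase))


if __name__ == "__main__":
    print("genuine AP :", handshake_succeeds(CLIENT_PSK))         # True
    print("evil twin  :", handshake_succeeds("guessed-password"))  # False
```

The same MIC check runs in the other direction on message 2, which is how the genuine AP rejects a client that lacks the PSK. Two points from the answer carry over directly: the PSK never leaves either side, so the twin learns nothing from a failed handshake beyond the material it could already capture, and if the attacker already holds the PSK (the public coffee-shop case) the MIC verifies for the twin as well, so this check is no protection there.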