50

Let's say you are traveling, and you pause in the airport lounge, or your hotel lobby, or a nearby coffee shop. You haul out your laptop and scan the available wireless networks. You know the name of the wireless network because it is written behind the counter/on a slip of paper/well known.

You see that there are two options:

"Free Public Wifi" &
"Free Public Wifi"

Which one is the actual wireless network, and which one is the Evil Twin attack? How can you tell? What tools or techniques would you use to decide?

(I'm less interested in answers that involve not connecting to either, or avoiding public wireless, and more interested in the techniques to discriminate legitimate vs non-legitimate APs from a user's and not an administrator's perspective. I'm using "Evil Twin" in this specific sense rather than a general "malicious actor" sense.)

J Kimball
  • 13
    What, to you, distinguishes the "actual" network from the "evil" one? What if they are both set up with good intentions? How about both set up with bad intentions? What if one is from the coffee shop next door? Does that make it evil since I'm sitting over here? When I move there does this one become the evil one? – Gene Gotimer Apr 02 '15 at 18:48
  • 6
    An "Evil Twin" would be an AP set up to deliberately mimic an existing legitimate AP. Setting aside any elements of intention, the "Evil Twin" will be one that is not controlled by the organization that offers the service that user intends to use. – J Kimball Apr 02 '15 at 19:56
  • 8
    So if I'm at the book store, the evil AP is the one next door at the coffee shop. When I'm at the coffee shop, the book store AP has become evil. If intent to use is the distinguishing feature, then they cannot be distinguished with technology. – Gene Gotimer Apr 02 '15 at 20:07
  • 2
    Instead of "evil" or "malicious", think "Legitimate". If the Book Store clones the settings of the Coffee shop, it is the Evil Twin, regardless of how the connection is used. – J Kimball Apr 02 '15 at 20:18
  • There is no electronic tool you can use to tell whether two networks called "Free Public WiFi" are two legitimate networks that happened to pick the same name, one legitimate network and one malicious, or two malicious networks. – user2357112 Apr 02 '15 at 20:51
  • 1
    @JKimball: so you want to determine which one was there first, given that they chose the same name, and knowing *only* the name since that's all that's written on the counter, and not assuming any difference in behaviour of the APs? Sounds tricky ;-) Clearly you need to get *some* information that distinguishes them, but by definition of the problem you're saying we're not allowed to know anything else. – Steve Jessop Apr 03 '15 at 01:30
  • 1
    Evil sounds like a loaded term, perhaps imposter is the word you're looking for – Tom J Nowell Apr 03 '15 at 02:23
  • Unless the network is using WPA enterprise (unlikely) anybody who's been told the network password can intercept all the traffic anyways. So why do you care? – CodesInChaos Apr 03 '15 at 07:39
  • 15
    Simple, the evil one will have a goatee. – asawyer Apr 03 '15 at 13:55
  • Use the one with the correct MAC address. Have the sign display the MAC address of the WIFI router, and verify that is the MAC address you are connecting to. If the evil access point clones the MAC address, then it will cause general network problems and neither network will work correctly. True, it's not user friendly to verify a MAC address. – Chloe Apr 04 '15 at 00:26
  • 1
    @Chloe The Evil Twin could mimic the MAC address. – PyRulez Apr 04 '15 at 15:21

7 Answers

40

They're both evil. You shouldn't be connecting to any "Free Public Wifi" without assuming that all your unencrypted traffic will be monitored and modified. The best solution is to not connect to public networks at all, but if that's not an option for you then you can protect yourself a little more by specifying your own DNS (rather than letting the router pick for you), using https everywhere you can, not accessing your sensitive accounts on public networks, considering a VPN, and keeping your software and firmware up to date.

In direct answer to your question, some routers have their MAC address printed on a label; you could ask the router owner to check for you, then connect to it, ping it, and view your arp table (arp -a) to see if it matches. Alternatively, you could tell the router owner that there's an imposter nearby and have them change the network name.

Aron Foster
  • 11
    I'm less interested in "don't use public wifi" answers than I am in techniques to distinguish between legitimate APs and their evil twins. – J Kimball Apr 02 '15 at 18:26
  • 21
    There isn't an "evil" bit that's included in packets from bad routers. You will need say what specific attacks that you want to protect yourself against if you want a specific answer. If you want to be safe against the whole palette of things a malicious actor could do after you connect to his/her wifi, the only answer is "don't connect". And without a specific attack in mind, there's no way to distinguish what makes a router "bad" in the first place. – Aron Foster Apr 02 '15 at 18:46
  • 20
    @AronFoster but an evil bit *was* proposed in [rfc 3514](https://www.ietf.org/rfc/rfc3514.txt)... "If the bit is set to 0, the packet has no evil intent. Hosts, network elements, etc., SHOULD assume that the packet is harmless, and SHOULD NOT take any defensive measures. ... If the bit is set to 1, the packet has evil intent. Secure systems SHOULD try to defend themselves against such packets. Insecure systems MAY chose to crash, be penetrated, etc." ... oh wait, that was published a bit over 12 years ago... 12 years and one day, on the first of April. Hmm. ;-) –  Apr 02 '15 at 21:27
  • 9
    What if the evil router changed MAC address to be the same as the original one? – Buge Apr 02 '15 at 22:06
  • 2
    @Buge Yep, definitely a possibility, and [there are plenty more ways the evil router could trick you](http://hakshop.myshopify.com/products/wifi-pineapple?variant=81044992). Which is why the best solution really is to just assume you're on a hostile network (which you are on any unsecured wifi, even if it's not the "Evil Twin" network) and go from there. Generally, though, so few people will check MAC addresses it's not worth the effort of the bad guys to change them. – Aron Foster Apr 02 '15 at 22:12
  • 4
    A note about DNS - some WiFi routers (like the one from TP-Link that I own) will simply redirect anything sent towards udp/53 to whatever DNS server they are using with a firewall rule. No matter which DNS server you try to talk to, you end up with the same result. When you are on an untrusted network, the only (relatively?) secure approach is to setup a VPN to a known endpoint and do everything through the tunnel. – thkala Apr 03 '15 at 10:15
  • Yes. Both are evil. Technically, any wifi that's not protected by WPA or better should be considered evil and not to be trusted for unencrypted communications. That's because another laptop connected to the same wifi can easily see all your traffic - the "evil"-doer doesn't need to be a router. Protected access changes this. – slebetman Apr 03 '15 at 17:03
  • That said, to detect the evil twin on a protected network is easy. Try logging in to both. The evil router most likely doesn't have the same password, so logging in should fail (of course, if they manage to crack the password of the "good" wifi... that's a different story). – slebetman Apr 03 '15 at 17:05
  • 2
    @slebetman Sure, and if you do this, the evil router can capture your password. Not a good idea. – Michael Hampton Apr 05 '15 at 01:27
  • @slebetman A regular user is unlikely to be able to log into the wireless AP. And if they can, then the Evil Twin attack is likely just one of the problems the legitimate AP is having. – J Kimball Apr 08 '15 at 12:28
  • @user30204 Yes, but that is for TCP, not 802.11 which operates on another layer. – forest Jul 04 '18 at 03:27
24

Traditionally there hasn't been an easy user-oriented method to detect evil twin attacks. Most attempts to detect an evil twin attack (ETA) are geared towards the administrator of a network, where they basically have the authorised network admins scanning and comparing wireless traffic. This isn't so much of what you are interested in.

There is a paper here (and slides) that goes over an experimental approach to determine from the user's perspective a real-time ETA. Basically, they use a cunning approach to statistically determine which access point is authorised and which is the evil twin.

A simple approach (that will not always work) that I propose is to merely sniff yourself and see what the IP addresses are. The idea being that an unauthorised AP will have a nonstandard (i.e. what you would expect) IP and thus throw up some red flags... Here is a link that describes how to set up your own ETA so you can play around with my method (or try your own). WARNING: If you are creating an ETA, do so in a lab environment as this is illegal in public.

Also note that an ETA can be greatly mitigated by simply securing the network via an authentication system that uses Extensible Authentication Protocols such as WPA2-Enterprise, which works by validating both the client and the access point.


To address some other points...

If you have a way to communicate with the authorised network administrators (or at least know which access point is the proper one), then you have already completed a pseudo-meta-authorisation method outside of the digital realm (i.e. I can physically see the proper router and know its MAC address, IP settings, etc. and can thus compare them with what my adapter is telling me I'm connected to). Most often, we do not have this info and moreover shouldn't trust it even if we did. Thus, perhaps the 'best' method for using an untrusted network (ET or not) is to always assume it is compromised and implement a VPN or simply abstain altogether!

Matthew Peters
  • 2
    I had seen the paper, and it was probably the most direct prompt for my question. I was curious if there were any other techniques that are usable from a user rather than administrator perspective. I think it is fair to say that I don't fully understand the paper well enough to implement it. (I would vote your answer up, but my reputation is not yet high enough to do so.) – J Kimball Apr 02 '15 at 19:46
  • Admittedly, my maths skills are not at par with the A&M professor but the gist is simple. If I do understand it correctly, that paper is essentially using the time it takes for a packet to traverse to and from the ET to physically pinpoint a location and then from there, it draws on a mass of statistics it has gathered to create an educated guess on which AP is the proper one... – Matthew Peters Apr 03 '15 at 12:18
23

Tell the barista/clerk/etc. the wifi has gone down; can they reboot or power cycle the router?

Most people will happily do so, bringing the AP down for a moment, and exposing the evil twin router in the process as any active network that survives a power cycle.

If there is more than 1 evil twin router, this still works.

If there are multiple good routers, this will identify at least one. The same tactic can be used to identify the others ( Hey it's not working still, is that the only wifi box? All this tech is so confusing, maybe you need to do it to all of them? ).

Alternatively, once you identify a good AP, connect a device to it, and then, using a second device, connect to the other APs and attempt to locate the first device over the network. Unless the good AP has been compromised, any AP that finds the original device is a good AP. If it has been compromised, however, then all APs are bad.

Another alternative being that if you can see the make of the router, try to log in to its admin panel. If the login prompt doesn't match the make/brand then you have found the evil twin.

The best solutions here are mostly going to involve simply talking to the provider of the legitimate AP rather than running an extensive comparison with questionable results.

In the meantime, if the AP in question is open, it is insecure, evil twin attacks are unnecessary. A public network with a shared password is also insecure. If you're concerned about the security of a public wifi network for any reason, do not use it.

Tom J Nowell
  • as for login screens, I've seen setups where the Evil Twin will simply copy the login page of the real router – schroeder Apr 03 '15 at 04:27
  • 1
    This answer also assumes there is only one router. – Matthew Peters Apr 06 '15 at 11:16
  • If there are 10 evil twins, and the barista power cycles the router, it still works. If there are 2 routers, and the barista power cycles both, it still works. Consequently if there are multiple routers, and you identify 1 good router via power cycling, you can join every AP and ping a device connected to a known good router as a basic test. – Tom J Nowell Apr 06 '15 at 11:19
  • Exposing the Evil Twin in this manner would work only if it's not evil enough to also appear to go down for the same duration. What if it's very evil and will mirror the state of the good router? In this case you may need to introduce a pseudo-evil triplet to outdo the twin. – Asclepius Aug 04 '15 at 22:11
  • All of that can be deduced from latency and timing measurements. First AP to go down is clearly the one the barrista just pulled the plug on, the one that dropped 20ms later is not – Tom J Nowell Aug 05 '15 at 04:43
  • 1
    Or you could tell them they have an evil twin. – PyRulez Jan 16 '16 at 01:52
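The power-cycle test above, and the follow-up comments about a twin that mirrors the outage a moment later, reduce to a differential scan: record which BSSIDs advertising the SSID disappear when the plug is pulled, and in what order. The script below is an added example (not code from the answer or its author); the scan snapshots are constructed, and on a real machine they would come from repeated `iw dev wlan0 scan` or `netsh wlan show networks mode=bssid` runs. The constructed data contains three BSSIDs with the same SSID: the shop's AP, a twin that never goes down, and a twin that copies the outage two seconds late.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi_dbm: int


TARGET_SSID = "Free Public Wifi"
LEGIT = "00:11:22:33:44:55"   # constructed: the shop's AP, unplugged at t=0
NAIVE = "66:77:88:99:aa:bb"   # constructed: a twin that keeps beaconing
MIRROR = "cc:dd:ee:ff:00:11"  # constructed: a twin that copies the outage a few seconds late
OTHER = "12:34:56:78:9a:bc"   # constructed: unrelated network next door


def scan(*bssids):
    """Build one constructed scan snapshot containing the given BSSIDs."""
    beacons = [Beacon(TARGET_SSID, b, 6, -55) for b in bssids]
    beacons.append(Beacon("NextDoorCoffee", OTHER, 11, -70))
    return beacons


# Constructed snapshots keyed by seconds relative to the moment the plug was pulled.
SNAPSHOTS = {
    -10: scan(LEGIT, NAIVE, MIRROR),
    -5: scan(LEGIT, NAIVE, MIRROR),
    1: scan(NAIVE, MIRROR),   # legit AP already gone
    3: scan(NAIVE),           # mirroring twin drops out two seconds later
    10: scan(NAIVE),
    60: scan(LEGIT, NAIVE, MIRROR),  # everything back after the reboot
}


def bssids_for(beacons, ssid):
    """BSSIDs in one snapshot that advertise the SSID we care about."""
    return {b.bssid for b in beacons if b.ssid == ssid}


def first_absence(snapshots, ssid):
    """For every BSSID advertising `ssid`, the earliest snapshot time at which it was
    missing after having been seen; None if it never dropped out."""
    seen, result = set(), {}
    for t in sorted(snapshots):
        present = bssids_for(snapshots[t], ssid)
        for b in seen - present:
            result.setdefault(b, t)
        seen |= present
    return {b: result.get(b) for b in seen}


def classify(snapshots, ssid):
    """Rank the BSSIDs: the one that vanished first is the one whose plug was pulled;
    anything that vanished later, or never vanished, is not that box."""
    absence = first_absence(snapshots, ssid)
    dropped = sorted((t, b) for b, t in absence.items() if t is not None)
    return {
        "went_down_first": dropped[0][1] if dropped else None,
        "went_down_later": [b for _, b in dropped[1:]],
        "never_went_down": sorted(b for b, t in absence.items() if t is None),
    }


if __name__ == "__main__":
    for label, value in classify(SNAPSHOTS, TARGET_SSID).items():
        print(f"{label}: {value}")
```

The ordering only helps if the scans are frequent compared with the twin's reaction time; with one scan every ten seconds, a twin that mirrors the outage within a second is indistinguishable, which is the failure mode the comment thread describes.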
14

There is one thing an evil twin can't copy: location. Set up three computers, then triangulate it. Or have some sort of time detector. If one of them is responding fast enough that you know, according to the speed of light, they must be within the store, then you know that it will be in the store, which is helpful if delays make triangulation harder.

Note: If you somehow find out that the routers aren't moving through some other source, you can use one moving distance detector. This will give you a lot of data points to work with, which may help if your detector isn't accurate.

Note: If you somehow find out that the routers have the same signal power and detection capabilities, and that the good one is closer, one practical method is to simply filter out weaker packets.

PyRulez
  • 2,937
  • 4
  • 15
  • 29
  • 8
    The speed of light is too fast for standard hardware to be useful in determining distance. The response time (and variation thereof) will be dominated by processing delays. But signal strength could be used with one computer you can move. – Rick Apr 03 '15 at 15:26
  • @Rick Taking a bunch of samples gets the variation down. It is also just generally harder for the twin to attempt to copy the original's location (which you're triangulating) the closer you are. – PyRulez Apr 03 '15 at 15:29
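To make the location argument concrete, here is an added example (not code from the answer or its author) that uses signal strength rather than timing, as the comment suggests, with three receivers at known positions. It assumes a log-distance path-loss model with constructed calibration values (`RSSI_1M`, `N`), averages several RSSI samples per receiver to reduce the variation, converts each average into a distance, and solves the resulting three-circle trilateration. The receiver positions, store outline and RSSI samples are all constructed.

```python
import math

# Assumed calibration of the log-distance path-loss model (constructed values):
# RSSI(d) = RSSI_1M - 10 * N * log10(d), with d in metres.
RSSI_1M = -40.0   # dBm measured one metre from the AP
N = 2.5           # path-loss exponent typical of an indoor space

# Constructed geometry: three receivers (metres) along the walls of a store that
# occupies the rectangle x in [0, 8], y in [0, 6].
RECEIVERS = [(0.0, 0.0), (8.0, 0.0), (0.0, 6.0)]
STORE = ((0.0, 8.0), (0.0, 6.0))

# Constructed RSSI samples (dBm): per BSSID, one list of five readings per receiver,
# with about +-1 dB of jitter around the model value.
SAMPLES = {
    "00:11:22:33:44:55": [[-53, -55, -54, -54, -54],   # AP inside the store
                          [-58, -59, -58, -57, -58],
                          [-57, -58, -57, -58, -57]],
    "de:ad:be:ef:00:01": [[-67, -68, -67, -67, -68],   # AP outside, past the east wall
                          [-57, -58, -57, -58, -57],
                          [-67, -67, -68, -67, -68]],
}


def mean(values):
    return sum(values) / len(values)


def distance_from_rssi(rssi_dbm):
    """Invert the path-loss model: metres from the transmitter for an averaged RSSI."""
    return 10 ** ((RSSI_1M - rssi_dbm) / (10 * N))


def trilaterate(anchors, distances):
    """2-D fix from exactly three anchors: subtracting the first circle equation from
    the other two cancels the quadratic terms and leaves a 2x2 linear system."""
    (x1, y1), d1 = anchors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        rows.append((a, b, c))
    (a2, b2, c2), (a3, b3, c3) = rows
    det = a2 * b3 - a3 * b2
    if abs(det) < 1e-9:
        raise ValueError("receivers are collinear; no unique 2-D fix")
    return ((c2 * b3 - b2 * c3) / det, (a2 * c3 - a3 * c2) / det)


def locate(bssid, samples=SAMPLES, anchors=RECEIVERS):
    """Estimated (x, y) of the transmitter behind `bssid`, in metres."""
    dists = [distance_from_rssi(mean(s)) for s in samples[bssid]]
    return trilaterate(anchors, dists)


def inside_store(point, store=STORE):
    (xmin, xmax), (ymin, ymax) = store
    x, y = point
    return xmin <= x <= xmax and ymin <= y <= ymax


if __name__ == "__main__":
    for bssid in SAMPLES:
        x, y = locate(bssid)
        print(f"{bssid}: ({x:.1f}, {y:.1f}) m, inside store: {inside_store((x, y))}")
```

Indoors, the path-loss exponent and the 1 m reference level vary from room to room, so the calibration constants have to be measured in the building being surveyed; without that, the distances are wrong by a constant factor and the fix drifts.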
6

For detecting an Evil Twin attack with a standard setup, the only information you really have is the SSID, the MAC address of the wireless access point, and the DHCP IP address, gateway, and DNS server that it hands out. Apart from that, you might find the evil twin using a different frequency than the original, like the true AP being on 2.4GHz and the evil AP being on 5GHz. Many Access Points are configured via web interface, which means if you have a Linksys AP, you might be able to access a page at http://192.168.1.1/Managment.asp , but not on the evil AP.

An Evil Twin will probably not bother to clone that detailed level of configuration because it is far easier to just clone the SSID and MAC (if they even bother with that).

Therefore, if you know the expected DHCP config setup or expected configuration URL, you could tell if the AP you are connecting to is false.

Nik Roby
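Three of the answers above (pinging the gateway and reading `arp -a`, sniffing the IP addresses the AP hands out, and comparing the DHCP gateway and DNS against what is expected) amount to the same check: fingerprint the network the adapter has joined and compare it with a profile recorded from the legitimate AP. The script below is an added example, not code from any of the answers or their authors. The expected profile, the `arp -a` output in Linux and Windows style, and the twin scenario are constructed.

```python
import re

# Constructed profile of the legitimate AP: values a user might read off the
# router's label or get from the shop's network administrator.
EXPECTED_PROFILE = {
    "ssid": "Free Public Wifi",
    "bssid": "00:11:22:33:44:55",        # radio MAC the adapter reports
    "gateway_ip": "192.168.1.1",
    "gateway_mac": "00:11:22:33:44:55",  # LAN-side MAC printed on the label
    "dns": ["192.168.1.1"],
}

# Constructed `arp -a` output after pinging the gateway, Linux and Windows style.
ARP_LINUX = """? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.37) at aa:bb:cc:dd:ee:ff [ether] on wlan0
"""
ARP_WINDOWS = """Interface: 192.168.1.42 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed output from a twin that runs its own DHCP range.
ARP_TWIN = """? (10.0.0.1) at de:ad:be:ef:00:01 [ether] on wlan0
"""

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Linux output compare equal."""
    return mac.lower().replace("-", ":")


def gateway_mac_from_arp(arp_output, gateway_ip):
    """MAC the ARP cache holds for the gateway IP, or None if it is not cached."""
    for line in arp_output.splitlines():
        ip = IPV4_RE.search(line)
        if ip and ip.group(1) == gateway_ip:
            mac = MAC_RE.search(line)
            if mac:
                return normalize_mac(mac.group(0))
    return None


def compare(observed, expected=EXPECTED_PROFILE):
    """Human-readable mismatches between what the adapter reports and the expected
    profile; an empty list means every fingerprinted value matched."""
    problems = []
    for key in ("ssid", "gateway_ip"):
        if observed.get(key) != expected[key]:
            problems.append(f"{key}: expected {expected[key]!r}, got {observed.get(key)!r}")
    for key in ("bssid", "gateway_mac"):
        got = observed.get(key)
        if got is None or normalize_mac(got) != normalize_mac(expected[key]):
            problems.append(f"{key}: expected {expected[key]}, got {got}")
    if sorted(observed.get("dns", [])) != sorted(expected["dns"]):
        problems.append(f"dns: expected {expected['dns']}, got {observed.get('dns')}")
    return problems


def observation(ssid, bssid, gateway_ip, dns, arp_output):
    """Bundle the values a user can read from the adapter, the DHCP lease and the ARP cache."""
    return {
        "ssid": ssid, "bssid": bssid, "gateway_ip": gateway_ip, "dns": dns,
        "gateway_mac": gateway_mac_from_arp(arp_output, gateway_ip),
    }


# Constructed scenarios: the legitimate AP as seen from Linux and from Windows,
# and a twin that cloned only the SSID.
LEGIT_LINUX = observation("Free Public Wifi", "00:11:22:33:44:55", "192.168.1.1", ["192.168.1.1"], ARP_LINUX)
LEGIT_WINDOWS = observation("Free Public Wifi", "00-11-22-33-44-55", "192.168.1.1", ["192.168.1.1"], ARP_WINDOWS)
TWIN = observation("Free Public Wifi", "de:ad:be:ef:00:01", "10.0.0.1", ["10.0.0.1"], ARP_TWIN)

if __name__ == "__main__":
    for name, obs in (("legit/linux", LEGIT_LINUX), ("legit/windows", LEGIT_WINDOWS), ("twin", TWIN)):
        print(name, compare(obs) or "all expected values matched")
```

A clean comparison is evidence, not proof: as the comments on the first answer point out, every one of these values can be cloned by a twin that bothers to, so a mismatch is a reliable reason to disconnect while a match only says the AP looks like the one on the label.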
3

One really simple way, if you're the network administrator, is to have a host that is attached to your physical network. A quick ping to it will reveal if you've been sidelined to another network.

In the use case of you being in a public area, using a VPN might be a good idea.

munchkin
  • 2
    Unless the rogue AP is a proxy for the proper one. – Cees Timmerman Apr 20 '15 at 12:05
  • Well the ping endpoint is not the same as the access point. Though really the fundamental problem is WIFI to begin with. – munchkin Apr 20 '15 at 12:28
  • WLAN is no different than LAN with strange devices. How does your solution mitigate a MITM attack? – Cees Timmerman Apr 20 '15 at 13:44
  • One of the WLAN attacks is the use of a fake AP, which in essence is what an evil twin is. If you have had the unfortunate luck to encounter this, then pinging a host attached to the LAN would reveal this. Also with WPA2 Enterprise with RADIUS you'd be able to do this, but only because most home routers don't do RADIUS authentication and you'd have to set one of those up separately. – munchkin Apr 20 '15 at 16:44
  • 1
    Couldn't the fake AP relay your ping to the real AP, thus rendering your solution void? – Cees Timmerman Apr 21 '15 at 06:51
  • The fake AP is not connected to the AP. – munchkin Apr 21 '15 at 11:33
  • 1
    The real AP is obviously not secure, so there is no reason why the fake AP could not connect to it for LAN requests. – Cees Timmerman Apr 21 '15 at 11:36
-2

The good AP should have a trusted fingerprint of its self-signed* certificate. I think that's automated as "certificate pinning" - What is certificate pinning?

*: Self-signed because not all CAs are trustworthy.

UPDATE: I don't know your AP, but putting a simple webserver on there should be trivial (flash open source firmware). Anyway, here's proof that an AP can have a certificate.
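Certificate pinning for an AP's self-signed web-interface certificate, as an added example (not code from the answer or its author): the SHA-256 fingerprint of the DER certificate is recorded on first contact and every later connection must present the same certificate. CA verification is turned off on purpose because the certificate is self-signed; trust comes from the pin. The certificate bytes below are constructed stand-ins, and the AP's HTTPS address passed to `check_ap` is hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def sha256_fingerprint(cert_der):
    """Hex SHA-256 of the DER certificate: the value `openssl x509 -noout
    -fingerprint -sha256` prints, minus the colons."""
    return hashlib.sha256(cert_der).hexdigest()


def fetch_peer_cert_der(host, port=443, timeout=5.0):
    """Retrieve the DER certificate the AP's web server presents. Verification is
    disabled because the certificate is self-signed; the pin check replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def normalize(fingerprint):
    """Accept the colon-separated upper-case form openssl prints as well as bare hex."""
    return fingerprint.replace(":", "").lower()


class PinStore:
    """Trust-on-first-use store keyed by SSID: the first certificate seen is pinned,
    and later connections must present exactly that certificate."""

    def __init__(self, pins=None):
        self.pins = {ssid: normalize(fp) for ssid, fp in (pins or {}).items()}

    def check(self, ssid, cert_der):
        observed = sha256_fingerprint(cert_der)
        pinned = self.pins.get(ssid)
        if pinned is None:
            self.pins[ssid] = observed
            return "pinned"
        # Constant-time comparison so a near-miss is not distinguishable by timing.
        if hmac.compare_digest(observed, pinned):
            return "match"
        return "MISMATCH"


def check_ap(store, ssid, host):
    """Network path: pin or verify the live certificate of the AP reachable at `host`."""
    return store.check(ssid, fetch_peer_cert_der(host))


# Constructed stand-ins for DER certificates; real ones begin with an ASN.1 SEQUENCE (0x30).
LEGIT_CERT = b"\x30\x82" + b"legit-ap-certificate-bytes(constructed)"
TWIN_CERT = b"\x30\x82" + b"twin-ap-certificate-bytes(constructed)"

if __name__ == "__main__":
    store = PinStore()
    print(store.check("Free Public Wifi", LEGIT_CERT))  # pinned
    print(store.check("Free Public Wifi", LEGIT_CERT))  # match
    print(store.check("Free Public Wifi", TWIN_CERT))   # MISMATCH
```

Trust-on-first-use only protects visits after the first one; if the twin is already up when the pin is recorded, the twin's certificate gets pinned. Seeding the store with a fingerprint obtained out of band (from the label or the administrator) closes that gap, which is the situation the answer describes.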