Steps to take when being targeted by "Evil Twin" WiFi attack?

3

1

I'd like to ask for help, maybe steps on what to do, when being targeted by an "Evil Twin" attack.

My question is related to this: SSID with very similar name, is this an attempt of hacking? But I'm quite certain it is an attack in my case, and I rather need countermeasures, not just making certain of the fact that it is an attack.

I would also like to point out that I'm not a security/network professional, although I'm a software developer student. I merely noticed what is happening because I often read articles on various interesting IT topics.

The story:

About a month ago, I noticed a WiFi network with the exact same name as mine (Paternoszter), appearing on my laptop WiFi list when I'm home. It is an open network, unlike mine, which is password protected (only).

For the first few days I didn't pay much attention, other than making sure I was connecting to my own network, but then my network started "disconnecting" and reconnecting to the "fake" one. This is when I turned off my WiFi, and also my router.

At this point I reported the incident to the authorities, filled in the forms, sent screenshots and all they asked for. I got a promise that "they will look into it". I used my computer only on LAN for a week after, but the duplicate network still persists. (It is there even when I unplug my router from electricity.)

A month has passed and nothing has changed, but I'm too afraid to use my own WiFi network. It is annoying because I have zero experience with things like this; I used 3 tutorials just to do my router settings. I don't know what I could do.

Are there any further steps a beginner like me can take? I had hoped that they would give up by now.

UPDATE (2017.06.20.): Three days after this post the "twin" disappeared, but as I had no idea why, I hadn't yet posted anything. It turned out the authorities have looked into it, but I was told that they cannot tell me anything during the investigation. I want to hereby thank everyone for the comments; they helped me calm my nerves!

Dragonturtle

Posted 2017-06-12T09:49:36.913

Reputation: 139

What OS are you using? Does changing the name help (especially to one that's hard to type)? Does the fake network provide any sort of Internet access? – user1686 – 2017-06-12T09:55:23.927

Win10. I have tried changing "Paternoszter" to "Paternoszter2" in the first 3 days, but the fake was changed within a few hours, so I changed it back. (The fake changed back too.) I was too afraid to even let my computer connect to the fake access point, so I don't know if it provides internet or not. – Dragonturtle – 2017-06-12T09:58:44.650

Don't use WiFi. There isn't much you can do so just don't use WiFi. Locating the evil twin and shutting it down would be the solution. – Seth – 2017-06-12T10:34:09.313

"my network started "disconnecting" and reconnecting to the "fake" one" – That is worrisome. Your computer should not connect to an open network unless you asked it to. What operating system is this? – David Schwartz – 2017-06-15T04:38:54.717

Answers

3

Your comment said that when you changed your SSID, then changed it back, the 'evil twin' network did the same. Coupled with the fact that you admit not being terribly knowledgeable in networking, this leads me to believe this could possibly be a guest SSID or another SSID for a different frequency (2.4GHz vs 5GHz) as detailed in your linked question. Look for Guest or 5GHz in your router settings to confirm. If you can't understand, feel free to post your router model & maybe one of us can.

gregg

Posted 2017-06-12T09:49:36.913

Reputation: 2 025

The user noted about the duplicate SSID that "It is there even when I unplug my router from electricity". If that's true, it is not a guest or alternative SSID that is being broadcast from the user's router. It might be user error in determining which SSIDs are broadcasting. – Sherlock Bytes – 2017-06-12T23:01:19.693

3

This is more on the "finding out what is going on" side rather than being a direct fix.

Grab your smartphone, go to the relevant app store, and download one of the WiFi analyser applications.

Turn off your WiFi, or your whole router.

Use the signal strength reading from the WiFi analyser to identify where the problem SSID is being broadcast from. This answerer found that his "duplicate SSID" was being broadcast from a local device, which he was able to locate. Even if you cannot gain access to where the device is, you should be able to narrow its position down well enough to easily tell you who is doing this, i.e. which neighbour.

Baldrickk

Posted 2017-06-12T09:49:36.913

Reputation: 521

I was going to suggest the same thing – Magnus – 2017-06-15T13:54:47.787

0

The best way to defend against an "evil twin" attack is to configure a new SSID and disable broadcast. When you disable broadcast on your SSID, you will no longer see it on your PC/Mac WiFi network lists. You'll have to physically type it in along with the WPA2-PSK passphrase. This way, no one will see your SSID. When configuring a new SSID, try something totally different than "Paternoszter" or "Paternoszter2" or "Paternoszter3". Make it a new SSID name. Hope this helps.

pythonian

Posted 2017-06-12T09:49:36.913

Reputation: 899

There's a major downside to this method. Rather than your device looking around, seeing 'Dave' & connecting to it, instead it will be constantly shouting, "Hey, Dave, are you there?" – Tetsujin – 2017-06-12T18:54:49.460

Those are called probe requests and are coded in the driver of the wireless device to get sent at specific intervals. It will not "constantly shout", unless the device is at the edge of the wireless boundary. The way it works is that the probe requests will increase in frequency as the WiFi signal gets weaker. This happens so that another AP in the area can respond with a probe response and the device has a chance to roam to the new AP and not lose connectivity. Hope this helps @Tetsujin – pythonian – 2017-06-12T21:10:58.783

& that SSID can be sniffed from anywhere the device can't see it, because it's shouting 'Dave, where are you?' on a timer. – Tetsujin – 2017-06-13T18:08:19.360

You are correct - Even though the SSID will have a blank in the SSID IE, the sniffer can capture the directed probe request which includes the SSID the station is looking for. Similarly, a probe response from the AP will include the SSID. I guess he'll have to purchase an AP with 802.11w support: encryption of management packets. – pythonian – 2017-06-13T18:38:49.527

0

While it's probably legal to match the SSID, it appears quite risky to me. If someone decides to provide an "open evil twin" network, it can backfire in at least two ways:

  1. others could simply use it (with strong crypto) and exhaust monthly data quota/trigger speed throttling,

  2. unknown users could use it for illegal things (file sharing, sending blackmail letters, whatever), which would be traced back to the "evil twin" operator.

With this in mind, you could just put up "free WLAN" signs to attract other (anonymous) users. This might make the rogue access point operator think twice :)

jvb

Posted 2017-06-12T09:49:36.913

Reputation: 1 697

0

Locating the offending device is the #1 thing you should be doing. I would also use Wi-Fi analyzer as Baldrickk suggested.

If this is something that is scaring you to the point where you don't want to use Wi-Fi the #2 thing you need to do is protect yourself from future attacks.

WIPS/WIDS technology is new enough that it could be difficult for you to set up manually and expensive to buy as a commercial solution.

More information about Wireless Intrusion Prevention Systems:

https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

There is a low-cost home solution I am aware of but, unfortunately, it's not out yet. It's called the FingBox and it has numerous features to give you control and information about your wireless network. It can also detect some attacks, like the Evil Twin and a de-auth flood.

https://www.fing.io/home-network-security-device/#

If you want to try your hand at rolling your own system, here is the open-source solution:

http://openwips-ng.org/

Even if you had a WIDS system capable of detecting the Evil Twin you would still need to track down the device physically and confront the owner. The good news is that it's likely within walking distance.

HackSlash

Posted 2017-06-12T09:49:36.913

Reputation: 3 174
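Baldrickk's answer above walks the SSID down with a signal-strength reading, and HackSlash's answer describes what a WIDS would flag: the same SSID advertised by a second, unknown BSSID, here open instead of WPA2. The script below is an added example written for this page, not code from any answerer or from the Fing or OpenWIPS-ng projects. It assumes scan output shaped like Windows' `netsh wlan show networks mode=bssid` (the `SAMPLE_SCAN` text is constructed for this example and its BSSIDs are made-up locally administered addresses), groups the visible BSSIDs by SSID, and flags any BSSID that advertises weaker security than a sibling with the same name or that is not in a caller-supplied list of known router BSSIDs (`own_bssids`, a hypothetical parameter for this example). Findings are sorted by signal so the strongest reading can guide a walk-around with an analyser.

```python
"""Flag evil-twin candidates in a Wi-Fi scan (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the netsh "show networks mode=bssid" layout.
# BSSIDs are made-up locally administered addresses, not real devices.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 3 networks currently visible.

SSID 1 : Paternoszter
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:aa:bb:01
         Signal             : 88%
         Channel            : 6

SSID 2 : Paternoszter
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:00:00:aa:bb:02
         Signal             : 61%
         Channel            : 6

SSID 3 : NeighbourNet
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:aa:bb:03
         Signal             : 40%
         Channel            : 36
"""


def parse_netsh_scan(text):
    """Return one dict per BSSID: ssid, auth, enc, bssid, signal (%), channel."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SSID \d+\s*:\s*(.*)$", line)  # "BSSID ..." does not match: anchored at start
        if m:
            current = {"ssid": m.group(1).strip(), "auth": None, "enc": None}
            continue
        if current is None:
            continue
        m = re.match(r"Authentication\s*:\s*(.*)$", line)
        if m:
            current["auth"] = m.group(1).strip()
            continue
        m = re.match(r"Encryption\s*:\s*(.*)$", line)
        if m:
            current["enc"] = m.group(1).strip()
            continue
        m = re.match(r"BSSID \d+\s*:\s*([0-9a-f:]{17})\s*$", line, re.I)
        if m:  # each BSSID inherits the SSID-level auth/encryption fields
            networks.append({**current, "bssid": m.group(1).lower(), "signal": None, "channel": None})
            continue
        m = re.match(r"Signal\s*:\s*(\d+)%", line)
        if m and networks:
            networks[-1]["signal"] = int(m.group(1))
            continue
        m = re.match(r"Channel\s*:\s*(\d+)", line)
        if m and networks:
            networks[-1]["channel"] = int(m.group(1))
    return networks


def security_rank(auth):
    """Coarse ordering of the authentication string: Open < WEP < WPA < WPA2 < WPA3."""
    a = (auth or "").upper()
    for prefix, rank in (("WPA3", 4), ("WPA2", 3), ("WPA", 2), ("WEP", 1)):
        if a.startswith(prefix):
            return rank
    return 0


def find_evil_twin_candidates(networks, own_bssids=()):
    """Flag BSSIDs that share an SSID but advertise weaker security than a sibling,
    or that are not in the caller's list of known router BSSIDs (hypothetical input)."""
    own = {b.lower() for b in own_bssids}
    by_ssid = defaultdict(list)
    for n in networks:
        by_ssid[n["ssid"]].append(n)
    findings = []
    for ssid, entries in by_ssid.items():
        best = max(security_rank(e["auth"]) for e in entries)
        seen_own = any(e["bssid"] in own for e in entries)
        for e in entries:
            reasons = []
            if len(entries) > 1 and security_rank(e["auth"]) < best:
                reasons.append("weaker security than a sibling BSSID with the same SSID (%s)" % e["auth"])
            if seen_own and e["bssid"] not in own:
                reasons.append("BSSID not in the known-router list")
            if reasons:
                findings.append({**e, "reasons": reasons})
    findings.sort(key=lambda f: -(f["signal"] or 0))  # strongest reading first
    return findings


if __name__ == "__main__":
    scan = parse_netsh_scan(SAMPLE_SCAN)
    for f in find_evil_twin_candidates(scan, own_bssids=["02:00:00:aa:bb:01"]):
        print("%-14s %s  ch%-3s %3s%%  %s" % (f["ssid"], f["bssid"], f["channel"], f["signal"], "; ".join(f["reasons"])))
```

Run it against a saved `netsh wlan show networks mode=bssid` capture instead of the sample, taking several captures from different rooms: the flagged BSSID's signal percentage rising as you move is the same bearing the phone analyser gives, and a BSSID that stays visible while your own router is unplugged is, as the Sherlock Bytes comment notes, not a guest or 5GHz SSID of your own.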

0

http://www.ebay.com/itm/Faraday-Cage-ESD-EMP-7-0MIL-Thick-Material-5-Yards-X-36-Survivalists-Preppers-/141855276714?_trksid=p2385738.m2548.l4275

Above is some shielding material. It is kind of pricey and it blocks cell phone reception, etc.

If you can find the approximate location, and place this on your walls temporarily all outside signals will be blocked.

Your own wi-fi signal is on the inside so it will be unaffected.

cybernard

Posted 2017-06-12T09:49:36.913

Reputation: 11 200

-1

The most likely attack (and I don't know the tech details, I kinda suck at hacking) has something to do with devices automatically submitting passwords trying to connect.
The best way to check if they succeed is to get the MAC address of all your devices and monitor the connected MAC addresses. If you are suspecting that there are unauthorized devices, there is a solution, but it has a downside.

You could use MAC-address filtering. A MAC address is a unique address for every network device. You could create a list in the router to whitelist certain MAC addresses.

The downside is that you have to add every address manually. If there are a lot of one-time users, it could be that it's not worth the effort.

Another thing you could do is blacklisting devices that you already found on your network. This is less efficient because it's rather easy to change your MAC address, but it becomes a lot harder if you have to match a specific list of maybe 20 addresses.

Nick Dewitte

Posted 2017-06-12T09:49:36.913

Reputation: 110

Dude... That's really bad advice. In every version of BackTrack and Kali Linux you can have it randomly generate a MAC address, or clone a device's MAC. You should delete this answer. – Tim_Stewart – 2018-02-09T03:59:19.480