ETGuard: Detecting D2D Attacks using Wireless Evil Twins

Abstract In this paper, we demonstrate a realistic variant of wireless Evil Twins (ETs) for launching device to device (D2D) attacks over the network, particularly for Android. An ET can be defined as a rogue Access Point (AP) created by hackers to resemble the authentic AP in a network zone. The existing attacks that can be launched through ETs include sniffing, Man-in-the-Middle (MITM) attack, etc. However, these attacks affect the devices after their association and transmission of user traffic through an ET. We show an attack where an ET infects an Android device before the relay of network traffic through it, and disappears from the network immediately after inflicting the device. The attack leverages the captive portal facility of wireless networks to launch D2D attack. We configure an ET to launch a malicious component of an already installed app in the device on submission of the portal page. For example, the malicious component can be either a service which opens a port, or sends an SMS to premium number, or exfiltrates sensitive information to malicious server. Thus, the attack may lead to any number of consequences. The existing ET detection solutions on APs are incapable of preventing this attack due to two reasons – either they analyse an ET after the relay of user traffic through it, or they can detect this attack only for hardware ETs. In this paper, we present an online, incremental, automated, fingerprinting based pre-association detection mechanism named as ETGuard which works as a client-server mechanism in real-time. The fingerprints are constructed from the beacon frames transmitted by the wireless APs periodically to inform client devices of their presence and capabilities in a network. Once detected, ETGuard continuously transmits deauthentication frames to prevent clients from connecting to an ET. ETGuard outperforms the existing state-of-the-art techniques from various perspectives. Our technique does not require any expensive hardware, does not modify any protocols, does not rely on any network specific parameters such as Round Trip Time (RTT), number of hops, etc., can be deployed in a real network, is incremental, and operates passively to detect ETs in real-time. To evaluate the efficiency, we deploy ETGuard in 802.11a/b/g wireless networks. The experiments are conducted using 12 different attack scenarios where each scenario differs in the source used for introducing an ET. ETGuard effectively detects ETs introduced either through a hardware, software, or mobile hotspot with high accuracy, only one false positive scenario, and no false negatives.

[1]  Quincy Wu,et al.  A Proof of MITM Vulnerability in Public WLANs Guarded by Captive Portal , 2010 .

[2]  Sachin Shetty,et al.  Rogue Access Point Detection by Analyzing Network Traffic Characteristics , 2007, MILCOM 2007 - IEEE Military Communications Conference.

[3]  Sneha Kumar Kasera,et al.  On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews , 2008, IEEE Transactions on Mobile Computing.

[4]  Chao Yang,et al.  Active User-Side Evil Twin Access Point Detection Using Statistical Techniques , 2012, IEEE Transactions on Information Forensics and Security.

[5]  Edgar R. Weippl,et al.  Browser History Stealing with Captive Wi-Fi Portals , 2016, 2016 IEEE Security and Privacy Workshops (SPW).

[6]  Andriy Panchenko,et al.  Hacker's toolbox: Detecting software-based 802.11 evil twin access points , 2015, 2015 12th Annual IEEE Consumer Communications and Networking Conference (CCNC).

[7]  Thomas Engel,et al.  Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11 , 2014, Q2SWinet '14.

[8]  Yu-Liang Hsu,et al.  A client-side detection mechanism for evil twins , 2017, Comput. Electr. Eng..

[9]  Rahmat Budiarto,et al.  Powering the Internet of Things With 5G Networks , 2017 .

[10]  Bernd Freisleben,et al.  Why eve and mallory love android: an analysis of android SSL (in)security , 2012, CCS.

[11]  Thomas Engel,et al.  Letting the puss in boots sweat: detecting fake access points using dependency of clock skews on temperature , 2014, AsiaCCS.

[12]  Carlos Ribeiro,et al.  WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection , 2011, ESORICS.

[13]  José Carlos Brustoloni,et al.  Detecting and Blocking Unauthorized Access in Wi-Fi Networks , 2004, NETWORKING.

[14]  Sergey Bratus,et al.  Active behavioral fingerprinting of wireless devices , 2008, WiSec '08.

[15]  Christoph Neumann,et al.  An Empirical Study of Passive 802.11 Device Fingerprinting , 2012, 2012 32nd International Conference on Distributed Computing Systems Workshops.

[16]  Xiaojiang Chen,et al.  Exploiting Wireless Received Signal Strength Indicators to Detect Evil-Twin Attacks in Smart Homes , 2017, Mob. Inf. Syst..

[17]  Wenyuan Xu,et al.  CETAD: Detecting evil twin access point attacks in wireless hotspots , 2014, 2014 IEEE Conference on Communications and Network Security.

[18]  Zhuoqing Morley Mao,et al.  Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[19]  Frank Piessens,et al.  Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 , 2017, CCS.