Hacker's toolbox: Detecting software-based 802.11 evil twin access points

The use of public Wi-Fi hotspots has become part of everyday life: they are ubiquitous and offer fast, inexpensive connectivity for all kinds of client devices. They are, however, exposed to a severe security threat. Because 802.11 identifiers (SSID, BSSID) are trivially forged, an attacker can set up an evil twin, i.e., an access point (AP) that users cannot distinguish from a legitimate one. Once a user connects to the evil twin, the attacker gains a playground for attacks such as harvesting sensitive data (e.g., credit card numbers, passwords) or man-in-the-middle attacks, even against encrypted traffic. It is particularly alarming that this weakness has led to several freely available, easy-to-use tools that mount the attack from commodity client devices such as laptops, smartphones or tablets without attracting attention. In this paper we give a detailed overview of tools that have been developed (or can be misused) to set up evil twin APs. We inspect them thoroughly to identify characteristics that distinguish them from legitimate hardware-based access points. Our analysis yields three methods for detecting software-based APs; they exploit inaccuracies in the emulation of hardware behavior and peculiarities of the client Wi-Fi hardware on which the tools run. Our evaluation with 60 hardware APs and a variety of tools on different platforms shows a large potential for reliable detection. Furthermore, our methods run on typical client hardware within a short period of time, without even connecting to the potentially untrustworthy access point.
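As an added illustration, not code from the paper (whose abstract does not spell out its three detection methods), the following Python script shows the shape of a passive, client-side check of the kind the abstract describes: beacon frames are captured in monitor mode without associating, parsed for BSSID, SSID, TSF timestamp and beacon interval, and each BSSID's beacon timing regularity is scored. The heuristic (arrival jitter relative to the advertised beacon interval, and disagreement between the TSF timestamp and the capture clock), the 500 µs threshold, the two APs, their frames and all timestamps are assumptions constructed for this example; a real deployment would calibrate such thresholds against known-good hardware APs before trusting a verdict.

```python
import struct
from collections import defaultdict

TU_US = 1024  # one 802.11 time unit (TU) is 1024 microseconds

def build_beacon(bssid, ssid, tsf, interval_tu=100, channel=6):
    """Build a minimal raw 802.11 beacon frame (constructed test data; no radiotap header, no FCS)."""
    header = (b"\x80\x00"          # frame control: type=management, subtype=beacon
              + b"\x00\x00"        # duration
              + b"\xff" * 6        # DA: broadcast
              + bssid              # SA
              + bssid              # BSSID
              + b"\x00\x00")       # sequence control
    # fixed parameters: 64-bit TSF timestamp, beacon interval in TU, capability info
    fixed = struct.pack("<QHH", tsf, interval_tu, 0x0411)
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])  # SSID IE, DS Parameter Set IE
    return header + fixed + ies

def parse_beacon(frame):
    """Extract BSSID, SSID, TSF, beacon interval (us) and channel from a raw beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    tsf, interval_tu, _cap = struct.unpack_from("<QHH", frame, 24)
    ssid = channel = None
    off = 36
    while off + 2 <= len(frame):            # walk the tagged parameters (IEs)
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if tag == 0:
            ssid = body.decode(errors="replace")
        elif tag == 3 and length == 1:
            channel = body[0]
        off += 2 + length
    return {"bssid": bssid, "ssid": ssid, "tsf": tsf,
            "interval_us": interval_tu * TU_US, "channel": channel}

def beacon_timing_stats(captures):
    """captures: list of (capture_time_us, frame). Returns per-BSSID timing regularity figures.
    Heuristic (an assumption for this example, not the paper's method): a hardware AP keeps
    beacons on a tight schedule relative to the advertised interval and its TSF advances in
    lockstep with the sniffer's clock; an AP scheduling beacons from a host process jitters more."""
    by_bssid = defaultdict(list)
    for t, frame in captures:
        b = parse_beacon(frame)
        by_bssid[b["bssid"]].append((t, b))
    stats = {}
    for bssid, items in by_bssid.items():
        items.sort(key=lambda x: x[0])
        interval = items[0][1]["interval_us"]
        arrival_err, tsf_err = [], []
        for (t0, b0), (t1, b1) in zip(items, items[1:]):
            gap = t1 - t0
            arrival_err.append(abs(gap - interval))                 # deviation from advertised schedule
            tsf_err.append(abs((b1["tsf"] - b0["tsf"]) - gap))      # TSF vs. capture clock disagreement
        stats[bssid] = {"ssid": items[0][1]["ssid"], "beacons": len(items),
                        "max_arrival_jitter_us": max(arrival_err, default=0),
                        "max_tsf_drift_us": max(tsf_err, default=0)}
    return stats

def flag_suspicious(stats, threshold_us=500):
    """BSSIDs whose timing exceeds the (assumed, to-be-calibrated) threshold."""
    return sorted(b for b, s in stats.items()
                  if s["max_arrival_jitter_us"] > threshold_us or s["max_tsf_drift_us"] > threshold_us)

def ssid_collisions(stats):
    """SSIDs advertised by more than one BSSID. Legitimate in a multi-AP ESS, so only a hint."""
    seen = defaultdict(list)
    for b, s in stats.items():
        seen[s["ssid"]].append(b)
    return {ssid: sorted(bs) for ssid, bs in seen.items() if len(bs) > 1}

def constructed_captures():
    """Constructed sniffer trace: one tightly timed AP and one loosely timed AP sharing an SSID."""
    hw, sw = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    hw_jitter = [0, 12, -8, 25, -17, 9, 30, -22, 4, -11]                    # tens of microseconds
    sw_jitter = [0, 1840, -950, 2600, -1200, 3100, -400, 1500, -2800, 700]  # millisecond scale
    caps = []
    for i in range(10):
        t_hw = i * 100 * TU_US + hw_jitter[i]
        caps.append((t_hw, build_beacon(hw, "CoffeeShop", 5_000_000_000 + t_hw)))
        t_sw = i * 100 * TU_US + 40_000 + sw_jitter[i]   # second AP started 40 ms later
        caps.append((t_sw, build_beacon(sw, "CoffeeShop", 77_000_000 + t_sw)))
    return caps

if __name__ == "__main__":
    stats = beacon_timing_stats(constructed_captures())
    for bssid, s in stats.items():
        print(bssid, s)
    print("suspicious:", flag_suspicious(stats))
    print("shared SSIDs:", ssid_collisions(stats))
```

On real input the capture timestamps would come from the sniffer's radiotap header rather than the constructed list, and beacon arrival on a busy channel is legitimately delayed by medium contention, which is why the TSF-versus-capture-clock comparison is kept alongside the raw arrival jitter: a correct implementation stamps the TSF at actual transmit time, so the two clocks should still agree even when a beacon is late.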
