Abstract

The evil twin attack (ETA) has been a persistent security threat in wireless local area networks (WLANs) for decades. In an ETA, a rogue access point (RAP) impersonates a legitimate access point (LAP) to lure wireless users into connecting to it. Such attacks cause serious privacy leakage and property damage, motivating intensive research on ETA detection in both the academic and manufacturing communities. Among existing ETA detection methods, those deployed at the client side are superior to the typical admin-side ones, because admin-side methods require dedicated equipment and lack real-time protection. Unfortunately, available client-side ETA detection mechanisms each target only a specific evil twin model and fail to provide an adequate detection rate. In this paper, we propose a multi-model client-side ETA detection mechanism called BiRe. Inspired by the request-response reflection in the TCP handshake process, BiRe employs a novel Bi-directional TCP SYN Reflection to determine the existence of an ETA and to differentiate among various attack models. A pair of wireless adapters cooperatively initiate TCP handshakes and monitor for the absence of the expected TCP SYN-ACK packets. The remarkable feature of BiRe is that it uses the number of such absences as a feasible indicator for ETA model identification. The results from extensive real-world experiments demonstrate the distinguishing performance of BiRe, which achieves as high as 100% detection rate in multi-model ETA scenarios. Moreover, a free lightweight Linux tool has been developed based on BiRe to automate client-side ETA detection.
