ETGuard: Detecting D2D attacks using wireless Evil Twins

Abstract

In this paper, we demonstrate a realistic variant of wireless Evil Twins (ETs) for launching device to device (D2D) attacks over the network, particularly for Android. An ET can be defined as a rogue Access Point (AP) created by hackers to resemble the authentic AP in a network zone. The existing attacks that can be launched through ETs include sniffing, Man-in-the-Middle (MITM) attack, etc. However, these attacks affect the devices after their association and transmission of user traffic through an ET. We show an attack where an ET infects an Android device before the relay of network traffic through it, and disappears from the network immediately after inflicting the device. The attack leverages the captive portal facility of wireless networks to launch D2D attack. We configure an ET to launch a malicious component of an already installed app in the device on submission of the portal page. For example, the malicious component can be either a service which opens a port, or sends an SMS to premium number, or exfiltrates sensitive information to malicious server. Thus, the attack may lead to any number of consequences. The existing ET detection solutions on APs are incapable of preventing this attack due to two reasons – either they analyse an ET after the relay of user traffic through it, or they can detect this attack only for hardware ETs. In this paper, we present an online, incremental, automated, fingerprinting based pre-association detection mechanism named as ETGuard which works as a client-server mechanism in real-time. The fingerprints are constructed from the beacon frames transmitted by the wireless APs periodically to inform client devices of their presence and capabilities in a network. Once detected, ETGuard continuously transmits deauthentication frames to prevent clients from connecting to an ET. ETGuard outperforms the existing state-of-the-art techniques from various perspectives. Our technique does not require any expensive hardware, does not modify any protocols, does not rely on any network specific parameters such as Round Trip Time (RTT), number of hops, etc., can be deployed in a real network, is incremental, and operates passively to detect ETs in real-time. To evaluate the efficiency, we deploy ETGuard in 802.11a/b/g wireless networks. The experiments are conducted using 12 different attack scenarios where each scenario differs in the source used for introducing an ET. ETGuard effectively detects ETs introduced either through a hardware, software, or mobile hotspot with high accuracy, only one false positive scenario, and no false negatives.