EvilScout: Detection and Mitigation of Evil Twin Attack in SDN Enabled WiFi

Abstract

Spoofing the identity of a WiFi access point (AP) is trivial. Consequently, an adversary can impersonate the legitimate AP (LAP) by mimicking its network name (SSID) and MAC address (BSSID). This fake AP is called the evil twin. An evil twin can perform multiple attacks such as man-in-the-middle (MITM) attack between the LAP and a wireless client as well as service blocking of LAP. Existing solutions rely on the collection and calculation of information with the AP and/or client for finding evidence of evil twins in the WiFi network. Some of them require additional hardware to acquire further information that cannot be provided by the AP/client. In this paper, we propose “EvilScout,” an evil twin detection and mitigation framework that utilizes the information of the IP-prefix distribution by the LAP. EvilScout exploits the SDN potential for detection of an evil twin without the need of any additional hardware or modifications at the AP or client. Additionally, the information that becomes available at the SDN controller enables simplified and more accurate evil twin detection. This paper presents the implementation of EvilScout over a real SDN WiFi testbed with an actual evil twin. We verify the successful detection of the evil twin with high accuracy and low processing cost at the SDN WiFi. We perform a rigorous analysis of the evil twin in different WiFi setups and discover a new “AP Service Blocking” attack by the evil twin adversary in the WPA2 protected WiFi for the first time.