Evil Twin Attacks Research Articles

A robust certificate management system to prevent evil twin attacks in IEEE 802.11 networks

A robust certificate management system to prevent evil twin attacks in IEEE 802.11 networks

BiRe: A client-side Bi-directional SYN Reflection mechanism against multi-model evil twin attacks

The evil twin attack (ETA) has been a persistent security threat for decades in wireless local area networks (WLANs). An ETA refers to a rogue access point (RAP) impersonating a legal access point (LAP) to allure wireless users’ connection. Such attacks give rise to serious privacy leakage and property damages, motivating intensive research on ETA detection in both academic and manufacturing communities. Among existing ETA detection methods, those deployed at client side are superior to the typical admin-side ones because of the particular requirements on dedicated equipments at admin side and the lack of real-time protection. Unfortunately, available client-side ETA detection mechanisms are simply targeted to specific evil twin model and fail to provide adequate detection rate. In this paper, we propose a multi-model ETA detection mechanism at client side, called BiRe. Inspired by the request-response reflection stated in TCP handshake process, BiRe employs a novel Bi-directional TCP SYN Reflection to determine the existence of an ETA and differentiate among various attack models. A pair of wireless adapters are employed to cooperatively initiate TCP handshakes and monitor the absence of the expected TCP SYN-ACK packets. The remarkable feature of BiRe is to make the number of such absences as a feasible indicator for the ETA model identification. The results from extensive real-world experiments demonstrate the distinguishing performance of BiRe, achieving as high as 100% detection rate in multi-model ETA scenarios. Moreover, a free lightweight Linux tool has been developed based on BiRe to automate client-side ETA detection.

SLFAT: Client-Side Evil Twin Detection Approach Based on Arrival Time of Special Length Frames

In general, the IEEE 802.11 network identifiers used by wireless access points (APs) can be easily spoofed. Accordingly, a malicious adversary is able to clone the identity information of a legitimate AP (LAP) to launch evil twin attacks (ETAs). The evil twin is a class of rogue access point (RAP) that masquerades as a LAP and allures Wi-Fi victims’ traffic. It enables an attacker with little effort and expenditure to eavesdrop or manipulate wireless communications. Due to the characteristics of strong concealment, high confusion, great harmfulness, and easy implementation, the ETA has become one of the most severe security threats in Wireless Local Area Networks (WLANs). Here, we propose a novel client-side approach, Speical Length Frames Arrival Time (SLFAT), to detect the ETA, which utilizes the same gateway as the LAP. By monitoring the traffic emitted by target APs at a detection node, SLFAT extracts the arrival time of the special frames with the same length to determine the evil twin’s forwarding behavior. SLFAT is passive, lightweight, efficient, hard to be escaped. It allows users to independently detect ETA on ordinary wireless devices. Through implementation and evaluation in our study, SLFAT achieves a very high detection rate in distinguishing evil twins from LAPs.

VOUCH-AP: privacy preserving open-access 802.11 public hotspot AP authentication mechanism with co-located evil-twins

Open-access 802.11 public Wi-Fi hotspots support rudimentary low-level authentication at the access-point link-layer but offers no authentication mechanisms for the clients. Hence, there is a fundamental information asymmetry at play, enabling an adversary to launch AP-based evil-twin attacks. In this paper, we address this information asymmetry problem and propose a simple yet powerful solution for identifying and eliminating malicious APs, thereby providing users safe and private 802.11 public hotspots. Our proposed VOUCH-AP is a portable, platform-independent AP authentication framework. VOUCH-AP is, to our best knowledge, the first work to consider digital certificate-based AP authentication. The proposed solution does not require any hardware upgrades or specialised hardware, unlike 802.11i (aka WPA2). Finally, through security analysis, we show the security robustness of the proposed VOUCH-AP framework to counter evil-twin attacks.

Mitigating Evil Twin Attacks in Wireless 802.11 Networks at Jordan

Mitigating Evil Twin Attacks in Wireless 802.11 Networks at Jordan

Secure Device Pairing Methods: An Overview

The procedure of setting up a secure communication channel among unfamiliar human-operated devices is called “Secure Device Pairing”. Secure binding of electronic devices is a challenging task because there are no security measures and commonly trusted infrastructure. It opens up the doors for many security threats and attacks e.g. man in middle and evil twin attacks. In order to mitigate these attacks different techniques have been proposed; some level of user participation is required in decreasing attacks in the device pairing process. A comparative and comprehensive evaluation of prominent secure device pairing methods is described here. The main motive of this research is to summarize the cryptographic protocols used in pairing process and compare the existing methods to secure the pairing devices. That will help in selecting best method according to the situation, as the most popular or easy method, instead they choose different methods in different circumstances.

Exploiting Wireless Received Signal Strength Indicators to Detect Evil-Twin Attacks in Smart Homes

Evil-Twin is becoming a common attack in smart home environments where an attacker can set up a fake AP to compromise the security of the connected devices. To identify the fake APs, The current approaches of detecting Evil-Twin attacks all rely on information such as SSIDs, the MAC address of the genuine AP, or network traffic patterns. However, such information can be faked by the attacker, often leading to low detection rates and weak protection. This paper presents a novel Evil-Twin attack detection method based on the received signal strength indicator (RSSI). Our approach considers the RSSI as a fingerprint of APs and uses the fingerprint of the genuine AP to identify fake ones. We provide two schemes to detect a fake AP in two different scenarios where the genuine AP can be located at either a single or multiple locations in the property, by exploiting the multipath effect of the Wi-Fi signal. As a departure from prior work, our approach does not rely on any professional measurement devices. Experimental results show that our approach can successfully detect 90% of the fake APs, at the cost of a one-off, modest connection delay.

Active User-Side Evil Twin Access Point Detection Using Statistical Techniques

In this paper, we consider the problem of “evil twin” attacks in wireless local area networks (WLANs). An evil twin is essentially a rogue (phishing) Wi-Fi access point (AP) that looks like a legitimate one (with the same SSID). It is set up by an adversary, who can eavesdrop on wireless communications of users' Internet access. Existing evil twin detection solutions are mostly for wireless network administrators to verify whether a given AP is in an authorized list or not, instead of for a wireless client to detect whether a given AP is authentic or evil. Such administrator-side solutions are limited, expensive, and not available for many scenarios. Thus, a lightweight, effective, and user-side solution is highly desired. In this work, we propose a novel user-side evil twin detection technique that outperforms traditional administrator-side detection methods in several aspects. Unlike previous approaches, our technique does not need a known authorized AP/host list, thus it is suitable for users to identify and avoid evil twins. Our technique does not strictly rely on training data of target wireless networks, nor depend on the types of wireless networks. We propose to exploit fundamental communication structures and properties of such evil twin attacks in wireless networks and to design new active, statistical and anomaly detection algorithms. Our preliminary evaluation in real-world widely deployed 802.11b and 802.11 g wireless networks shows very promising results. We can identify evil twins with a very high detection rate while maintaining a very low false positive rate.

A comparative study of secure device pairing methods

“Secure Device Pairing” or “Secure First Connect” is the process of bootstrapping a secure channel between two previously unassociated devices over some (usually wireless) human-imperceptible communication channel. Absence of prior security context and common trust infrastructure open the door for the so-called Man-in-the-Middle and Evil Twin attacks. Mitigation of these attacks requires some level of user involvement in the device pairing process. Prior research yielded a number of technically sound methods relying on various auxiliary human-perceptible out-of-band channels, e.g., visual, acoustic and tactile. Such methods engage the user in authenticating information exchanged over the human-imperceptible channel, thus defending against MiTM attacks and forming the basis for secure pairing. This paper reports on a comprehensive and comparative evaluation of notable secure device pairing methods. This evaluation was obtained via a thorough analysis of these methods, in terms of both security and usability. The results help us identify methods best-suited for specific combinations of devices and human abilities. This work is an important step in understanding usability in one of the rare settings where a very wide range of users (not just specialists) are confronted with modern security technology.