The MAC layer of the 802.11 protocol possesses inherent weaknesses that make it vulnerable to various security attacks such as denial of service, deauthentication attacks, flooding attacks, and rogue access points (RAPs). In this manuscript we focus on the evil twin attack. An evil twin is a RAP set up by cloning the MAC address and the Service Set IDentifier (SSID) of an existing wireless access point (AP). An evil twin is set up so that clients unknowingly connect to it under the impression that they are connected to a genuine AP. Once a client is connected, an attacker eavesdrops on its traffic to hijack the client's communication, redirect the client to malicious websites, or steal the credentials of the clients connecting to it. Existing methods to detect an evil twin include maintaining white lists, patching the AP or client, timing-based solutions, and protocol modifications. These methods usually require extensive setup and maintenance, have scalability and compatibility issues, or require changes to the protocol stack, making them expensive to deploy and manage. Network conditions under normal operation and under an evil twin attack are almost identical, so crafting a signature or defining an anomaly pattern usually leads to a large number of false positives. In this manuscript, we propose an IDS for detecting the evil twin attack which addresses most of the issues associated with existing detection mechanisms. The scheme is further proved to detect a single evil twin, multiple evil twins for a single AP, and multiple evil twins for multiple APs. The proposed IDS has been deployed in a lab environment; its detection rate exceeds the 92% mark and its accuracy is 100% in all runs.
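To make the detection problem concrete, the following is an added illustration (not the IDS proposed in the manuscript) of the white-list style of evil twin detection the abstract mentions. It groups passively captured beacon frames by the (BSSID, SSID) pair that an evil twin clones and raises an alert when one such pair is observed with attributes a single physical radio would not produce: several channels at once, varying beacon intervals, an implausible RSSI spread inside a short window, or a mismatch against an inventory of authorized APs. The beacon records, the inventory, and the thresholds (`RSSI_SPREAD_DBM`, `WINDOW_S`) are constructed assumptions; a real deployment would feed parsed beacons from a capture tool into `detect_evil_twins`.

```python
"""Heuristic evil twin detection over passively observed 802.11 beacons.

Added example, not the manuscript's IDS. All beacon records, the AP
inventory and the thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ts: float       # capture timestamp in seconds
    bssid: str      # transmitter MAC address (cloned by an evil twin)
    ssid: str       # network name (also cloned)
    channel: int    # channel on which the beacon was received
    rssi: int       # received signal strength in dBm
    interval: int   # advertised beacon interval in time units


# "White list" of authorized APs keyed by (BSSID, SSID). Constructed values.
KNOWN_APS: Dict[Tuple[str, str], Dict[str, int]] = {
    ("aa:bb:cc:dd:ee:01", "CorpWiFi"): {"channel": 6, "interval": 100},
}

# Assumed tuning: one radio rarely swings more than this within one window.
RSSI_SPREAD_DBM = 20
WINDOW_S = 5.0


def _rssi_spread_in_window(obs: List[Beacon]) -> int:
    """Largest RSSI spread seen among beacons that fall within WINDOW_S."""
    obs = sorted(obs, key=lambda b: b.ts)
    worst = 0
    for i, first in enumerate(obs):
        window = [b.rssi for b in obs[i:] if b.ts - first.ts <= WINDOW_S]
        worst = max(worst, max(window) - min(window))
    return worst


def detect_evil_twins(beacons: Iterable[Beacon],
                      known: Dict[Tuple[str, str], Dict[str, int]] = KNOWN_APS
                      ) -> List[Tuple[str, str, str]]:
    """Return (bssid, ssid, reason) alerts for suspicious BSSID/SSID pairs."""
    alerts: List[Tuple[str, str, str]] = []
    groups: Dict[Tuple[str, str], List[Beacon]] = defaultdict(list)
    for b in beacons:
        groups[(b.bssid, b.ssid)].append(b)
    known_ssids = {ssid for (_, ssid) in known}

    for (bssid, ssid), obs in groups.items():
        channels = sorted({b.channel for b in obs})
        intervals = sorted({b.interval for b in obs})
        # One physical AP beacons on one channel with one interval.
        if len(channels) > 1:
            alerts.append((bssid, ssid, f"beacons on several channels {channels}"))
        if len(intervals) > 1:
            alerts.append((bssid, ssid, f"beacon interval varies {intervals}"))
        # Two radios sharing a cloned BSSID show up as an RSSI spread that
        # a single transmitter would not produce within a short window.
        spread = _rssi_spread_in_window(obs)
        if spread > RSSI_SPREAD_DBM:
            alerts.append((bssid, ssid, f"RSSI spread {spread} dBm within {WINDOW_S}s"))
        # Inventory checks: known pair on the wrong channel, or a known SSID
        # advertised by a BSSID that is not in the inventory at all.
        expected = known.get((bssid, ssid))
        if expected is not None:
            bad = sorted({b.channel for b in obs if b.channel != expected["channel"]})
            if bad:
                alerts.append((bssid, ssid,
                               f"channel(s) {bad} differ from inventory ({expected['channel']})"))
        elif ssid in known_ssids:
            alerts.append((bssid, ssid, "known SSID advertised by BSSID not in inventory"))
    return alerts


# Constructed capture: the genuine AP plus an unrelated neighbour network.
LEGIT_BEACONS = [Beacon(float(t), "aa:bb:cc:dd:ee:01", "CorpWiFi", 6, -45 + (t % 2), 100)
                 for t in range(4)]
LEGIT_BEACONS += [Beacon(float(t), "bb:bb:cc:dd:ee:02", "GuestNet", 1, -60, 100)
                  for t in range(4)]

# Constructed capture of a clone of the genuine AP transmitting on channel 11.
TWIN_BEACONS = [Beacon(t + 0.5, "aa:bb:cc:dd:ee:01", "CorpWiFi", 11, -75, 100)
                for t in range(4)]


if __name__ == "__main__":
    print("clean capture:", detect_evil_twins(LEGIT_BEACONS))
    for alert in detect_evil_twins(LEGIT_BEACONS + TWIN_BEACONS):
        print("ALERT", *alert)
```

Run stand-alone, the clean capture produces no alerts and the capture containing the clone yields three alerts for the cloned pair (several channels, RSSI spread, channel differing from inventory). The abstract's point about false positives applies directly: a legitimate AP that roams between channels or a client moving through a building can trip the same heuristics, which is why thresholds like these must be tuned to the site before they are trusted.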