Wi-Fi is the most popular wireless networking protocol in the world and has existed for almost 20 years, but in that time, the Layer 2 attack surface has remained largely undefended against many wireless attacks. Our Director of Product Management and resident Wi-Fi expert Ryan Orsi recently wrote a guest blog for Dark Reading that explains how Wi-Fi security is lagging across the wireless industry and digs into the details of one particularly dangerous Wi-Fi threat – the Evil Twin AP.
The Evil Twin AP works by using 802.11 radios to broadcast the same SSIDs as legitimate Wi-Fi access points, tricking victims’ devices into associating with the attacker’s device instead of the intended AP. Once that happens, the victim’s traffic flows through the attacker’s AP, and the attacker can manipulate or spy on the victim’s internet activity. Here’s an excerpt from Ryan’s article about the consequences of this attack:
“This entire process is used to allow attackers to establish MitM positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log in the user. As the target, you might believe you’ve simply logged in to your email account as always — but in reality, you have handed your credentials over to an attacker.”
The Evil Twin is widely known in hacking communities, and it’s very effective. In fact, the US Department of Justice recently charged agents from the Russian military hacking group GRU with using an Evil Twin attack to steal credentials and force malware onto targets like anti-doping organizations and chemical testing labs.
So how do you prevent this kind of attack? As an individual, you can use a Virtual Private Network (VPN) while connected to Wi-Fi in order to conceal your traffic from an Evil Twin attack. Businesses should use Wi-Fi solutions that leverage Wireless Intrusion Prevention System (WIPS) capabilities to detect and prevent wireless attacks, but be aware that these products vary widely in their effectiveness. As a matter of fact, according to a recent Miercom test of APs from major networking vendors, only WatchGuard’s Secure Wi-Fi access points proved capable of automatically detecting and preventing every known Wi-Fi threat category.
This is part of a larger issue with security in the Wi-Fi industry. Most of the R&D in the past several years has gone toward improving the range, throughput and connectivity of APs, while security has been neglected. That’s why WatchGuard developed the Trusted Wireless Environment Framework, a guide to building complete Wi-Fi networks that are fast, easy to manage, and most importantly, secure. Without more education on what Wi-Fi security threats exist and how to design networks that protect against them, threats like the Evil Twin attack will persist.
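Because an Evil Twin advertises a legitimate SSID from a radio the network owner does not control, one basic detection check is to compare observed beacons against an inventory of authorized APs. The following is an added example, not code from the Dark Reading article or from any WatchGuard product; the SSID, BSSIDs, security labels and scan records are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: protected SSID -> {authorized BSSID: expected security}.
AUTHORIZED = {
    "CorpWiFi": {
        "02:00:00:aa:bb:01": "WPA2-Enterprise",
        "02:00:00:aa:bb:02": "WPA2-Enterprise",
    },
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    security: str

def _norm(ssid: str) -> str:
    # Fold case and surrounding whitespace so look-alike SSIDs are still compared.
    return ssid.strip().casefold()

def classify(beacon: Beacon, authorized=AUTHORIZED) -> str:
    protected = {_norm(name): aps for name, aps in authorized.items()}
    aps = protected.get(_norm(beacon.ssid))
    if aps is None:
        return "ignore"             # not an SSID we protect
    expected = aps.get(beacon.bssid.lower())
    if expected is None:
        return "unknown-bssid"      # our SSID from a radio not in the inventory
    if beacon.security != expected:
        return "security-mismatch"  # known BSSID advertising unexpected security
    # A radio that copies both the BSSID and the security settings passes this
    # check; catching it needs further signals that are out of scope here.
    return "authorized"

def find_suspects(beacons):
    flagged = ("unknown-bssid", "security-mismatch")
    return [(b.bssid.lower(), v) for b in beacons if (v := classify(b)) in flagged]

# Constructed scan results (not captured from a real network).
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "02:00:00:AA:BB:01", "WPA2-Enterprise"),
    Beacon("CorpWiFi", "02:00:00:de:ad:01", "Open"),
    Beacon("CorpWiFi", "02:00:00:aa:bb:02", "Open"),
    Beacon("CoffeeShop", "02:00:00:11:22:33", "WPA2-Personal"),
    Beacon("corpwifi ", "02:00:00:DE:AD:02", "WPA2-Personal"),
]

if __name__ == "__main__":
    for bssid, verdict in find_suspects(SAMPLE_SCAN):
        print(bssid, verdict)
```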