
Beware your 'evil twin'

Robert Vamosi CNET

Published: 31 Jan 2005


There's a TV ad that shows two young men in an Internet cafe, one using a friend's debit card to purchase a latte, while the debit card owner, sitting beside a wireless notebook logged in to his bank account, repeatedly hits the refresh button on his Internet browser. The advert illustrates how quickly debit purchases post to your online bank account. Unfortunately, the ad also illustrates a new vector for criminal hackers (crackers): impersonating access points in public wireless hot spots to steal personal information by overpowering the legitimate signals.

Evil twin attacks
Dubbed 'evil twin attacks', they occur when a cracker sets up an attack computer as a duplicate public access point in a cafe or airport, mirroring the actual settings but with a much stronger signal. An unsuspecting patron then simply logs in to the stronger but fraudulent signal. The user still connects to the Internet, but through the cracker's system. This allows the cracker to sniff or read any data that the victim is sending via the Internet, such as the login ID and password for an online bank account.

If you're just surfing the Web, looking for sports scores or weather in a foreign city, you aren't risking too much. But if you're logging on from an Internet cafe or airport waiting area to order a present for your wife online, you could find yourself a potential identity theft victim. Not all e-commerce sites are secure.

Not something new
Evil twin attacks, recently mentioned during a conference at Cranfield University, are not new. The security company Internet Security Systems first mentioned this practice in a 2002 paper called 'BaseStation Clone (Evil Twin) Intercept Traffic'. Also back in 2002, I wrote about wireless man-in-the-middle attacks, which are a similar concept. The recent media buzz coming out of the Cranfield conference is that these attacks are very similar to email phishing attacks.

Traditional phishing attacks involve email pretending to be from EarthLink, eBay, PayPal or even your bank, directing you to a fraudulent Web site where you are then asked to 'update' your account info. In these cases, the account info is quite intrusive, requesting personal information such as your mother's maiden name and your social security number. The attacker then uses this information for identity theft.

Evil twin phishing attacks take advantage of people's blind trust in free hot spots. As with clicking an email link and ending up on some cracker's look-alike Web site, the wireless phishing experience is transparent: most wireless users won't know that they've associated with a cracker's look-alike access point or base station. Meanwhile, the attacker is collecting personal data from their Internet session.

Perspective
So what are the chances you could become an evil twin victim? Not that great. Seriously, you stand more of a chance of identity theft from someone standing nearby and reading your ID and password from over your shoulder (particularly in a crowded airport lounge). But the point of this and other wireless advisories is to remind you that practically every public hot spot available today is wide open and unsecured. Always proceed with caution. Just because it's unlikely that someone's sniffing your wireless session doesn't mean that it could never happen.

Prevention
You can take steps to secure your own networks, such as using Wired Equivalent Privacy (WEP) encryption or the new Wi-Fi Protected Access (WPA) standard. You can also use Secure Sockets Layer (SSL) sessions, virtual private networks (VPNs), and digital certificates to keep third parties from sniffing your wireless sessions.

But when you're out on the road, what do you do? Given that the fraudulent evil twin signal must be stronger than the legitimate signal, your attacker might be nearby: in a parked car, a flat above the establishment, or a lounge seat over by the window. I don't recommend approaching every notebook user you happen to see, however.

I know of only one commercial product, Trend Micro's PC-cillin Internet Security 12, that monitors wireless connections, alerting you whenever someone new tries to join your network or your network changes suddenly. That's one reason PC-cillin is our current antivirus Editors' Choice. A good firewall, such as ZoneAlarm Pro, will also alert you to new networks and ask whether you wish to trust them.
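The kind of check such monitoring performs can be sketched as follows. This is an added example, not part of the original article and not the logic of either product named above. It compares a Wi-Fi scan against a recorded baseline and flags a beacon that reuses a known hot spot name from an unrecorded access point, especially one with a much stronger signal. The network names, MAC addresses, scan records and the 10 dB margin are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str        # network name as advertised
    bssid: str       # access point MAC address
    signal_dbm: int  # closer to 0 is stronger: -40 beats -70
    security: str    # "open", "WEP" or "WPA"

# Constructed baseline: access points previously recorded for each hot spot name.
BASELINE = {"CafeWiFi": {"00:11:22:33:44:55": "open"}}
MARGIN_DB = 10  # assumed threshold for "much stronger" than the known AP

def find_suspects(scan, baseline=BASELINE, margin_db=MARGIN_DB):
    """Return (beacon, reasons) for beacons that reuse a known SSID
    but do not match the access point recorded for it."""
    suspects = []
    for b in scan:
        known = baseline.get(b.ssid)
        if known is None:
            continue  # name never recorded, so there is nothing to compare
        reasons = []
        if b.bssid not in known:
            reasons.append("unknown-bssid")
            # Signal of the recorded AP(s) for this name in the same scan.
            legit = [x.signal_dbm for x in scan
                     if x.ssid == b.ssid and x.bssid in known]
            if legit and b.signal_dbm >= max(legit) + margin_db:
                reasons.append("stronger-than-known-ap")
        elif known[b.bssid] != b.security:
            reasons.append("security-changed")  # settings changed suddenly
        if reasons:
            suspects.append((b, reasons))
    return suspects

# Constructed scan: the recorded cafe AP, a louder duplicate, an unrelated network.
SAMPLE_SCAN = [
    Beacon("CafeWiFi", "00:11:22:33:44:55", -68, "open"),
    Beacon("CafeWiFi", "66:77:88:99:aa:bb", -41, "open"),
    Beacon("AirportLounge", "de:ad:be:ef:00:01", -60, "WPA"),
]

if __name__ == "__main__":
    for beacon, reasons in find_suspects(SAMPLE_SCAN):
        print(beacon.ssid, beacon.bssid, beacon.signal_dbm, ", ".join(reasons))
```

A flagged beacon is a prompt to ask the venue which access points it operates, not proof of an attack, since legitimate hot spots often run several access points under one name.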

Short of software, the only sure way to avoid this nightmare is to abstain from transmitting passwords, financial data or other sensitive personal information via public wireless networks. And whatever you do, don't imitate what you see on TV.
