The Rocket

Evil twin wi-fi networks snare unknowing users

Bitter Bytes

By Brandon Himes
Rocket Web Editor

Issue date: 2/24/06 Section: Life

Recently the ethically reprehensible have developed yet another way to take advantage of unknowing internet users. This time the insidious black hat crowd has developed an attack that targets wireless networks, often those that are available freely in public places. The attack has been nicknamed the "evil twin" attack and it has made using wi-fi in public more dangerous than a quail hunting trip with Dick Cheney.

The evil twin attack is carried out by a seedy individual going to a public wi-fi hotspot and creating a second "evil twin" hotspot. This hotspot is made to look exactly like the legitimate one, so that even under examination it is indistinguishable from the well-intentioned public hotspot. The rogue wi-fi network now serves as a trap for unsuspecting users.

As users enter the hotspot, only the most diligent of them will examine the available connections and attempt to select the correct connection. Most users won't bother and their devices will automatically pick up the strongest signal, the rogue network. The diligent users may also fall victim to the rogue network, as a duplicate network may not seem overtly nefarious and since the networks are indistinguishable, even well-seasoned users may log onto the black hat's trick network.

Logging on to the wrong network seems benign at first glance. Why is this even a problem if users are still accessing the Internet? The answer is that logging on to a compromised network of any sort, wired or wireless, is dangerous. A compromised network opens the door for a devious attack called "pharming." But before you can understand "pharming" you must understand "phishing." I'm not talking about cows and trout here. As funny and unprofessional as those terms sound, they are the industry standard in this age of Internet chat lingo.

Phishing is an attack that focuses more on deception than technical black magic. Phishing describes when a shameful individual pretends to be a legitimate agency or source and asks a user to send personal information that the phisher can then exploit. The most common version of this kind of attack is in the form of an email. This email will present itself as a friendly reminder from eBay, CitiBank or any organization with which a potential victim might presently hold an account. The email requests that the recipient (only the very best will be addressed by name) follow a hyperlink to update their account information. Unbeknownst to the victim, the destination of the hyperlink is really a web site created by the phisher for the sole purpose of stealing the victim's information.

Under examination, the web address of the phisher site is exposed as it will only look like the correct address at first glance. The web address will be "www1.ebay.com", "a.www.ebay.com" or some other such mutilation of the correct address. Diligent users who suspect an email is a phishing attempt quickly debunk such attempts by examining the address. Pharming presents a far worse threat as it is not easily debunked by simple examination.

Pharming exploits a Domain Name System (DNS) server. A DNS server is a computer on your network or that of your internet service provider that translates domain names into IP (internet protocol) addresses. Boiled down, that means that Google's address is really "64.233.179.99," but since no normal human being can remember that, and because it is subject to change, a DNS server somewhere translates "www.google.com" into "64.233.179.99" so that Google can be located.

A pharming attack causes a DNS server to wrongly translate a web address. This is useful to someone who practices the black arts because now a phishing attack can be combined with this. Now a phishing site doesn't have to be distinguishable by an incorrect web address because instead of "www.google.com" being translated to the correct "64.233.179.99," it is translated to a different address where a phishing site is located. A phishing site combined with pharming can be a perfect clone of the true version, with no way for the user to tell the difference. So, someone using an evil twin attack can make false versions of popular sites like eBay and CitiBank, betting that someone that logs onto their rogue wi-fi network will visit them. When the deed is done the treacherous black hat slips away without a trace, personal information in hand.
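The wrong-translation problem described above can be spotted by comparing what the hotspot's resolver says against answers recorded earlier from a resolver you trust. The sketch below is an added example, not part of the original column; the hostnames, addresses and the baseline-comparison approach are assumptions made for illustration, and the data is constructed.

```python
import ipaddress

# Constructed data. BASELINE: answers recorded earlier from a resolver you
# trust. HOTSPOT: answers from the resolver the wi-fi network handed out.
# Hostnames are made up; public addresses come from documentation ranges.
BASELINE = {
    "www.bank.example": {"198.51.100.10", "198.51.100.11"},
    "mail.campus.example": {"203.0.113.25"},
    "www.shop.example": {"192.0.2.80"},
}
HOTSPOT = {
    "www.bank.example": {"192.168.1.50"},
    "mail.campus.example": {"203.0.113.25"},
    "www.shop.example": {"192.0.2.81"},
}

# Ranges that should never be the answer for a public web site.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(addr):
    """True if addr is a private or loopback IPv4 address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def same_slash24(addr, expected):
    """True if addr shares a /24 with any baseline address (likely same operator)."""
    net = ipaddress.ip_network(addr + "/24", strict=False)
    return any(ipaddress.ip_address(e) in net for e in expected)


def classify(baseline, observed):
    """Return {hostname: verdict} comparing observed answers to the baseline."""
    verdicts = {}
    for host, expected in baseline.items():
        got = observed.get(host, set())
        if not got:
            verdicts[host] = "no answer"
        elif any(is_local(a) for a in got):
            verdicts[host] = "ALERT: local address"
        elif got & expected:
            verdicts[host] = "ok"
        elif all(same_slash24(a, expected) for a in got):
            verdicts[host] = "review: new address in known /24"
        else:
            verdicts[host] = "ALERT: unrelated address"
    return verdicts
```

Large sites rotate addresses, so a "review" verdict is a prompt to look closer rather than proof of tampering.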

If that part doesn't scare you, let me paint a picture that is a little closer to home. First however, I want to absolve myself of any responsibility. If anyone carries out this hypothetical situation, you are just plain stupid. I would never do anything like this nor should anyone else. Our networking staff knows what they're doing; they'll catch you and make you sorry. That being said, using these techniques, anyone with the prerequisite depravity of soul, ill-used technical knowledge, and a wireless router could pop into the library or anywhere else where students expect there to be public wi-fi access and launch their own evil twin attack.

If our malevolent attacker implements his evil correctly, library wi-fi users would not notice a difference. Rockmail would function normally, Rocktalk would do its thing, those lost in the pit of despair that is Facebook would still be lost there and shopping and banking would go on as normal. Then, the vile owner of the evil twin packs up shop and no one is the wiser. Weeks later the credit card numbers he stole are all maxed out, innocent people have credit cards under their name that they don't even know about, bank accounts are hijacked, and the very worst of all: people are getting their Facebook friends messed with. The horror!

So now that the threat hits a little closer to home, there's cause for concern. What can be done to foil the attempts of those who would do harm to unknowing wi-fi users? Well, before you can defend yourself, you need to understand what your wireless devices are doing. Wireless devices can be configured to automatically use the strongest signal, automatically use a specified network, or only to log onto a network that is chosen. When using wi-fi in public, it is probably best to always choose a network. In the case of a home network, which is also vulnerable to such an attack, the configuration to log onto a specified network is probably alright.

Other than this, the only real protection from such an attack is to be meticulous about which wireless networks you log on to in public. If you should happen to see two twin wi-fi networks you'll want to ask someone or be certain that you're logging onto the right network. Also, though it may be stating the obvious, never log onto a network that you just stumble onto. It may not be an evil twin; it could be just plain evil. Be smart about your wireless, people. That's the only real protection from any attack.
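"Asking someone" which twin is the right one amounts to checking the scan against what the network's operator says it runs. The sketch below is an added example, not part of the original column; the scan rows, the inventory format and all network names and hardware addresses (BSSIDs) are constructed assumptions.

```python
from collections import defaultdict

# Constructed scan results (SSID, BSSID, security, signal in dBm); not real networks.
SCAN = [
    ("Library-WiFi", "00:11:22:aa:bb:01", "WPA2", -62),
    ("Library-WiFi", "00:11:22:aa:bb:02", "WPA2", -70),
    ("Library-WiFi", "02:00:00:00:00:01", "OPEN", -38),
    ("CoffeeShop", "00:33:44:cc:dd:01", "OPEN", -55),
    ("CoffeeShop", "00:33:44:cc:dd:02", "OPEN", -60),
]

# Hypothetical inventory kept by the network's operator: which access points
# (BSSIDs) legitimately advertise each SSID, and with what security mode.
INVENTORY = {
    "Library-WiFi": {
        "security": "WPA2",
        "bssids": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    },
}


def strongest_ap(scan, ssid):
    """BSSID a 'join the strongest signal' client would pick for this SSID."""
    candidates = [row for row in scan if row[0] == ssid]
    return max(candidates, key=lambda row: row[3])[1] if candidates else None


def find_suspect_aps(scan, inventory):
    """Map each suspicious BSSID to the reasons it was flagged."""
    suspects = defaultdict(list)
    for ssid, bssid, security, _signal in scan:
        known = inventory.get(ssid)
        if known is None:
            continue  # nothing to compare against: twins look identical
        if bssid.lower() not in known["bssids"]:
            suspects[bssid].append("unknown BSSID for " + ssid)
        if security != known["security"]:
            suspects[bssid].append(
                "advertises %s, expected %s" % (security, known["security"]))
        if suspects.get(bssid) and strongest_ap(scan, ssid) == bssid:
            suspects[bssid].append("strongest signal, auto-join would pick it")
    return dict(suspects)


if __name__ == "__main__":
    for bssid, reasons in find_suspect_aps(SCAN, INVENTORY).items():
        print(bssid, "->", "; ".join(reasons))
```

The two "CoffeeShop" access points are not flagged because there is no inventory to judge them by, which is exactly why twins are hard to tell apart on sight. A BSSID can also be copied, so a clean result narrows the risk rather than removing it.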