Evil Twin

What is an Evil Twin attack?

An Evil Twin attack is a Wi-Fi/wireless attack where an attacker creates a rogue access point with the same SSID (wireless network name) as a legitimate wireless network to coerce user devices into connecting to the malicious access point instead of the legitimate one.

Once connected, an attacker could potentially intercept communications, capture credentials, inject malicious content, perform man-in-the-middle attacks, or redirect users to phishing sites. Evil Twin attacks are particularly effective in public locations (coffee shops, airports, hotels) where users expect to connect to wireless “guest” networks.

Attackers may broadcast at a higher signal strength so that victim devices prefer the rogue access point, often in combination with a deauthentication attack against the genuine access point to force target devices to disconnect and reconnect.

This attack is effective because users often trust a network based on its SSID alone, without verifying how the network authenticates. Many devices automatically connect to remembered SSIDs without user interaction, and users rarely check their Wi-Fi connection to a previously used network unless they have trouble reaching the network or the internet.
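The indicators described above (an unexpected access point advertising a known SSID, an unusually strong signal, or the same SSID offered with a different security mode) can be checked automatically from site-survey results. The following is an added example, not code from the original page: it runs over a constructed allowlist and a constructed set of scan entries (the SSIDs, BSSIDs and signal values are made up) and reports each indicator it finds. The `-45 dBm` "unexpectedly strong" threshold is an assumed value that a real deployment would tune.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    """One row of a wireless site survey (constructed for this example)."""
    ssid: str
    bssid: str
    security: str   # e.g. "OPEN", "WPA2-PSK", "WPA2-EAP"
    signal_dbm: int
    channel: int


# Constructed allowlist of the access points an organisation actually operates,
# keyed by SSID. A real deployment would export this from the WLAN controller.
KNOWN_NETWORKS = {
    "CorpWiFi":   {"security": "WPA2-EAP", "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}},
    "Cafe-Guest": {"security": "OPEN",     "bssids": {"de:ad:be:ef:00:01"}},
}

# Constructed scan results, e.g. what a survey tool would return. The second and
# third CorpWiFi entries model what an Evil Twin looks like from the client side.
SAMPLE_SCAN = [
    ScanEntry("CorpWiFi",      "aa:bb:cc:00:00:01", "WPA2-EAP", -62, 36),
    ScanEntry("CorpWiFi",      "02:11:22:33:44:55", "WPA2-EAP", -35, 6),   # unknown BSSID, very strong
    ScanEntry("CorpWiFi",      "02:11:22:33:44:56", "OPEN",     -40, 6),   # open AP using the corporate SSID
    ScanEntry("Cafe-Guest",    "de:ad:be:ef:00:01", "OPEN",     -70, 1),
    ScanEntry("Printer-Setup", "66:77:88:99:aa:bb", "OPEN",     -80, 11),
]


def find_evil_twin_indicators(scan, known=KNOWN_NETWORKS, strong_dbm=-45):
    """Return (ssid, bssid, reason) tuples for every Evil Twin indicator in a scan.

    Checks performed:
      1. one SSID advertised with more than one security mode in the same scan
      2. a known SSID served by a BSSID that is not on the allowlist
      3. such an unknown BSSID also being unusually strong (attackers overpower the real AP)
      4. a known SSID advertised with a security mode other than the expected one
    """
    findings = []
    by_ssid = {}
    for entry in scan:
        by_ssid.setdefault(entry.ssid, []).append(entry)

    for ssid, entries in by_ssid.items():
        modes = {e.security for e in entries}
        if len(modes) > 1:
            findings.append((ssid, None, f"SSID advertised with mixed security modes {sorted(modes)}"))

        profile = known.get(ssid)
        if profile is None:
            continue  # SSIDs we do not operate are out of scope for the allowlist checks

        for e in entries:
            if e.bssid not in profile["bssids"]:
                findings.append((ssid, e.bssid, "BSSID not in the allowlist for this SSID"))
                if e.signal_dbm >= strong_dbm:
                    findings.append((ssid, e.bssid,
                                     f"unexpectedly strong signal ({e.signal_dbm} dBm) from unknown BSSID"))
            if e.security != profile["security"]:
                findings.append((ssid, e.bssid,
                                 f"security mode {e.security} differs from expected {profile['security']}"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twin_indicators(SAMPLE_SCAN):
        print(f"[{ssid}] {bssid or '-'}: {reason}")
```

On the constructed scan this flags the two unknown CorpWiFi access points (one of them also for advertising the corporate SSID as an open network) and nothing for the guest network, whose only BSSID is on the allowlist. A BSSID allowlist is only as good as its upkeep: when new access points are installed, the export from the controller must be refreshed or every new AP will be reported.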

How to mitigate Evil Twin Attacks?

Protection against Evil Twin attacks requires multiple defensive layers:

  • Users should verify network legitimacy before connecting (confirm network names and security requirements)
  • Utilise VPNs to encrypt traffic on untrusted or even trusted networks (protecting against traffic sniffing or manipulation)
  • Verify website certificates before entering credentials (certificate warnings may indicate MitM attacks)
  • Disable automatic connection to open networks (possibly even remembered networks)

For organisations that deploy 802.1X authentication, Evil Twin attacks can be significantly more impactful when the deployment uses credential-based authentication instead of certificate-based authentication (EAP-TLS). An example of this is an office wireless network that acts as an extension of the physical wired LAN. This is due to how the authentication process can leave the user open to a credential-harvesting attack, in which the attacker acts as the RADIUS server to capture the victim's credentials for later re-use, giving the attacker direct access to the genuine network.
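Whether a client will hand its credentials to a rogue RADIUS server depends on the client's supplicant profile: if the profile does not validate the server certificate, any server that speaks EAP is accepted. The following added example (not code from the original page) audits a constructed wpa_supplicant-style configuration for exactly that. It contains two profiles, a credential-based PEAP profile that never checks the server certificate and a certificate-based EAP-TLS profile that pins the CA and the server name; the SSIDs, identities, passwords and file paths are placeholders. The option names (`key_mgmt`, `eap`, `ca_cert`, `domain_match`, `domain_suffix_match`) are real wpa_supplicant options; the parser is a deliberately minimal one written for this example.

```python
# Constructed wpa_supplicant-style configuration (placeholder names and paths).
SAMPLE_CONFIG = """
# Weak: credential-based, no server certificate validation
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: certificate-based, CA pinned, server name checked
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.invalid"
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    domain_match="radius.example.invalid"
}
"""


def parse_networks(text):
    """Parse network={...} blocks into dicts with surrounding quotes stripped.

    Minimal parser for the example: '#' starts a comment, one key=value per line,
    no nested blocks. Values containing '#' are not supported.
    """
    networks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_eap_network(net):
    """Return the weaknesses that would let a rogue RADIUS server harvest credentials."""
    issues = []
    if net.get("key_mgmt") != "WPA-EAP":
        return issues  # not an 802.1X profile, nothing to audit here
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        issues.append("no ca_cert: the RADIUS server certificate is not validated, "
                      "so a rogue server is accepted")
    elif not any(k in net for k in ("domain_match", "domain_suffix_match")):
        issues.append("ca_cert set but no domain_match/domain_suffix_match: "
                      "any server certificate issued by that CA is accepted")
    if eap in ("PEAP", "TTLS") and "password" in net:
        issues.append(f"{eap} with a stored password is credential-based; "
                      "prefer certificate-based EAP-TLS")
    return issues


def audit_config(text):
    """Map each profile's SSID to its list of issues (empty list means hardened)."""
    return {net.get("ssid", "?"): audit_eap_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, issues in audit_config(SAMPLE_CONFIG).items():
        print(ssid, "->", issues or ["ok"])
```

The same three questions apply to any supplicant, not just wpa_supplicant: is the server certificate checked against a trusted CA, is the server's name checked rather than just the CA, and does the profile carry a reusable password at all. Enterprise clients that answer "no" to the first two are the ones a rogue RADIUS server can harvest from, regardless of how strong the password is.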

Wireless penetration testing often includes Evil Twin testing to identify potential vulnerabilities within the deployment configuration and to assess whether users can be tricked into connecting to rogue access points.