Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt from the Wi-Fi Vulnerabilities Part 1 webinar
CTO Dr. Brett Walkenhorst Elaborates on Authentication Cracking: Rogue AP/Evil Twin.
The video below explains rogue access points and evil twin attacks, and illustrates their impact through a real-world incident in the financial services sector. Dr. Brett Walkenhorst, CTO, clarifies the difference between evil twins and rogue access points, and gives an overview of mitigating techniques: using a VPN, keeping devices updated, following good security practices, HTTPS encryption, mutual authentication, and monitoring Wi-Fi traffic for detection and response.
Rogue access points and evil twins. Now these two terms have often been used synonymously, and there's nothing wrong with that. But I am gonna differentiate them a little bit. In my little diagram on the bottom of this slide, I've got rogue access point at the top. This is the overarching concept that I'm trying to get at with this threat category.
So a rogue access point is any unauthorized access point. The most common one that we often talk about is an evil twin, which is a device that pretends to be an access point of a network that is my target. So you have a client that typically connects to this network; you trust it.
Now I'm gonna come in and say, I'm that network. That's me. I'll help you, and I'll try to get you to connect to me so I can provide services and act as a man in the middle and compromise your device and/or steal credentials or whatever it is.
But the other category that I would break out is maybe not as obviously nefarious and may not even be malicious at all, but it's the idea that there's opportunistic access points that are being set up within your environment. This could be like somebody turns on a hotspot or they plug in an access point that they brought in from somewhere else.
And whatever it is that they're doing, whoever's setting that up is creating a path for the data to flow that bypasses all of your security infrastructure. May or may not be malicious, but it represents a vulnerability. So going back to the evil twin now, there's all kinds of things that we can do there.
We can emulate a hotspot and try to capture devices that would trust that hotspot's SSID. We can implement a captive portal to try to get credentials. We can capture a handshake in order to attack an encrypted network. We can do an EAP relay attack, which is an attack on an enterprise network.
And then there's a family of attacks that seeks to get clients to connect to us that are called KARMA/MANA. So what's the impact? Well, this is kinda big. Right? And we didn't talk much about the opportunistic APs except at the beginning. But, again, the impact of that could be you're diverting all this traffic around your security protocols, and you're likely to get yourself in more trouble because you've got some insecure entry point into your network.
But for an evil twin that's able to capture a client device in a position as a person in the middle, there's lots of things you can do to compromise the device, to compromise credentials, to infiltrate a network, and establish a persistent presence. And then you can also borrow credentials and ultimately potentially crack the credentials for an enterprise Wi-Fi network using the EAP relay attack.
So here's an example of this kind of an attack. I've got a Wi-Fi Pineapple and a laptop, and I mount these devices on a drone. I fly that drone over some target facility, and the Wi-Fi Pineapple, which is a device that's used to instantiate evil twins typically, emulates the corporate network with an evil twin.
Deauth attacks a bunch of clients and kicks them off the network, gets some of those clients to connect to the evil twin. The evil twin serves up a spoof splash page, and all it needs to do is trick one user into giving up their credentials. They get the credentials.
They connect to the corporate network, and they begin to infiltrate, establish persistence, et cetera, et cetera. So here's the crazy part. This actually happened in October of last year to a financial services industry company. This is not hypothetical. And these kinds of evil twin attacks, like I said, they're fairly straightforward to implement, but they are extremely effective and could be hugely impactful in terms of compromising networks and/or clients.
So what can you do? Well, there are several things that you can consider doing. First of all, just good behavior. Don't connect to open networks. If you are gonna connect to open networks, at least use a VPN, and at the very least, make sure you're running everything over HTTPS.
Keep your devices up to date to mitigate the risk of some of those lower-hanging-fruit types of attacks. For mitigating evil twin attacks on enterprise networks, mutual authentication, particularly client-side validation of certificates. If you can do that, now an evil twin that is seeking to capture your client's device as part of the enterprise authentication scheme, it has to provide a certificate.
It won't be able to provide you an authentic one. And so if you ensure client-side validation of those certificates is done, and if there's no way for a user to automatically click through, then you're pretty well securing your network against those kinds of attacks. We talked about PMF for mitigating DoS attacks because that can be a prelude to an evil twin.
This can help mitigate evil twin attacks by preventing them from coercing clients off of their network and connecting to them. And just, you know, pay attention to alerts and pop-ups. Most of the kinds of things that are gonna occur with a low-level evil twin might be things like I'm typically gonna connect to a secure network, and all of a sudden there's an AP offering that same ESSID, but it's open.
The OS is probably gonna alert you to that discrepancy. Don't just click through it. And finally, like the DoS attacks, there's traffic flowing that makes this thing work. There are many different dimensions by which you can identify an evil twin in a certain area. So if you can monitor the Wi-Fi traffic, you can detect those, you can alert on those.
And, again, the great thing about it is if you can package the location of the offending device in the alert, now an operator can go and actually do something about it.
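The detection idea in the last part of the talk (an AP offering a trusted ESSID but open, a BSSID you never deployed, or an opportunistic hotspot that bypasses the security stack) can be expressed as a small triage rule set over scan results. The example below is added here and is not code from the webinar or from Bastille; the record fields, the authorized-AP inventory, the RSSI threshold and the sample scan are all constructed for illustration.

```python
"""Rogue AP / evil-twin triage over Wi-Fi scan results (added example).

Assumed input: a list of observed BSS records as a wireless sensor might
report them. Field names, the authorized-AP inventory and the sample
records are constructed for this example; none of it is Bastille's data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Security levels ordered so that "<" means "weaker than".
SECURITY_RANK = {"OPEN": 0, "WPA2-PSK": 1, "WPA2-EAP": 2, "WPA3-EAP": 3}


@dataclass(frozen=True)
class ObservedAP:
    ssid: str
    bssid: str
    security: str    # one of SECURITY_RANK's keys
    rssi_dbm: int    # signal strength measured at the sensor
    channel: int


# Constructed inventory of authorized APs: SSID -> {BSSID -> expected security}.
AUTHORIZED: Dict[str, Dict[str, str]] = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": "WPA2-EAP",
        "aa:bb:cc:00:00:02": "WPA2-EAP",
    },
    "CorpGuest": {"aa:bb:cc:00:00:03": "WPA2-PSK"},
}

# Assumed threshold: anything this strong at the sensor is treated as on-site.
ONSITE_RSSI_THRESHOLD = -70


def classify(ap: ObservedAP) -> Optional[str]:
    """Return an alert label for a suspicious AP, or None if it is expected."""
    known = AUTHORIZED.get(ap.ssid)
    if known is not None:
        expected = known.get(ap.bssid)
        if expected is None:
            # Our SSID advertised by a BSSID we never deployed: evil twin.
            return "EVIL_TWIN_UNKNOWN_BSSID"
        if SECURITY_RANK[ap.security] < SECURITY_RANK[expected]:
            # Our SSID and BSSID, but weaker security than we configured
            # (e.g. the "same ESSID, but open" case): cloned or downgraded.
            return "EVIL_TWIN_SECURITY_DOWNGRADE"
        return None
    if ap.rssi_dbm >= ONSITE_RSSI_THRESHOLD:
        # Unknown network strong enough to be inside the facility:
        # a hotspot or plugged-in AP that bypasses the security stack.
        return "UNAUTHORIZED_AP_ONSITE"
    return None  # weak, unknown network: most likely a neighbor


def triage(observations: List[ObservedAP]) -> List[dict]:
    """Alerts for one scan, strongest signal first so an operator can go find it."""
    alerts = []
    for ap in observations:
        label = classify(ap)
        if label is not None:
            alerts.append({"label": label, "ssid": ap.ssid, "bssid": ap.bssid,
                           "rssi_dbm": ap.rssi_dbm, "channel": ap.channel})
    return sorted(alerts, key=lambda a: a["rssi_dbm"], reverse=True)


# Constructed sample scan: one legitimate AP, two evil-twin variants,
# one on-site hotspot and one distant neighbor network.
SAMPLE_SCAN = [
    ObservedAP("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2-EAP", -55, 36),
    ObservedAP("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", -48, 6),
    ObservedAP("CorpWiFi", "aa:bb:cc:00:00:02", "OPEN", -50, 11),
    ObservedAP("Staff-Hotspot", "02:11:22:33:44:55", "WPA2-PSK", -60, 1),
    ObservedAP("NeighborNet", "c0:ff:ee:00:00:01", "WPA2-PSK", -88, 44),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_SCAN):
        print(alert)
```

Two limits worth knowing before relying on rules like these: an evil twin that clones both the SSID and an authorized BSSID while advertising the same security type is invisible to this inventory check and needs other dimensions (channel, beacon timing, vendor fingerprint, or the traffic itself), and the on-site threshold is a stand-in for the per-sensor location data the talk describes packaging into the alert.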
Learn how Bastille can help you prepare for today’s ever-growing wireless threat landscape: schedule a demo and we’ll be in touch shortly.