Evil Twin Attack

What is Evil Twin Attack?

An Evil Twin Attack is a type of WiFi-based cyberattack where a malicious actor creates a rogue access point that closely mimics a legitimate wireless network. By using the same SSID (network name) and similar configurations, the attacker tricks users into connecting to the fake network. In many cases, the rogue network is virtually indistinguishable from the genuine one, making it extremely difficult for users to spot the threat.

Once a victim connects to the evil twin network, the attacker can intercept their communications in what is known as a Man-in-the-Middle (MITM) attack. This allows the hacker to capture sensitive information such as login credentials, credit card details, or other private data. In some cases, attackers may even use the connection to commit fraud or launch further cyberattacks, all without the victim or the legitimate network operator realizing what has happened.

How to Create a Hotspot for an Evil Twin Attack

This step is fairly straightforward. In fact, you have probably already done it yourself when you used your phone as a hotspot. In an evil twin attack, however, the rogue access point needs to mimic the legitimate one, which means changing the SSID to match that of the genuine access point. This is a basic step: the attacker simply gives the fake hotspot the same name as the legitimate one, so that when the unsuspecting victim sees it, they do not think anything of it.

A typical Evil Twin Attack example might occur at an airport, hotel, or café. The attacker sets up a rogue network with a stronger signal than the actual one. When users connect, the attacker gains full access to intercept and manipulate traffic.

Sometimes, attackers also spoof the legitimate access point’s BSSID to bypass firewalls and network security.

How is an Evil Twin Attack Carried Out?

An evil twin attack occurs when an attacker creates a fake wireless access point that mimics a legitimate access point. For devices that have not yet connected, the attacker can simply ensure that their signal is stronger than the genuine access point's.

In a case where the device has already connected to the legitimate access point (a scenario often seen when enterprise networks are targeted), the attacker can send deauthentication packets to the victim and the legitimate access point to break their connection. This prompts the user to reconnect, and when they do, they see the evil twin disguised as the legitimate network thanks to SSID spoofing: the malicious access point is configured with the same name (SSID) as the legitimate one, making it difficult for users to distinguish between the two.

[Figure: Victim Connected to Legitimate Access Point]
[Figure: Victim Connected to Rogue Access Point – Evil Twin Attack]
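From the defender's side, the deauthentication burst described above is the most visible part of the attack. The following Python snippet is an added example, written for this edit and not part of the original post or of Sepio's product, showing how a wireless intrusion detection sensor can flag such a burst. It assumes a monitor-mode capture has already been reduced to (timestamp, frame subtype, source, destination) tuples; the 802.11 deauthentication subtype value 12 is the real protocol constant, while the addresses and timings are constructed sample data.

```python
from collections import defaultdict, deque

# 802.11 management-frame subtypes (real protocol constants).
DEAUTH_SUBTYPE = 12
BEACON_SUBTYPE = 8


def detect_deauth_floods(frames, window_s=2.0, threshold=10):
    """Flag any source address that emits more than `threshold` deauthentication
    frames inside a sliding window of `window_s` seconds.

    `frames` is an iterable of (timestamp_s, subtype, source, destination).
    Returns a list of (source, window_start, count) alerts, one per source.
    A genuine AP deauthenticates clients rarely; a burst is what forces a client
    off the real network so that it reconnects to the twin.
    """
    recent = defaultdict(deque)   # source -> timestamps of its recent deauth frames
    alerts = []
    alerted = set()
    for ts, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype != DEAUTH_SUBTYPE:
            continue
        window = recent[src]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        if len(window) > threshold and src not in alerted:
            alerts.append((src, window[0], len(window)))
            alerted.add(src)
    return alerts


# Constructed sample capture: normal beacons, one routine deauth, then a burst.
AP = "aa:bb:cc:dd:ee:01"        # placeholder BSSID of the legitimate AP
CLIENT = "11:22:33:44:55:66"    # placeholder client address
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    (0.0, BEACON_SUBTYPE, AP, BROADCAST),
    (0.1, BEACON_SUBTYPE, AP, BROADCAST),
    (0.5, DEAUTH_SUBTYPE, AP, CLIENT),      # a single, unremarkable deauth
    (0.2, BEACON_SUBTYPE, AP, BROADCAST),
] + [
    # 15 deauth frames in under 0.3 s, carrying the AP's address as source
    (5.0 + i * 0.02, DEAUTH_SUBTYPE, AP, CLIENT) for i in range(15)
]

if __name__ == "__main__":
    for src, start, count in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {src}: {count} frames starting at t={start:.2f}s")
```

The window and threshold are deliberately parameters: a busy enterprise controller will roam clients and send the occasional deauth, so the sensor should be tuned against a baseline of normal traffic before alerts are wired into an automated response such as the NAC integration mentioned later on this page.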

Techniques Used in Evil Twin Attacks

Eavesdropping

An evil twin attack on a public network, such as those found in coffee shops or airports, allows the attacker to act as a man in the middle (MITM). By intercepting the communication between the victim and the legitimate access point, the malicious actor can eavesdrop on and/or alter the traffic between the two entities. This could allow attackers to exploit vulnerabilities and access encrypted passwords, potentially compromising information systems and leading to data breaches.

Phishing

In an evil twin attack on an enterprise network, the attacker aims to bypass authentication by using phishing tactics. As mentioned, the perpetrator will likely have to break the already-established connection between the victim and the legitimate access point, prompting the victim to try to reconnect, this time to the rogue access point (which, to the victim, appears legitimate because of the evil twin). In doing so, the user is directed to a fake captive portal page that requests login details, the same ones required for the legitimate access point.

However, when the victim enters those details, they are sent directly to the attacker. Although the attacker does not know the correct network password in advance, they can tell when the correct password has been entered, because they check it against the network handshake captured during the deauthentication stage of the evil twin attack. Once the victim enters the correct information, the attacker can use these credentials to access and control the target network, stealing valuable sensitive data.

Evil Twin Attacks and Remote Work

Since an evil twin attack can be carried out in public places, the attack surface increases significantly as work-from-home (WFH) and bring your own device (BYOD) trends become more widely adopted among enterprises. However, the most dangerous characteristic of these attacks, which affects both public and enterprise networks, is their covert nature. Besides appearing legitimate to the user thanks to a spoofed SSID, the rogue access point is able to bypass network security solutions, including NAC, by spoofing the legitimate access point's BSSID.

Essentially, neither the victim nor the device can see any evil, and this is especially worrying when an enterprise network is targeted. Once the network login details are obtained, the attacker can gain access to the network. From there, the bad actor can monitor network traffic, steal data, inject malware, and more. These cyberattacks can compromise information security and cause harmful consequences for the enterprise, including data breaches, denial-of-service attacks, and the potential for a ransomware outbreak.

Evil Twin Attack Prevention and Mitigation

The most effective approach to countering Evil Twin Attacks involves both preventive measures and responsive actions to limit damage if an attack occurs.

  • Disable auto-connect on devices to avoid unknowingly joining rogue networks.
  • Use VPNs, especially on public WiFi, to encrypt data and reduce the risk of interception.
  • Educate employees to verify network names before connecting, particularly in high-risk environments like airports or cafes.
  • Continuously monitor network traffic to detect anomalies or unauthorized access points.
  • React swiftly by identifying and shutting down rogue access points, forcing reauthentication, isolating compromised segments, and resetting affected credentials.

Together, these measures not only help prevent Evil Twin Attacks but also mitigate the risks when an attack is underway.
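The monitoring bullet above is where tooling helps most. The following Python example is added here (it is not from the original post and is not Sepio's code) to show how an inventory of authorised access points lets a sensor recognise the two spoofing tricks this article describes: an unknown BSSID advertising a managed SSID, and a known BSSID whose channel or security settings no longer match what was recorded. It also flags the "stronger signal" case from the airport example. The beacon fields, inventory entries and MAC addresses are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon frame, as a scanning sensor would summarise it."""
    ssid: str
    bssid: str
    channel: int
    rssi: int        # received signal strength in dBm at the sensor
    security: str    # e.g. "WPA2-EAP", "WPA2-PSK", "OPEN"


# Constructed inventory of authorised access points (placeholder addresses):
# bssid -> (ssid, channel, security)
AUTHORISED = {
    "aa:bb:cc:dd:ee:01": ("CorpWiFi", 6, "WPA2-EAP"),
    "aa:bb:cc:dd:ee:02": ("CorpWiFi", 11, "WPA2-EAP"),
}


def classify_beacons(beacons, authorised):
    """Compare observed beacons against the authorised inventory.

    Returns {bssid: sorted list of findings}. A BSSID with no findings is either
    an authorised AP behaving as recorded or a neighbour's network that does not
    advertise one of our SSIDs.
    """
    managed_ssids = {ssid for ssid, _, _ in authorised.values()}
    findings = defaultdict(set)
    healthy_rssi = {}   # strongest signal per SSID from an authorised AP with no findings

    for b in beacons:
        if b.bssid in authorised:
            ssid, channel, security = authorised[b.bssid]
            if b.ssid != ssid:
                findings[b.bssid].add("known BSSID advertising unexpected SSID")
            if b.channel != channel:
                findings[b.bssid].add("channel differs from inventory (possible BSSID spoofing)")
            if b.security != security:
                findings[b.bssid].add("security type differs from inventory")
            if b.bssid not in findings:
                healthy_rssi[b.ssid] = max(healthy_rssi.get(b.ssid, b.rssi), b.rssi)
        elif b.ssid in managed_ssids:
            findings[b.bssid].add("unknown BSSID advertising a managed SSID (evil twin)")

    # Second pass: an evil twin that out-powers the real AP is the textbook case.
    for b in beacons:
        if (b.bssid not in authorised and b.ssid in managed_ssids
                and b.ssid in healthy_rssi and b.rssi > healthy_rssi[b.ssid]):
            findings[b.bssid].add("signal stronger than any authorised AP for this SSID")

    return {bssid: sorted(issues) for bssid, issues in findings.items()}


# Constructed scan results.
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "aa:bb:cc:dd:ee:01", 6, -55, "WPA2-EAP"),   # authorised, as recorded
    Beacon("CorpWiFi", "aa:bb:cc:dd:ee:02", 11, -60, "WPA2-EAP"),  # authorised, as recorded
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -40, "OPEN"),       # evil twin: our SSID, unknown BSSID, louder
    Beacon("CorpWiFi", "aa:bb:cc:dd:ee:01", 1, -35, "OPEN"),       # spoofed BSSID: wrong channel and security
    Beacon("CafeGuest", "c0:ff:ee:00:00:01", 1, -70, "OPEN"),      # neighbour, not our SSID
]

if __name__ == "__main__":
    for bssid, issues in classify_beacons(SAMPLE_BEACONS, AUTHORISED).items():
        print(bssid, "->", "; ".join(issues))
```

Two design points matter in practice. First, the signal comparison only trusts beacons from authorised BSSIDs that raised no findings, so a spoofed BSSID cannot inflate the baseline it is being measured against. Second, the inventory is the source of truth: keeping it current is what turns "same SSID" from a dead end for the user into an actionable alert for the security team.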

Strengthen Your Defense Against Evil Twin Attack

Sepio’s Asset Risk Management (ARM) provides a panacea for gaps in device visibility, ensuring you get the most out of your cybersecurity investments.

Sepio identifies all devices operating within the enterprise environment. It also reveals the BSSID of all Access Points, showing which networks those devices are connected to. With its policy enforcement mechanism, Sepio detects suspicious connections instantly. It triggers a mitigation process by integrating with existing Network Access Control products.

See Every Known and Shadow Asset

Speak with an expert today to discover how Sepio’s patented technology can help you take control of your asset risks. It will also protect your organization against Evil Twin Attacks and other hardware-based cyber threats.

May 18th, 2021