Attacks/Breaches

11/14/2018
02:30 PM
Ryan Orsi
Ryan Orsi
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Understanding Evil Twin AP Attacks and How to Prevent Them

The attack surface remains largely unprotected from Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops.

It's been nearly 20 years since IEEE 802.11b was released and the world got the first Wi-Fi-branded products. And yet the Layer 2 attack surface remains largely unprotected from dangerous Wi-Fi threats that can result in stolen credentials and sensitive information as well as backdoor/malware payload drops. Attackers have been exploiting a fundamental issue with Wi-Fi: Laptops, smartphones, and connected devices aren't equipped to distinguish between two radios broadcasting the same SSID name. This allows hackers to use malicious access points (APs) that eavesdrop on traffic, establish "man-in-the-middle" (MitM) positions, and extract sensitive information, often without leaving any traces behind.  

One of the most dangerous Wi-Fi threat categories is undoubtedly "evil twin" APs, an attack technique nearly two decades old. In fact, the US Department of Justice recently charged hackers within the Russian military agency GRU with implementing evil twin AP attacks to steal credentials and "plant espionage-oriented malware" targeting organizations such as anti-doping agencies, nuclear power operations, and chemical testing laboratories.

How did these GRU attacks work? The threat actor used 802.11 radios to broadcast the same SSIDs as offices and hotels in order to trick victims' devices into associating, thereby establishing their MitM position and supplying Internet service through 4G LTE connections to evade network security. Let's take a closer look at evil twin attacks to better understand defense best practices and techniques.

Analyzing Evil Twin AP Attacks
In a normal Wi-Fi connection, a person's client device (image below) associates with a legitimate AP. 

Source: Ryan Orsi, WatchGuard
Source: Ryan Orsi, WatchGuard



When an evil twin AP is present, a threat actor broadcasts the same SSID as the legitimate AP (and often the same BSSID or MAC address of the SSID) to fool the device into connecting (image below).

Source: Ryan Orsi, WatchGuard
Source: Ryan Orsi, WatchGuard

In the case of the GRU evil twin attacks, hackers reportedly used a popular pen-testing tool — the Wi-Fi Pineapple from Hak5 — connected to high-gain antennas, battery packs, and a mobile 4G LTE WAN backhaul connection located in the trunks of their cars or carried within backpacks into buildings. The Wi-Fi Pineapple automates much of the labor required to set up an evil twin attack.

While within range of the target SSID, attackers begin by broadcasting the same SSID. This is straightforward and can even be done on smartphones with data plans that allow mobile Wi-Fi hotspot tethering. Attackers looking to avoid drawing suspicion toward antennas and battery packs typically opt for a popular tool called bettercap, which can run natively on Linux, Mac, Windows, and Android systems.

The bettercap command used to configure a fake SSID to be broadcasted natively from a laptop or other client is "wifi.ap.ssid."

Source: Ryan Orsi, WatchGuard
Source: Ryan Orsi, WatchGuard

 

Additionally, it's important to note that evil twin attackers need to use clients with a radio capable of "monitoring mode."

If the target SSID is a busy open hotspot, victim clients will connect to the evil twin AP within seconds. If the target is a private, PSK-encrypted SSID, then the attacker would need knowledge of the PSK (a service offered online that requires packet capture files of the WPA/WPA2 handshake sequence).

Most Wi-Fi clients and their human operators choose to "auto join" previously saved Wi-Fi networks. If the attacker can't successfully trick the victim into connecting to the evil twin, he can simply break the connection between the victim and any legitimate AP he or she is using by flooding a client and/or associated AP with spoofed de-authentication frames in what's called a de-authentication attack. This means that the target device and AP are informed that their connection has been dropped.

Once a client is connected to the evil twin AP, the attack is over. This entire process is used to allow attackers to establish MitM positions from which they can siphon packets and inject malware or backdoors onto victim devices for remote access. Once in a MitM position, the attacker has complete control over the Wi-Fi session. These cybercriminals can leverage well-known tools to duplicate popular login forms for social sites or email hosting platforms, intercept the credentials in plain text, forward them to the real websites, and log in the user. As the target, you might believe you've simply logged in to your email account as always — but in reality, you have handed your credentials over to an attacker.

Preventing Evil Twin AP Attacks
Businesses offering Wi-Fi to their employees and customers can use wireless intrusion prevention systems (WIPS) to detect the presence of an evil twin AP and prevent any managed corporate clients from connecting to them. (Full disclosure: WatchGuard is one of a number of companies that provide such services.) 

For Wi-Fi users, an evil twin AP is nearly impossible to detect because the SSID appears legitimate and the attackers typically provide Internet service. In most cases, the best way to stay safe on unfamiliar Wi-Fi networks is to always use a VPN to encapsulate the Wi-Fi session in another layer of security.

Unfortunately, much of the innovation in the Wi-Fi space has been limited to elements like radio range, throughput, and connectivity rather than security. Without a greater industrywide emphasis on Wi-Fi security, or set criteria for evaluating Wi-Fi security in general, many networking and security professionals lack the clarity they need to successfully prevent Wi-Fi threats. Education is key, as is a broader conversation about the level of security and protection we expect and demand from Wi-Fi solutions today.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Ryan Orsi is Director of Product Management at WatchGuard Technologies, a global leader in network security providing products and services to more than 80,000 customers worldwide. Ryan leads the Secure Wi-Fi solutions for WatchGuard. He has experience bringing disruptive ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ryanorsi
50%
50%
ryanorsi,
User Rank: Author
11/15/2018 | 9:04:54 PM
Re: Tunnel Through the Evil Twins
Great advice here, particularly the one about not letting your devices auto-connect to previously joined SSIDs.  Take note everyone, clear your saved Wi-Fi network SSID names from your client devices.  I know it can be a pain, but if you want to see the consequences, just do a quick web search for 'Ryan Orsi Pineapple' and you'll get the picture.  Pineapples are great pen-testing tools by the way, helping push the industry in the right direction towards a safer Wi-Fi experience for users.
ddvzlnz
100%
0%
ddvzlnz,
User Rank: Apprentice
11/15/2018 | 9:37:04 AM
Tunnel Through the Evil Twins
Nice article on a subject it seems like people don't think about anymore.

 

I always use a TinyHardwareFirewall when I'm on open networks.  My laptop talks to the THF and it talks to the Acesss Point. The first thing I do is start the VPN and then go about my business.  I expect all of my zeros and ones to be viewable on an open network so I make sure they are all ecrypted.

Also, don't let your devices automaticly connect to any SSID it recognizes.  That is like having your house automaticly open the door whenever someone rings the doorbell.

 

 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-15031
PUBLISHED: 2018-12-18
In all versions of ARM Trusted Firmware up to and including v1.4, not initializing or saving/restoring the PMCR_EL0 register can leak secure world timing information.
CVE-2018-19522
PUBLISHED: 2018-12-18
DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input.
CVE-2018-1833
PUBLISHED: 2018-12-18
IBM Event Streams 2018.3.0 could allow a remote attacker to submit an API request with a fake Host request header. An attacker, who has already gained authorised access via the CLI, could exploit this vulnerability to spoof the request header. IBM X-Force ID: 150507.
CVE-2018-4015
PUBLISHED: 2018-12-18
An exploitable vulnerability exists in the HTTP client functionality of the Webroot BrightCloud SDK. The configuration of the HTTP client does not enforce a secure connection by default, resulting in a failure to validate TLS certificates. An attacker could impersonate a remote BrightCloud server to...
CVE-2018-20201
PUBLISHED: 2018-12-18
There is a stack-based buffer over-read in the jsfNameFromString function of jsflash.c in Espruino 2V00, leading to a denial of service or possibly unspecified other impact via a crafted js file.