Kevin Bauer, Harold Gonzales, and Damon McCoy
Department of Computer Science
University of Colorado
{bauerk, gonzaleh, mccoyd}@colorado.edu
Abstract— Due to the prevalence of insecure open 802.11 access points, it is currently easy for a malicious party to launch a variety of attacks such as eavesdropping and data injection. In this paper, we consider a particular threat called the evil twin attack, which occurs when an adversary clones an open access point and exploits common automatic access point selection techniques to trick a wireless client into associating with the malicious access point. We propose two lines of defense against this attack. First, we present an evil twin detection strategy called context-leashing, based upon recording the nearby access points when first associating with an access point. Using this contextual information, the client determines whether an adversary has set up an evil twin access point at a different location. Next, we propose an SSH-style authentication method called EAP-SWAT to perform one-way access point authentication that fits into the extensible authentication protocol (EAP) framework.
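As an added illustration of the context-leashing idea (example code, not the paper's own implementation), the sketch below records the neighbouring BSSIDs seen at first association and later compares them against a fresh scan before trusting an access point with the same SSID. The Jaccard overlap metric, the 0.5 threshold and the scan results are all constructed assumptions, not values from the paper.

```python
"""Context-leashing check for evil twin detection (added example, not the paper's code)."""
from dataclasses import dataclass

# Constructed sample scan results as (SSID, BSSID) pairs a client might observe.
FIRST_SCAN = [
    ("coffeeshop", "00:11:22:33:44:01"),   # the open AP we first associate with
    ("neighbor-A", "00:11:22:33:44:02"),
    ("neighbor-B", "00:11:22:33:44:03"),
    ("neighbor-C", "00:11:22:33:44:04"),
]
SAME_PLACE_SCAN = [
    ("coffeeshop", "00:11:22:33:44:01"),
    ("neighbor-A", "00:11:22:33:44:02"),
    ("neighbor-C", "00:11:22:33:44:04"),
    ("neighbor-D", "00:11:22:33:44:05"),   # normal churn: one AP gone, one new
]
EVIL_TWIN_SCAN = [
    ("coffeeshop", "aa:bb:cc:dd:ee:ff"),   # same SSID, seen at a different location
    ("stranger-X", "aa:bb:cc:dd:ee:01"),
    ("stranger-Y", "aa:bb:cc:dd:ee:02"),
]


@dataclass(frozen=True)
class ContextLeash:
    ssid: str
    neighbors: frozenset  # BSSIDs of other APs seen near the SSID at first association


def build_leash(ssid: str, scan) -> ContextLeash:
    """Record every nearby BSSID except those advertising the target SSID itself
    (the target's own BSSID is excluded because an evil twin may clone it too)."""
    return ContextLeash(ssid, frozenset(b for s, b in scan if s != ssid))


def leash_similarity(leash: ContextLeash, scan) -> float:
    """Jaccard overlap between the stored context and the current scan (assumed metric)."""
    current = frozenset(b for s, b in scan if s != leash.ssid)
    union = leash.neighbors | current
    return len(leash.neighbors & current) / len(union) if union else 0.0


def is_context_consistent(leash: ContextLeash, scan, threshold: float = 0.5) -> bool:
    """Accept the association only if enough of the original neighbours are still visible."""
    return leash_similarity(leash, scan) >= threshold


if __name__ == "__main__":
    leash = build_leash("coffeeshop", FIRST_SCAN)
    print("same place:", is_context_consistent(leash, SAME_PLACE_SCAN))  # True
    print("evil twin: ", is_context_consistent(leash, EVIL_TWIN_SCAN))   # False
```

A real client would also need to tolerate legitimate environment changes over time, which is why the threshold is a tunable parameter rather than a strict equality check.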
I. INTRODUCTION
According to a recent study, 42% of wireless 802.11 access points (APs) provide no security mechanisms — not even WEP or WPA [1]. Oftentimes, wireless APs are left open for convenience. For example, a coffee shop or bookstore may wish to offer a free wireless service, so there is no need to authenticate its wireless users. However, wireless clients that use these APs are vulnerable to a number of trivial threats such as eavesdropping and injection attacks. An additional and often overlooked vulnerability caused by using open APs is the access point impersonation attack. This is commonly referred to as the evil twin attack and occurs when a client is tricked into associating with a malicious rogue AP with the same identity (or SSID) as a previously-used open