Wi-Fi hot-spot users should be on their guard for malicious wireless access points that steal data.
Researchers at Cranfield University, are claiming "Evil Twin" hot spots, networks set up by hackers to resemble legitimate hot-spots, present the "latest security threat" to Web users.
The hacker's wireless network jams the connection to the legitimate network by sending a stronger signal within close proximity to the wireless client and turns itself into an "Evil Twin".
"Evil twin hot spots present a hidden danger for Web users," explained Dr Phil Nobles, wireless Internet and cybercrime academic. "Because wireless networks are based on radio signals they can be easily detected by unauthorised users tuning into the same frequency."
Once an unknowing user has connected to an evil twin, a hacker can intercept transmitted data. Users are invited to log into the evil twin with bogus login prompts and can be lured into passing sensitive data such as user names and passwords.
"Users can also protect themselves by ensuring that their Wi-Fi device has its security measures activated because in the vast majority of cases base stations taken out of the box direct from the manufacturer are automatically configured in the least secure mode possible," said head of information systems professor Brian Collins.
Cranfield University believes this is a new area of cyber crime where more research is required. However, in October 2002, security company ISS published details of base-station cloning, otherwise known as an evil twin traffic interception. If true, this would mean that the idea is almost two-and-a-half years old.
In its 2002 document, ISS defines the technique as:
"BaseStation Clone (Evil Twin) intercept traffic -- An attacker can trick legitimate wireless clients to connect to the attacker's honeypot network by placing an unauthorised base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker's honeypot servers. With false login prompts, the user unknowingly can give away sensitive data like passwords."
Nobles and Collins are set to give a talk on evil twins tonight at London's Science Museum.
Talkback
Do you not think statements such as there are just spreading fear, uncertainly and doubt? That is, confusion and FUD over how public HotSpots vs. corp. Access Points, vs Secure Web sites work?
Typical HotSpot service users are authenticated on a secure (https) web
page. So that provides reasonable levels of security for passing user credentials through a mutual authentication mechanism.
Conducting financial transactions or anything that is of a sensitive or personal nature is today done via secure web sites or over VPN connections. These deliver end to end security, regardless of the networks involved, be they wired, wireless, or wet string! If there's education to be done here, is it not that users need to know if they're
on a secured connection, or not? To say 'don't use/be careful using a particular type of connection' is just plain missleading, isn't it?
So back to the the "evil twin"... It may look like a HotSpot access point, even with a login page that looks like a HotSpot behind it. This
would be the same as the "evil twin owner" trying to capture bank details by making their web page on an Internet site somewhere look like a Bank's page. This is 'phishing', and not really an issue associated with public wireless HotSpots, other than their connection to the Internet at large.
ONCE authenticated at a HotSpot, and with a connection to the Internet at large, the user is really no more at risk than connecting over any other type of ISP connection. It MUST be considered insecure and hackable. That's why we have secure web sites for banking, a VPN industry etc., for secure transmission of sensitive data for the public and corporates.
Point is, this is an issue of phishing of secure web sites, NOT pretending to be an Access Point.
In a corporate environment it's different - the Access Points themselves are often connected right to the corp. network (no secure login page, no secure web sites or VPNs on the internal network, etc.) so the access points themselves have to secured from these type of attacks, using WPA/802.11i or whatever is the flavour of the day.
VPN and HTTPS might give secure communications but they don't say anything about the security of the original sender and the ultimate receiver itself.
VPN, nor HTTPS, will stop an infected, zombied or otherwise remotely controlled workstation from doing unwanted things.
Having control of the main access point that gives Internet access or other means of communications would give a black hat hacker/cracker many possibilities to do just about anything.
Also, trusting security on VPN alone is equivelant to having an uncontrolled, unmanaged and unchecked workstation connected directly to your internal network. Not something you would want.
The article was hard to understand. Please let us know how to avoid problems and how to detect them. What type, what do they look like, and in plain language.