It's the title of a They Might Be Giants song, and also a meme gone round the world: A number of people sent me links to articles about "evil twins" in the last couple of days. These articles are coining a new term for what has been called "soft APs" (software-based access points), a real problem that's been found in the wild for some time. These evil twins use software that creates a rogue access point which has the same name as a nearby network. AirDefense detected a number of these starting during their ongoing scan of the June 2004 Wi-Fi Planet Conference.
Because most operating systems are promiscuous by default, they will join any network with the same name as one they have joined before. If you're warned about joining network "linksys" the first time, you won't be warned the next. And there's nothing that helps you differentiate between a good "linksys" and a bad "linksys." If you have WEP or WPA encryption enabled, however, you won't be able to join an evil network because the key won't match. Public hotspots are really the biggest place to become a victim. (Glynn Taylor wrote in to note that the demonstration of this attack, Airsnarf, also includes a beta of a detection tool that notes whether an access point's characteristics have changed.)
This is why I highly recommend that all users of public networks employ some level of protection for any passwords that may travel across their networks. If you use SSL email client connections for POP, IMAP, and SMTP or an SSL-enabled Webmail site, just for instance, you're secured because an "evil twin" can't provide false digital certificate information to capture those sessions.
Web designers should always use Secure FTP (SSH over FTP), which is an encrypted form of FTP. If you don't know how Secure FTP works, find an ISP that does.
VPNs are now cheap and plentiful for rent. I recommend HotSpotVPN.com all the time because it's cheap ($8.88 per month and cheaper for longer pre-paid periods) and simple, working with software pre-installed on almost all platforms shipped in the last five years. You can also buy and install a Buffalo secure Wi-Fi gateway on your home or office network that offers full VPN protection for a small office for less than $200.
The 802.1X standard also alleviates this problem. If you log in over 802.1X, you'll be warned if you can't authenticate to a network. There are potential man-in-the-middle attacks, but properly monitoring certificate warnings works there, too. For instance, if I try to connect to my office AP, for which I've already accepted and installed a digital certificate confirming its identity, and an "evil twin" gets in the way, my 802.1X client warns me.
This is one reason, I'm sure, that T-Mobile was so eager to roll out 802.1X on their networks. Their client software has the root authority for their 802.1X service preinstalled for out-of-band trust that allows you to reliably only connect to their networks. Anyone trying to spoof a T-Mobile 802.1X-enabled AP won't get far.
One factor holding back public hotspot 802.1X deployment is that many hotspots use inexpensive access points that lack (or used to lack) the ability to operate discrete VLANs coupled with separate broadcast SSIDs. What this means is that T-Mobile can operate two logical networks--one protected by 802.1X and the other with a gateway page--without having to install two pieces of hardware. That was a missing piece that's now available, and this evil twin problem is practically a call to arms to hotspot operators to take a stand and start an 802.1X migration for their customers' benefit.
All this to say that we're about to see a dramatic acceleration in authentication and encryption that will bypass the utility of evil twins. The biggest factor holding us back? A lack of free legacy 802.1X clients for Windows 98 and Me, as well as flavors of Mac OS X and Linux. You can purchase clients for most older operating systems from companies like Funk and Meetinghouse, but because only Windows XP and Mac OS X 10.3 have built-in 802.1X mean that we have a migration ahead rather than a simple switchover.
Excellent article!
There are a lot of locations that simply install a $30 access point and call it a hotspot. Granted configuring 802.1x would be a challenge for the non-technical person, but hotspotvpn.com is a no-brainer.
I think part of the problem is that wireless snooping or the use of "evil twins" is so non-invasive that people don't take seriously what they can't see or something that's not considered a tangible threat.
Hopefully they will read this article.
Greg