NEWS
Wi-Fi hotspot users should be on their guard for malicious wireless access points that steal data.
Researchers at Cranfield University, are claiming "Evil Twin" hotspots, networks set up by hackers to resemble legitimate hotspots, present the "latest security threat" to Web users.
The hacker's wireless network jams the connection to the legitimate network by sending a stronger signal within close proximity to the wireless client and turns itself into an "Evil Twin".
Dr Phil Nobles, wireless internet and cybercrime academic, explained: "Evil twin hotspots present a hidden danger for web users. Because wireless networks are based on radio signals they can be easily detected by unauthorised users tuning into the same frequency."
Once an unknowing user has connected to an evil twin, a hacker can intercept transmitted data. Users are invited to log into the evil twin with bogus login prompts and can be lured into passing sensitive data such as user names and passwords.
Cranfield's head of information systems, professor Brian Collins, said: "Users can also protect themselves by ensuring that their Wi-Fi device has its security measures activated because in the vast majority of cases base stations taken out of the box direct from the manufacturer are automatically configured in the least secure mode possible."
Cranfield University believes this is a new area of cyber crime where more research is required. However, in October 2002, security company ISS published details of base-station cloning, otherwise known as an evil twin traffic interception. If true, this would mean that the idea is almost two-and-a-half years' old.
In its 2002 document, ISS defines the technique as:
"BaseStation Clone (Evil Twin) intercept traffic - An attacker can trick legitimate wireless clients to connect to the attacker's honeypot network by placing an unauthorized base station with a stronger signal within close proximity of the wireless clients that mimic a legitimate base station. This may cause unaware users to attempt to log into the attacker's honeypot servers. With false login prompts, the user unknowingly can give away sensitive data like passwords."
Comments
There is 1 comment. Join the discussion
1. anonymous
Do you not think statements such as there are just spreading fear, uncertainly and doubt? That is, confusion and FUD over how public HotSpots vs. corp. Access Points, vs Secure Web sites work? Typical HotSpot service users are authenticated on a secure (https) web page. So that provides reasonable levels of security for passing user credentials through a mutual authentication mechanism.
Conducting financial transactions or anything that is of a sensitive or personal nature is today done via secure web sites or over VPN connections. These deliver end to end security, regardless of the networks involved, be they wired, wireless, or wet string! If there's education to be done here, is it not that users need to know if they're
on a secured connection, or not? To say 'don't use/be careful using a particular type of connection' is just plain missleading, isn't it?
So back to the the "evil twin"... It may look like a HotSpot access point, even with a login page that looks like a HotSpot behind it. This
would be the same as the "evil twin owner" trying to capture bank details by making their web page on an Internet site somewhere look like a Bank's page. This is 'phishing', and not really an issue associated with public wireless HotSpots, other than their connection to the Internet at large.
ONCE authenticated at a HotSpot, and with a connection to the Internet at large, the user is really no more at risk than connecting over any other type of ISP connection. It MUST be considered insecure and hackable. That's why we have secure web sites for banking, a VPN industry etc., for secure transmission of sensitive data for the public and corporates.
Point is, this is an issue of phishing of secure web sites, NOT pretending to be an Access Point.
In a corporate environment it's different - the Access Points themselves are often connected right to the corp. network (no secure login page, no secure web sites or VPNs on the internal network, etc.) so the access points themselves have to secured from these type of attacks, using WPA/802.11i or whatever is the flavour of the day.
For the record, there are all sorts of other Wi-Fi attack profiles with other weird and wonderful names - wlan-jack, essid-jack, monkey-jack, & kracker-jack.