As Wi-Fi has become increasingly abundant across private and public spaces, it has also become a favourite hunting ground for attackers. One attack that exploits this is the evil twin attack, which preys on people looking to connect their devices to a nearby Wi-Fi network.
Now that more and more companies are offering their employees the option to work remotely, organizations may find themselves unwittingly exposed to this type of attack. In this article, we’ll break down the evil twin attack and explain how to detect it and how to prevent it from doing damage.
What is an evil twin attack?
An evil twin attack is one in which an attacker stands up a rogue Wi-Fi access point that mimics a legitimate one, using the same network name and often the same hardware address, so that victims connect to the attacker's access point instead of the real one. This is most often done in public settings where people expect to find free Wi-Fi, such as airports, cafes and large public parks, but the attack works anywhere, because the fake network takes only minutes and inexpensive hardware to set up.
How an evil twin attack affects you
If successful, the attacker sits on the path between your device and the internet: every packet you send passes through hardware they control. For any traffic that is not encrypted end to end, that means they can read logins and other sensitive details, and modify what is sent in either direction. Traffic protected by properly validated TLS (HTTPS) is not readable or modifiable in this position; the attacker sees only which hosts you talk to (from DNS lookups and the TLS server name) and how much data flows. The danger is in everything that is still plaintext, and in the moment a victim clicks through a certificate warning to "fix" a connection that suddenly stopped working.
For example, suppose you connect to a fake Wi-Fi, log into your bank over a plain HTTP page or after accepting an unexpected certificate warning, and initiate a transfer. The attacker can see the request, alter the transaction details as it passes through their network, and hand back a receipt that looks legitimate.
Because you don't know you're compromised, you wouldn't necessarily scrutinize the receipt, and the attacker can take off with your funds.
How does an evil twin attack work?
Unfortunately, an evil twin attack is relatively easy to set up and difficult to detect due to the nature of how devices connect to Wi-Fi. Here’s how hackers do it.
Step one: Evil twin Wi-Fi setup
First, a hacker situates themselves in a prime location where people are looking to connect to free Wi-Fi networks.
Using a device like a travel hotspot, a laptop with a second wireless card, or a purpose-built Wi-Fi Pineapple, they set up their own access point. A tool like hostapd-wpe lets them impersonate an enterprise (802.1X/EAP) network: a client that does not validate the RADIUS server's certificate will complete the EAP exchange with the rogue access point, and the captured challenge/response (for PEAP/MSCHAPv2, for instance) can then be cracked offline to recover the user's domain credentials.
To impersonate an existing network, they use the same SSID (the network name) as the real one. A more careful attacker also clones the real access point's BSSID (its MAC address) and matches its channel and security settings, so that nothing in the beacon gives the impostor away.
Devices typically show only the SSID when you pick a network, so without looking at details most users never see (BSSID, channel, security type) it is hard to tell the real access point from the impostor.
Step two: Captive portal setup
The captive portal is the web page or pop-up you see right after joining a Wi-Fi network, usually asking for some details before it lets you reach the internet.
Attackers set up their own captive portal both to make the rogue network look legitimate (copying the venue's branding) and to start harvesting data directly: email addresses, room numbers, loyalty logins, or a fake "sign in with your email/social account" form.
A tool like dnsmasq can serve both DHCP and DNS for the rogue network. Configured to answer every DNS query with the attacker's own IP address, it redirects the victim's first web request to the fake portal, and it can keep resolving chosen hostnames to attacker-controlled servers afterwards.
Step three: Push victims to connect to the evil twin Wi-Fi connection
At this point, unsuspecting victims looking to connect will probably see two networks with the same name, or a single entry behind which two access points compete. Few people think twice about it, especially since many venues already broadcast the same name on both the 2.4 GHz and 5 GHz bands. Which access point a device actually joins is not a coin toss: for networks it already knows, a device auto-connects to whichever access point with that SSID has the strongest signal, and for a manual connection most users pick the entry that shows more bars.
To tip the odds, the attacker physically moves the hotspot or transmitting device closer to the victims, so their network appears first and shows a stronger signal than the real one.
They can also knock clients off the real network. The usual method is a deauthentication flood: forged 802.11 deauthentication frames sent in the real access point's name, which disconnect everyone associated with it and prevent them from re-associating while the flood continues. Networks that require Protected Management Frames (802.11w, mandatory in WPA3) are immune to this particular trick because clients discard unauthenticated deauthentication frames.
At that point, devices that were kicked off the real network reconnect to the strongest access point advertising the familiar name, which is now the evil twin.
Step four: Individual, device & organizational compromise
Once the victim connects, they are shown the fake captive portal, which is the first opportunity for data theft. From then on the attacker can record everything the device sends in the clear: DNS lookups, plain HTTP requests and any form submitted over HTTP, and the hostnames of HTTPS sites visited (though not the encrypted content inside those sessions).
That can yield login details, session cookies and sensitive information from unencrypted sites, and can lead to compromise of the device itself. Depending on the attacker's level of sophistication, they can tamper with unencrypted downloads or push a fake "update" through the portal, installing malware or ransomware that gives them remote access to the device even after it leaves the network.
Existing man-in-the-middle toolkits (written for legitimate testing as well as for abuse) can be leveraged here. They can inject or replace content in pages fetched over plain HTTP (for example, to send the victim to a malicious site), strip HTTPS redirects for sites that do not enforce HSTS, or plant payloads (malicious code, ransomware or other malware) inside files downloaded over an unencrypted connection, without the victim ever noticing.
For organizations this is especially concerning when the victim is using a company device or, more commonly, when a personal device is signed in to company apps, SaaS tools or internal sites whose credentials or session tokens can then be reused to get into the organization.
How to detect an evil twin Wi-Fi connection
By design, evil twin networks are difficult to identify without dedicated wireless monitoring tools. Still, there are a few habits that help you steer clear of suspicious connections.
- Pay attention to Wi-Fi names: not every attacker is careful, and some set up fake networks with misspelled names or odd variations of the venue's name, so treat obvious errors as a warning sign.
- Notice changes in security: a network you know to be password-protected that suddenly appears as open, or that asks for a password your device previously stored, is a red flag. The same goes for a certificate warning when you open the captive portal or your first site.
- Listen to any alerts: if your device warns you that a network is insecure, you're better off not connecting, even if it looks legitimate.
- Ask staff for the exact network name and, if they can give it, the password. An attacker who does not know the real network's password can only offer an open network or one with a password of their own choosing.
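The two signals above that a machine can check for you are the ones an evil twin produces in step one (a second access point advertising a known SSID with a different security type, a different vendor's hardware address, or a software-assigned one) and in step three (a burst of deauthentication frames sent in the real access point's name). The following is an added example, not code from the original article or from any Varonis product. It assumes you already have a scan table and a management-frame log from a monitoring tool such as `iw`, Kismet or a tshark export; both inputs below are constructed by hand for the example, and the thresholds are assumptions to tune for your environment.

```python
"""Flag evil-twin indicators in a Wi-Fi survey and a management-frame log.

Added example (not from the article). Inputs are constructed: SCAN mimics a
summarised scan table, FRAMES a list of 802.11 management frames.
"""
from collections import defaultdict

# Constructed scan results. The real "CafeNet" is WPA2 on both bands, both
# BSSIDs from one vendor OUI. A third BSSID with a different, locally
# administered OUI advertises the same name as an OPEN network and is louder.
#        bssid,                 ssid,          channel, security, rssi
SCAN = [
    ("a4:2b:8c:11:22:33", "CafeNet",       6,  "WPA2", -61),
    ("a4:2b:8c:11:22:34", "CafeNet",      36,  "WPA2", -67),
    ("02:13:37:aa:bb:cc", "CafeNet",       6,  "OPEN", -38),
    ("d8:0d:17:44:55:66", "Airport_Free",  1,  "OPEN", -72),
]

# Constructed management-frame log: (milliseconds, subtype, source BSSID).
# 120 deauth frames 10 ms apart "from" the real CafeNet AP is a flood;
# a single deauth from Airport_Free is normal housekeeping.
FRAMES = [(0, "beacon", "a4:2b:8c:11:22:33")]
FRAMES += [(1000 + 10 * i, "deauth", "a4:2b:8c:11:22:33") for i in range(120)]
FRAMES += [(3500, "beacon", "02:13:37:aa:bb:cc"),
           (4000, "deauth", "d8:0d:17:44:55:66")]


def is_locally_administered(bssid):
    """Bit 1 of the first octet set means a software-assigned MAC (typical
    for hotspots and Pineapple-style devices), not a burned-in vendor OUI."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def find_suspect_ssids(scan):
    """Return {ssid: [reasons]} for SSIDs that look like they have a twin.

    Each indicator alone is only a hint (multi-vendor deployments exist);
    several together on one SSID are a strong signal.
    """
    by_ssid = defaultdict(list)
    for bssid, ssid, chan, sec, rssi in scan:
        by_ssid[ssid].append((bssid, chan, sec, rssi))
    suspects = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({sec for _, _, sec, _ in aps}) > 1:
            reasons.append("same SSID advertised with different security types")
        if len({bssid[:8] for bssid, *_ in aps}) > 1:
            reasons.append("BSSIDs from different vendor OUIs")
        if len(aps) > 1 and any(is_locally_administered(b) for b, *_ in aps):
            reasons.append("locally administered BSSID alongside vendor ones")
        if reasons:
            suspects[ssid] = reasons
    return suspects


def deauth_bursts(frames, window_ms=1000, threshold=20):
    """Return {source: peak_count} for sources whose deauth frames exceed
    `threshold` within any sliding window of `window_ms`. A real AP sends a
    handful of deauths; a flood is dozens per second."""
    per_src = defaultdict(list)
    for ts, subtype, src in frames:
        if subtype == "deauth":
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for ssid, reasons in find_suspect_ssids(SCAN).items():
        print(f"[!] {ssid}: " + "; ".join(reasons))
    for src, peak in deauth_bursts(FRAMES).items():
        print(f"[!] deauth flood from {src}: {peak} frames in one window")
```

On a live system the scan table would be refreshed every few seconds and the deauth counter fed from a monitor-mode capture; the point of the two checks is that they catch the attack at the moment it is set up or launched, before anyone has joined the rogue network.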
How to prevent an evil twin Wi-Fi attack
Prevention is much more effective against this type of attack than just detection. Here are a couple of steps that can help:
- Use a VPN: a VPN tunnels all of your traffic, encrypted, to a server you trust, so even on an evil twin the attacker sees only an encrypted stream to that server. Two caveats: the tunnel cannot come up until you have passed the captive portal, so treat everything you type into the portal as visible to whoever runs the network, and enable the client's "block traffic until connected" (kill switch) option so that no requests leak before the tunnel is established or after it drops.
- Only browse HTTPS sites: HTTPS encrypts the connection so an on-path attacker cannot read or alter it. If your browser tells you that a site you've visited is not using HTTPS, or shows a certificate warning, leave the site rather than clicking through; on an unknown network a certificate warning is exactly what an interception attempt looks like.
The easiest way to enforce this is the HTTPS-only setting that modern browsers ship with (HTTPS-Only Mode in Firefox, "Always use secure connections" in Chrome), which refuses to load plain HTTP pages without an explicit exception. The HTTPS Everywhere extension that used to fill this role has been retired by the EFF in favour of these built-in modes.
- Disable auto-connect and forget public networks: devices that auto-connect do so by SSID (and, for open networks, nothing more), so they cannot tell a legitimate network from an evil twin carrying the same name. Forgetting an open network after you leave a venue stops your device from joining an impostor that advertises the same name elsewhere.
- Stay away from public Wi-Fi: if possible, use a personal hotspot or a network you are sure is not compromised.
- Limit your online activities: if you can't be sure the network is clean, avoid visiting sites or taking actions that would expose you if observed. Don't log in to accounts and don't visit sites that hold sensitive information.
Organizations have stronger options than user vigilance. A wireless intrusion prevention system (WIPS) continuously scans for access points that advertise the company's SSIDs but are not part of the managed infrastructure, and can alert on or actively contain them. Enterprise networks should require Protected Management Frames (802.11w, which WPA3 makes mandatory) so that deauthentication floods fail, and, above all, client profiles for 802.1X networks must be configured to validate the RADIUS server's certificate and to pin the server name; a client that skips that validation will hand its credentials to any hostapd-wpe access point that asks.
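The client-side setting that decides whether hostapd-wpe gets your users' credentials is whether the supplicant validates the RADIUS server. The following added example, not code from the article or from any Varonis product, audits wpa_supplicant profiles for exactly that. It assumes wpa_supplicant.conf syntax (`network={ key=value ... }` blocks) and uses a constructed configuration containing one weak and one hardened profile for the same (hypothetical) "CorpWiFi" network; the severity labels are the author's own choice.

```python
"""Audit wpa_supplicant enterprise profiles for evil-twin exposure.

Added example (not from the article). SAMPLE_CONF is a constructed
wpa_supplicant.conf with a weak profile followed by a hardened one.
"""
import re

SAMPLE_CONF = """
# Weak profile: no CA, no server-name pinning, no PMF. hostapd-wpe would
# receive the PEAP/MSCHAPv2 challenge/response and crack it offline.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

# Hardened profile: trust only the corporate CA, accept only the real
# RADIUS server's name, and require Protected Management Frames.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    ieee80211w=2
}
"""

# Any of these pins the expected server identity inside the certificate.
ANCHOR_KEYS = ("domain_match", "domain_suffix_match",
               "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one dict per network={...} block, values with quotes removed.
    Simplification: '#' starts a comment, so values containing '#' need
    proper quoting in a real parser."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        net = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return a list of findings for one profile (empty if it looks safe)."""
    findings = []
    if "EAP" not in net.get("key_mgmt", "") and "eap" not in net:
        return findings  # PSK/open networks: hostapd-wpe does not apply
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("CRITICAL: no ca_cert/ca_path, so any RADIUS server "
                        "(including an evil twin) is trusted")
        if "MSCHAPV2" in net.get("phase2", "").upper():
            findings.append("CRITICAL: MSCHAPv2 challenge/response would be "
                            "sent to a rogue server and cracked offline")
    if not any(key in net for key in ANCHOR_KEYS):
        findings.append("HIGH: server name not pinned (domain_match etc.), "
                        "so any certificate from the trusted CA is accepted")
    if net.get("ieee80211w") != "2":
        findings.append("MEDIUM: ieee80211w!=2, deauthentication frames are "
                        "unauthenticated, so clients can be kicked off")
    return findings


def audit(conf):
    """Return [(ssid, findings), ...] for every profile in the config."""
    return [(net.get("ssid", "?"), audit_network(net))
            for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        print(f"{ssid}: {'OK' if not findings else ''}")
        for f in findings:
            print("  " + f)
```

The same checks translate directly to other platforms: on Windows the equivalent is the "Validate server certificate" option plus the trusted root and "Connect to these servers" list in the PEAP profile, and on mobile MDM profiles it is the CA and server-name fields of the Wi-Fi payload. A profile that passes this audit will refuse the rogue RADIUS server before any password material is sent.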
Cybersecurity solutions can prevent further organizational damage
Evil twin attacks are dangerous to organizations precisely because they reach the network through unsuspecting employees. Make sure your employees know the risks so they can avoid the common missteps: joining unfamiliar networks, typing credentials into captive portals, and clicking through certificate warnings.
Organizations that use network-monitoring and detection tools, and that segment their networks, can either spot an attacker who has gained a foothold via an evil twin attack or keep them away from critical assets altogether.
Varonis’ Edge can help shore up your data and protect your organization against a surprise evil twin attack.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers information security, tech and finance, consumer privacy, and B2B digital marketing. You can see his writing portfolio on https://josueledesma.com/Writing-Portfolio