News broke this week highlighting the use of a nearly two-decade old Wi-Fi hacking technique called an Evil Twin attack. Despite being a known attack vector, Evil Twin attacks remain difficult to prevent without the proper protections in place. In the following article, we’ll detail how Russian hackers used this technique to infiltrate Wi-Fi networks, and how to defend against attacks like this.
Wi-Fi Spies Caught
The US Department of Justice charged hackers within the Russian military agency, GRU, with implementing Evil Twin access point (AP) attacks to pull sensitive data right out of the air. From the details provided so far, the Russian GRU members would park a car nearby target buildings from organizations including anti-doping agencies in Colorado, Brazil, Canada, Monaco, and Switzerland, the Westinghouse Electric Company’s nuclear power operations, the Spiez chemical testing laboratory in Switzerland, and the Organization for the Prohibition of Chemical Weapons in the Netherlands to perform their Evil Twin attacks. Inside the car was:
- Batteries to power their gear
- A Wi-Fi Pineapple to become the Evil Twin AP, broadcasting the same or similar SSID as inside the target building
- A high gain directional Wi-Fi antenna to boost the signal all the way into the building
- A 4G modem to provide internet access to the Wi-Fi pineapple and all victims connected to it
- A small computer with storage to collect information stolen from victims
Anatomy of the Evil Twin AP Attack
The Evil Twin AP attack takes advantage of a fundamental problem in Wi-Fi security that has existed since the very beginning of Wi-Fi. Devices connecting to a Wi-Fi network — like laptops, tablets, and smart phones — have no way to distinguish between two APs broadcasting the same SSID name. This enables hackers to set up malicious APs that can eavesdrop on the traffic and extract sensitive information.
Attackers initiate the attack by boosting their signal strength using Wi-Fi power amplifiers and high gain antennas, and then send deauthentication frames to momentarily disconnect the target client from the legitimate AP. The client device immediately attempts to re-connect to the same SSID to preserve a seamless connection experience for the end-users. Because the Evil Twin AP is broadcasting the same SSID, but with a higher signal strength, the client auto-connects to it and re-establishes internet access. Now, the attacker can intercept the all the traffic flowing through the device. Also, malicious payloads like malware, botnets, and backdoors can also be loaded onto the victims devices while connected to the Evil Twin AP.
Fig. 1 – What a normal Wi-Fi connection looks like with a person’s Wi-Fi client connected to a legitimate AP and accessing the internet.
Fig. 2 – Evil Twin attack: a malicious AP broadcasts the same SSID name (and sometimes even spoofs the MAC address of the legitimate AP).
Fig 3. – Actual photos from one of the GRU member’s rental cars (source: Wired)
Fig 4. – Actual photos from one of the GRU member’s rental cars (Source: BBC)
Can Evil Twin AP Attacks Be Stopped?
If you find it shocking that a nearly 20 year old Wi-Fi attack is still this effective, you should be! The hard truth is that the Wi-Fi vendor community has found solving these layer 2 Wi-Fi security issues difficult and has since focused on optimizing things such as throughput, range, and client density. All very important to making Wi-Fi the successful service we are all used to today at work, home, and on the road, but the security has been left in the dust for far too long. The good news is there are companies like WatchGuard that are focused on solving this problem with their secure cloud-managed Wi-Fi access points running patented Wireless Intrusion Prevention System (WIPS) software on them to automatically detect and prevent Evil Twin AP attacks.
What other Wi-Fi security risks are there and will these affect me?
As Wi-Fi security is a difficult technology area, and security-related messaging coming from many vendors creates more confusion than clarity. To remedy this industry challenge, WatchGuard has introduced the Trusted Wireless Environment Framework. This is a technology agnostic framework for building a complete Wi-Fi solution that is fast, easy to manage, and most importantly, detects and prevents attacks coming from the six known Wi-Fi threat categories:
- Rogue APs– bypass perimeter security
- Evil Twin APs– Lure users to connect to it so as to spy on traffic, steal data, and infect systems
- Neighbor APs– Risks infection from connecting to other SSIDs while in range of the Authorized APs
- Rogue Clients– Delivers malware payloads to the network after connecting to malicous APs
- Ad-Hoc Networks– Uses peer-to-peer connections to evade security controls and risk exposure to malware
- Misconfigured APs– Opens network to attack as a result of configuration errors
Previously, there was no industry-standard method for testing the security efficacy of Wi-Fi APs, but independent IT and security testing company, Miercom, recently performed the industry’s first Wi-Fi security testing against popular AP vendors: Cisco Meraki, Aruba, Ruckus, and WatchGuard. Download the report here and ask your security colleagues or service providers to make sure that your Wi-Fi network meets the security standards defined by the Trusted Wireless Environment Framework.
An ‘Evil’ Crystal Ball?
As I couldn’t end this article without mentioning that WatchGuard filmed a plain language cinema style educational video involving an Evil Twin AP attack from a car in a parking garage. Watch the video here and see for yourself the shocking similarities to the GRU members’ Evil Twin attack.