Secplicity - Security Simplified

Powered by WatchGuard Technologies

Russian Wi-Fi Hacking – Evil Twin attacks EXPLAINED

October 7, 2018 By Ryan Orsi

News broke this week highlighting the use of a nearly two-decade old Wi-Fi hacking technique called an Evil Twin attack. Despite being a known attack vector, Evil Twin attacks remain difficult to prevent without the proper protections in place. In the following article, we’ll detail how Russian hackers used this technique to infiltrate Wi-Fi networks, and how to defend against attacks like this.

Wi-Fi Spies Caught

The US Department of Justice charged hackers within the Russian military intelligence agency, the GRU, with carrying out Evil Twin access point (AP) attacks to pull sensitive data right out of the air. From the details provided so far, the GRU members would park a car near the target buildings of organizations including anti-doping agencies in Colorado, Brazil, Canada, Monaco, and Switzerland, the Westinghouse Electric Company’s nuclear power operations, the Spiez chemical testing laboratory in Switzerland, and the Organization for the Prohibition of Chemical Weapons in the Netherlands to perform their Evil Twin attacks. Inside the car was:

  • Batteries to power their gear
  • A Wi-Fi Pineapple to become the Evil Twin AP, broadcasting the same or similar SSID as inside the target building
  • A high gain directional Wi-Fi antenna to boost the signal all the way into the building
  • A 4G modem to provide internet access to the Wi-Fi pineapple and all victims connected to it
  • A small computer with storage to collect information stolen from victims

Anatomy of the Evil Twin AP Attack

The Evil Twin AP attack takes advantage of a fundamental problem in Wi-Fi security that has existed since the very beginning of Wi-Fi. Devices connecting to a Wi-Fi network — like laptops, tablets, and smart phones — have no way to distinguish between two APs broadcasting the same SSID name. This enables hackers to set up malicious APs that can eavesdrop on the traffic and extract sensitive information.

Attackers initiate the attack by boosting their signal strength using Wi-Fi power amplifiers and high gain antennas, and then send deauthentication frames to momentarily disconnect the target client from the legitimate AP. The client device immediately attempts to re-connect to the same SSID to preserve a seamless connection experience for the end user. Because the Evil Twin AP is broadcasting the same SSID, but with a higher signal strength, the client auto-connects to it and re-establishes internet access. Now the attacker can intercept all the traffic flowing through the device. Malicious payloads like malware, botnets, and backdoors can also be loaded onto the victims’ devices while they are connected to the Evil Twin AP.
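The two observable steps above (a second BSSID advertising the protected SSID, and a burst of deauthentication frames) are what a wireless intrusion detector keys on. The following Python is an added example written for this article, not WatchGuard’s WIPS code; it assumes a hypothetical sensor that hands it decoded beacon and deauth frames, and the AP inventory and capture are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory of authorized APs: SSID -> set of legitimate BSSIDs.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:55"}}


@dataclass(frozen=True)
class Frame:
    kind: str      # "beacon" or "deauth"
    ssid: str      # SSID carried in the beacon ("" for deauth frames)
    bssid: str     # transmitter MAC address (BSSID)
    channel: int   # channel the sensor heard the frame on


def evil_twin_candidates(frames, authorized=AUTHORIZED):
    """Flag beacons advertising an authorized SSID from a BSSID not in the
    inventory (classic Evil Twin), and authorized BSSIDs heard on more than
    one channel at once (a twin that also spoofs the legitimate AP's MAC)."""
    findings = {}       # (ssid, bssid) -> reason; each pair reported once
    channels_seen = {}  # (ssid, bssid) -> channels the authorized BSSID used
    for f in frames:
        if f.kind != "beacon" or f.ssid not in authorized:
            continue
        if f.bssid not in authorized[f.ssid]:
            findings[(f.ssid, f.bssid)] = "unknown BSSID advertising authorized SSID"
        else:
            channels_seen.setdefault((f.ssid, f.bssid), set()).add(f.channel)
    for key, chans in channels_seen.items():
        if len(chans) > 1:
            findings[key] = f"authorized BSSID seen on channels {sorted(chans)}"
    return [(s, b, r) for (s, b), r in findings.items()]


def deauth_bursts(frames, threshold=10):
    """Count deauth frames per claimed source BSSID; a burst is the forced
    disconnect step that precedes the client re-associating with the twin."""
    counts = Counter(f.bssid for f in frames if f.kind == "deauth")
    return {b: n for b, n in counts.items() if n >= threshold}


# Constructed capture: real AP on channel 6, a twin with its own MAC on
# channel 11, a MAC-spoofing twin on channel 1, and 12 deauths "from" the real AP.
SAMPLE = (
    [Frame("beacon", "CorpWiFi", "00:11:22:33:44:55", 6)] * 3
    + [Frame("beacon", "CorpWiFi", "AA:BB:CC:DD:EE:FF", 11)] * 3
    + [Frame("beacon", "CorpWiFi", "00:11:22:33:44:55", 1)] * 2
    + [Frame("deauth", "", "00:11:22:33:44:55", 6)] * 12
)

if __name__ == "__main__":
    print(evil_twin_candidates(SAMPLE))
    print(deauth_bursts(SAMPLE))
```

A deployed sensor would feed this from live monitor-mode captures and tune the deauth threshold to the site’s normal roaming rate.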

Fig. 1 – What a normal Wi-Fi connection looks like with a person’s Wi-Fi client connected to a legitimate AP and accessing the internet.

Fig. 2 – Evil Twin attack: a malicious AP broadcasts the same SSID name (and sometimes even spoofs the MAC address of the legitimate AP).


Fig 3. – Actual photos from one of the GRU member’s rental cars (source: Wired)


Fig 4. – Actual photos from one of the GRU member’s rental cars (Source: BBC)

Can Evil Twin AP Attacks Be Stopped?

If you find it shocking that a nearly 20-year-old Wi-Fi attack is still this effective, you should! The hard truth is that the Wi-Fi vendor community has found solving these layer 2 Wi-Fi security issues difficult and has instead focused on optimizing things such as throughput, range, and client density. All of these are very important to making Wi-Fi the successful service we are all used to today at work, at home, and on the road, but security has been left in the dust for far too long. The good news is that there are companies like WatchGuard that are focused on solving this problem with secure cloud-managed Wi-Fi access points running patented Wireless Intrusion Prevention System (WIPS) software to automatically detect and prevent Evil Twin AP attacks.

What other Wi-Fi security risks are there and will these affect me?

Wi-Fi security is a difficult technology area, and security-related messaging coming from many vendors creates more confusion than clarity. To remedy this industry challenge, WatchGuard has introduced the Trusted Wireless Environment Framework. This is a technology-agnostic framework for building a complete Wi-Fi solution that is fast, easy to manage, and most importantly, detects and prevents attacks coming from the six known Wi-Fi threat categories:

  1. Rogue APs – bypass perimeter security
  2. Evil Twin APs – lure users to connect so the attacker can spy on traffic, steal data, and infect systems
  3. Neighbor APs – risk infection from connecting to other SSIDs while in range of the authorized APs
  4. Rogue Clients – deliver malware payloads to the network after connecting to malicious APs
  5. Ad-Hoc Networks – use peer-to-peer connections to evade security controls and risk exposure to malware
  6. Misconfigured APs – open the network to attack as a result of configuration errors

Previously, there was no industry-standard method for testing the security efficacy of Wi-Fi APs, but the independent IT and security testing company Miercom recently performed the industry’s first Wi-Fi security testing against popular AP vendors: Cisco Meraki, Aruba, Ruckus, and WatchGuard. Download the report here and ask your security colleagues or service providers to make sure that your Wi-Fi network meets the security standards defined by the Trusted Wireless Environment Framework.

An ‘Evil’ Crystal Ball?

I couldn’t end this article without mentioning that WatchGuard filmed a plain-language, cinema-style educational video involving an Evil Twin AP attack from a car in a parking garage. Watch the video here and see for yourself the shocking similarities to the GRU members’ Evil Twin attack.

Filed Under: Editorial Articles Tagged With: evil twin, evil twin ap, Hacking, pineapple, pineapple nano, Russia wi-fi, russia wi-fi hack, russia wifi, Wi-Fi, wi-fi hacking, WiFi
