Wireless security experts have been bemused in the last few days by a storm of publicity about a new wireless attack: the so-called "Evil Twin" exploit. They puzzle is, why the sudden fuss? The attack is not new; it has been well-known for some time, and there are well-known defences.
Evil twin fever extended to news bulletins in the BBC's Today programme (see the BBC news site) on 20 January. Wireless security companies duly hailed it. "The evil twin menace means that users can no longer assume that if they enter a wireless hot spot that they are connecting to a bona fide wireless internet connection," warned Aruba's David Callisch, never one to miss a good security scare.
Others were more measured: "I believe this is a long-standing set of attacks and exploits, simply wrapped in a new label," said Rich Mironov, vice president of marketing at wireless IDS vendor AirMagnet.
The source seems to have been publicity for a lecture at London's Science Museum, given by Phil Nobles of the University of Cranfield. The man who set the meme off was Ardi Kolah, director of communications at Cranfield: he admits the exploit was known and the term was in circulation before Noble's lecture, but is quietly pleased: "The story's gone as far as New Zealand and India," he said. "I'm entering it for an award."
What is it?
The attack has also been called the "soft AP" attack in the past, and is based on a hacker creating a wireless network with the same name as a nearby wireless network. They have been detected at wireless trade shows and other places.
Once a user is logged onto the Evil Twin network, the hacker can use "man in the middle" attacks to gather passwords when the user connects to commerce sites, or even set up whole duplicates of public web sites.
The attack works because operating systems are "promiscuous": they remember the names of networks they have joined and join them again.
How to avoid it
In fact, it is quite easy to stay clear of evil twins, and the security applications we routinely apply already should keep us clear of them. The latest scare simply a reminder to actually perform the security checks we should be doing anyway.
Firstly, use encryption. Encrypting the wireless part of the connection is always a good idea, using the WEP or WPA standards. "If you have WEP or WPA encryption enabled, , you won’t be able to join an evil network because the key won’t match," says Glenn Fleishman of W-Fi Networking News
However, even without WEP and WPA, routine security methods applied by websites and mail servers should be adequate. They are, after all, designed to secure traffic over an insecure medium - the Internet - and apply equally to an insecure wired connection.
Commerce websites and email sites should allow the option of encryption: "If you use SSL email client connections for POP, IMAP, and SMTP or an SSL-enabled Webmail site, just for instance, you’re secured because an “evil twin” can’t provide false digital certificate information to capture those sessions," says Fleishman.
Linking to corporate email and applications should always be done over VPNs anyway - all IT departments should be able to provide this for mobile workers.
Beyond this, authentication will be a boon. Intended to allow networks to prove users are who they say they are, they are also useful to prove networks are authentic: "If you log in over 802.1X, you’ll be warned if you can’t authenticate to a network," says Fleishman. Your laptop will have a digital certificate installed to confirm the identity of any network it attaches to using 802.1x
802.1x is still not widely implemented, but it is available on most enterprise WLAN systems, and is being added to some public hotspot services, although in most cases this will mean upgrading the hardware at the hotspot, since they have been put up with cheap access points, and any upgrade will take some justification given the low revenues at most public hotspots.
Because not everyone has 802.1x in their client software, a hotspot can only put in 802.1x if it can support two wireless networks - one for those who can't do 802.1x (follow this link for more on multiple SSIDs).
However, T-Mobile is rolling out 802.1x to its US hotspots, and including 802.1x in the software it provides for users (it is also built into Windows XP).
"This evil twin problem is practically a call to arms to hotspot operators to take a stand and start an 802.1X migration for their customers’ benefit," comments Fleishman.