Evil Twin Attacks

Evil twin attacks are wireless network attacks where a malicious actor creates rogue WiFi access points that imitates legitimate access points.

Evil twin attacks are a type of wireless network attack where a malicious actor creates a rogue WiFi access point that imitates a legitimate access point. This rogue network connection is called the “evil sister” because it looks trustworthy and honest but is set up to intercept and manipulate communication.

2023 Global Mobile Threat Report

How an Evil Twin Attack Works 

  • Creation of Rogue Access Point: The attacker creates a wireless network with a name similar to or identical to a legitimate one. Users are likely to connect. If a WiFi network is called “CoffeeShopWiFi” in a public place, the attacker could create a rogue access point with the same name.
  • Signal Strength: An attacker will ensure that the rogue AP has a signal strength equal to or greater than the legitimate network. A stronger signal increases the likelihood of devices in the area automatically connecting to the rogue AP.
  • User Connection: Users in the vicinity could unknowingly connect to the evil network, thinking it is legitimate. Once connected, an attacker can intercept data sent between the user and the internet.
  • Man-in-the-Middle Attacks: By controlling the connection, the attacker can launch various attacks, including man-in-the-middle. These attacks allow them to intercept sensitive data such as usernames, passwords, or other data sent between the user and the internet.
  • Traffic Manipulation: The attacker may also manipulate traffic by redirecting users to malicious sites or injecting malicious content onto legitimate websites.
  • Social Engineering: Social engineering is used to trick users into connecting with the rogue access points. Users are often enticed by a familiar network name or the appearance of an open, free WiFi connection.

Users must be careful when connecting to WiFi networks, particularly in public places, to protect themselves from evil twin attacks. Virtual Private Networks (VPN), ensuring legitimacy, and avoiding open or unsecured WiFi networks can all help reduce the risk of being a victim of such attacks.

Rogue Access Points and Evil Twin Attacks

In network security, rogue access points and evil twin attacks are related concepts. However, they refer to different aspects of unauthorized and potentially harmful network activities.

  • Rogue Access Point (AP): A rogue AP is any WiFi network access point installed on a network but not authorized by the administrator. Visitors, employees, or attackers can install it to extend network coverage or provide unauthorized entry. For example, unintentional rogue access points are possible when employees install personal WiFi routers without IT approval.
  • Evil Twin Attack: The attacker uses a malicious WiFi network to mimic a legitimate one. In this case, the rogue access points are designed to trick users into connecting by imitating trusted networks. It is called an “evil twin” as it appears to be a malicious copy of a legitimate network.

Key Differences:

  • Intent: Rogue access points are a broad term that includes any unauthorized access point. An evil twin attack is an access point set up to deceive the users.
  • Deception: Rogue Access Points, in general, can or cannot involve deception. They can be installed without the users being aware. The evil twin attack is a deception involving creating a fake network to trick users into connecting.
  • Security Threat: While any rogue network access point could pose a potential security threat, evil-twin attacks are particularly concerning, as they are designed to intercept, manipulate, and disrupt the communication between users and the network. Intercepted communications can lead to security risks, such as eavesdropping or man-in-the-middle attacks.

A rogue WiFi access is an unauthorized access point. On the other hand, an evil twin attack is a specific kind of rogue WiFi that creates a deceptive copy of a legitimate network to manipulate and exploit user communications. Evil twin attacks are subsets of rogue access point scenarios focusing on malicious deception.

Spotting an Evil Twin Attack

Detecting an evil twin attack can be challenging, as attackers often design rogue access points to resemble legitimate networks closely. There are some signs and techniques that can help you to identify or reduce your risk of being a victim of an evil twin attack.

  • Check WiFi Network Names (SSIDs): Know the names of legitimate WiFi Networks in your usual places. If you see multiple networks with the same or similar names, this could indicate a malicious twin.
  • Verify Signal Strength: Check out the signal strength for known networks in your area. If you notice a network with a stronger signal, it could be an evil twin trying hard to attract connections.
  • Use WPA3 Encryption: Connect to networks using the latest encryption standards, such as WPA3.
  • Avoid Open Networks: Avoid connecting to WiFi networks in public places. Open networks are more accessible for hackers to target.
  • Enable Network Auto-Connect with Caution: Disable automatic connections to networks with weak security or open networks. Select trusted and known networks manually to connect to.
  • Use a VPN: Use a Virtual Private Network to encrypt all your internet traffic, even if connected to a secure network. A VPN can protect your data from being intercepted.
  • Check for HTTPS: When browsing the web, look for “https://” in the URL. Legitimate websites use HTTPS encryption to protect sensitive data during transmission.
  • Monitor Device Behavior: Regularly check your device’s list for known networks and remove any suspicious ones. Be careful if your device automatically joins a network you have yet to use previously.
  • Be Cautious in Public Places: Use caution when connecting to WiFi networks in public places, especially in crowded areas such as airports, shopping malls, and cafes.
  • Educate Yourself and Others: Stay informed on the latest cyber threats. Inform your family, friends, and co-workers about the dangers of connecting to untrusted or unsecured networks.

Remember that the effectiveness depends on the users’ vigilance. Adopting security best practices and being aware of potential threats can reduce the risk of becoming a victim of an evil twin attack.

What To Do if You are a Victim of an Evil Twin Attack

If you suspect an evil twin attack or have been a victim, it is crucial to act immediately to minimize potential damage and secure information. Here are some steps you can follow:

  • Disconnect from the Network: Immediately disconnect from the suspicious WiFi network. Disable WiFi to ensure that you are not connected to the rogue network.
  • Change Passwords: Change the passwords of any accounts you accessed when connected to a suspicious network. Password changes should include email, social networking, banking, and other sensitive accounts.
  • Enable Two Factor Authentication (2FA): If you haven’t done so already, enable it on your accounts. 2FA adds a layer of security to your account by requiring you to verify with a second method.
  • Run Security Scans: Use your computer’s security software to check for malware and other security threats thoroughly. Update your anti-malware and antivirus definitions.
  • Monitor Account Activity: Regularly check your account activity for unusual or unauthorized transactions or access.
  • Contact Financial Institutions: If you have conducted any financial transactions while connected to a suspicious network, please contact your financial institution to report the incident. They will also monitor your account for any fraudulent activity.
  • Reset Network Settings: Reset network settings on your device to remove any saved credentials and configurations related to rogue networks.
  • Check for Device Compromise: Be alert for signs of compromise, such as unusual behaviors, unauthorized access, or unexpected software installation. If you need clarification, contact a professional.
  • Report the Incident: If connected to the corporate network, report the incident to your IT department. They can take the appropriate measures to investigate and resolve the issue.
  • Educate Others: If the incident happened in a public area, inform the authorities and educate other people about the risks of connecting to unsecured networks.
  • Consider Using a VPN: In the future, consider using a Virtual Private Network, or VPN, to encrypt all your internet traffic and add a layer of security.
  • Update Firmware and Software: Ensure your device’s operating system, applications, and firmware are up-to-date with the latest security patches.

If you suspect your personal information has been compromised, monitor your credit report and consider placing a credit freeze or fraud alert with the relevant credit reporting agency.

Use security best practices when connecting to unfamiliar WiFi networks, particularly in public places.

What Might an Evil Twin Attack Look Like?

In a real-life scenario, an evil twin attack often involves a malicious actor setting up a rogue WiFi access point that imitates a legitimate network to trick users into connecting. Here’s how an evil twin attack might unfold:

  • Location Choice: The attacker selects a location where they expect to find a high volume of potential victims, such as a coffee shop, airport, hotel, or other public spaces where people commonly connect to public WiFi.
  • Creation of the Evil Twin: The attacker sets up a rogue WiFi access point with a name (SSID) identical to or similar to a well-known and trusted network. For example, if there’s a coffee shop with a WiFi network named “CoffeeShopWiFi,” the attacker might create an evil twin with the same name.
  • Signal Strength Manipulation: The attacker ensures that the rogue access point has a signal strength comparable to or stronger than the legitimate network. A strong signal increases the likelihood that nearby devices will automatically connect to the rogue AP.
  • Deceptive Connection: Users in the vicinity, unaware of the malicious intent, see a familiar or seemingly trustworthy network name in their available WiFi networks list. They may connect to the rogue access point, thinking it is the legitimate network they intended to join.
  • Traffic Interception: Once connected, the attacker can intercept and monitor the data transmitted between the user and the internet. Monitored data may include sensitive information such as login credentials, personal messages, or financial transactions.
  • Man-in-the-Middle Attacks: The attacker can launch man-in-the-middle attacks, allowing them to eavesdrop on communications, modify data packets, or redirect users to malicious websites.
  • Data Exploitation: The attacker can exploit the intercepted data for various malicious purposes, such as identity theft, financial fraud, or gaining unauthorized access to the victim’s accounts.
  • Persistence and Further Attacks: In some cases, the attacker may maintain persistence by continuously operating the evil twin access point, allowing them to target multiple users over an extended period.

An evil twin attack may go unnoticed by an unsuspecting user, as the rogue access point closely mimics a familiar network. Therefore, it’s crucial for individuals to be cautious when connecting to WiFi networks, especially in public places, and to adopt security best practices to mitigate the risk of falling victim to such attacks.

Related Content

Receive Zimperium proprietary research notes and vulnerability bulletins in your inbox

Get started with Zimperium today