What is An Evil Twin Attack?

An Evil Twin, or rogue access point, is a WLAN access point that mimics a legitimate access point. Its goal is to get unsuspecting users to connect to it. An attacker can then read the transmitted data and obtain user data, passwords, and other secret or critical information.

What is An Evil Twin Attack?

As the name suggests, an Evil Twin is a malicious double of an access point in a wireless network. It is also referred to as a rogue access point. The twin mimics a real, legitimate access point by broadcasting the same SSID. Users' endpoints connect to the rogue access point either automatically or after the user has been asked for credentials.

An attacker is then able to read all transmitted data. Personal data, user IDs and passwords, payment information, and other data can be stolen in this way. Because mobile access points and tools for setting up an evil twin are easily available, it is relatively easy to implement an Evil Twin. Even a normal smartphone can be sufficient for this.

The sequence of an attack via Evil Twin in the wireless network

First, an attacker analyzes the WLAN into which he wants to introduce an evil twin. The most important information is the SSID (Service Set Identifier). The attacker then configures a device, usually a mobile one such as a laptop, tablet, or smartphone, as an access point with this SSID and places it in the immediate vicinity of the users.

Since the signal strength of the false access point is very high from the user's point of view, the end devices prefer to connect to the rogue access point. In the case of open hotspots without a password, the login is in many cases completely automatic and happens without the user being aware of it. To attack WLANs that are protected by an access password as well, the Evil Twin can mimic the authentication process: the user enters his password and the fake access point accepts it. Other methods, such as mimicking a login page on the Evil Twin, are also possible.

Software is installed on the Evil Twin that can record and read all data traffic. This makes it possible to steal data that the user transmits unencrypted.

Possible protective measures against an Evil Twin in the WLAN

As a basic rule, users should only use public hotspots that are not under their own control if there are no other options for Internet traffic. Since it is almost impossible for normal users to determine whether a legitimate public hotspot or an Evil Twin is broadcasting the SSID, public hotspots carry a high risk of this attack method.

Only non-critical applications such as surfing the Internet should be run via a public hotspot. Online shopping, e-mail retrieval, or online banking should be avoided. It is important to encrypt all communication in the WLAN end-to-end, for example by using HTTPS pages or encrypted IMAP and POP accounts. The use of VPN connections provides good protection.
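
The measures above are aimed at users. The network operator has one more option, because the operator knows which access points are legitimate. The following is an added example, not part of the original article: it checks WLAN scan results for the traits described in the attack sequence (same SSID, very high signal strength, open instead of password-protected). The inventory, the Beacon record, the SSID and all addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory of the operator's own access points (assumption):
# SSID -> (set of legitimate BSSIDs, expected security mode)
INVENTORY = {
    "CorpWiFi": ({"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}, "WPA2"),
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    rssi_dbm: int   # signal strength; closer to 0 means stronger
    security: str   # "OPEN", "WPA2", "WPA3"

def find_evil_twin_candidates(beacons, inventory=INVENTORY):
    """Return (beacon, reasons) for beacons that use a managed SSID suspiciously."""
    # Strongest signal seen from a legitimate access point, per SSID.
    strongest_known = {}
    for b in beacons:
        entry = inventory.get(b.ssid)
        if entry and b.bssid.lower() in entry[0]:
            strongest_known[b.ssid] = max(strongest_known.get(b.ssid, -200), b.rssi_dbm)
    findings = []
    for b in beacons:
        entry = inventory.get(b.ssid)
        if entry is None:
            continue  # not one of our SSIDs, out of scope
        allowed, expected_security = entry
        reasons = []
        if b.bssid.lower() not in allowed:
            reasons.append("unknown-bssid")          # same SSID, foreign radio
            if b.rssi_dbm > strongest_known.get(b.ssid, -200):
                reasons.append("stronger-than-legitimate")
        if b.security != expected_security:
            reasons.append("security-mismatch")      # e.g. open copy of a WPA2 network
        if reasons:
            findings.append((b, reasons))
    return findings

# Constructed sample scan: two legitimate APs, one twin, one unrelated hotspot.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "02:00:00:aa:bb:01", -61, "WPA2"),
    Beacon("CorpWiFi", "02:00:00:aa:bb:02", -74, "WPA2"),
    Beacon("CorpWiFi", "02:00:00:ee:ff:99", -38, "OPEN"),
    Beacon("CoffeeShop", "02:00:00:11:22:33", -50, "OPEN"),
]

if __name__ == "__main__":
    for beacon, reasons in find_evil_twin_candidates(SAMPLE_SCAN):
        print(beacon.bssid, beacon.ssid, beacon.rssi_dbm, ", ".join(reasons))
```

A BSSID can be copied just like an SSID, so a scan without findings does not prove that no twin is present; the encryption measures above remain necessary.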