Overview
- Evil Twin: Malicious wireless access point that mimics a legitimate network to intercept user traffic and credentials
- Rogue WAP: Unauthorized wireless access point installed on a network (either malicious or accidental)
- Both create security vulnerabilities by bypassing network perimeter defenses and exposing internal resources
Evil Twin Attack Mechanics
- Attacker sets up a WAP with an identical or near-identical SSID to the legitimate network (e.g., an exact copy of “Company WIFI”, or a lookalike that differs only in case, spacing, or a single character)
- Often uses stronger signal strength to force client association
- Performs man-in-the-middle attacks by capturing all traffic passing through the fake AP
- Can harvest login credentials, session tokens, and sensitive data
- May use captive portals requesting credentials for “network access”
Rogue Access Point Types
| Type | Description | Risk Level | Common Scenarios |
|---|---|---|---|
| Malicious Rogue | Intentionally placed by attackers | Critical | External threat actors gaining network access |
| Shadow IT Rogue | Employee-installed for convenience | High | Personal routers, travel routers, hotspots |
| Misconfigured AP | Legitimate AP with poor security | Medium | Default passwords, open authentication |
| Compromised AP | Legitimate AP taken over by attacker | Critical | Firmware exploits, weak credentials |
Attack Vectors & Techniques
- SSID Spoofing: Copying legitimate network names exactly or with minor variations
- MAC Address Cloning: Duplicating legitimate AP MAC addresses to avoid detection
- Captive Portal Abuse: Creating fake login pages that harvest credentials
- WPS Exploitation: Targeting vulnerable WiFi Protected Setup implementations
- Deauthentication Attacks: Forcing clients to disconnect and reconnect to malicious AP
Detection Methods
- Wireless Intrusion Detection Systems (WIDS): Monitor RF spectrum for unauthorized APs
- Regular Site Surveys: Physical and RF audits to identify unexpected wireless signals
- MAC Address Monitoring: Track authorized AP MAC addresses and alert on duplicates
- Signal Strength Analysis: Detect APs with unusually strong signals in unexpected locations
- Network Traffic Analysis: Monitor for suspicious traffic patterns or destinations
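A sensor-side check that applies the MAC address monitoring, SSID lookalike and signal strength heuristics listed above to one wireless scan, as an added example that is not from these notes; the Beacon record layout, the authorized AP inventory and the scan records are constructed sample data.

```python
# Added example (not from the notes): flag evil-twin/rogue AP candidates; all data constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # transmitting AP's MAC address
    channel: int
    security: str  # "WPA2-Enterprise", "WPA2-PSK", "Open", ...
    rssi: int      # signal strength in dBm at the sensor

# Constructed inventory of managed APs: BSSID -> (SSID, security)
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("Company WIFI", "WPA2-Enterprise"),
    "aa:bb:cc:00:00:02": ("Company WIFI", "WPA2-Enterprise"),
}

def normalize(ssid):
    """Fold case and drop separators so 'Company_WiFi' matches 'Company WIFI'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())

def classify(beacons, authorized=AUTHORIZED, rssi_ceiling=-30):
    """Return (bssid, reason) pairs for beacons that should raise an alert."""
    managed = {normalize(ssid) for ssid, _ in authorized.values()}
    channels, findings = defaultdict(set), []
    for b in beacons:
        channels[b.bssid].add(b.channel)
        if b.bssid in authorized:
            if (b.ssid, b.security) != authorized[b.bssid]:
                # MAC cloning: our BSSID, but not our SSID/security settings
                findings.append((b.bssid, "authorized BSSID with mismatched SSID/security"))
            elif b.rssi > rssi_ceiling:
                # Far stronger than the sensor should ever see from the real AP
                findings.append((b.bssid, f"abnormally strong signal {b.rssi} dBm"))
        elif normalize(b.ssid) in managed:
            # SSID spoofing: managed name (or lookalike) from an unknown radio
            findings.append((b.bssid, f"unknown BSSID advertising {b.ssid!r} as {b.security}"))
    for bssid, chans in channels.items():
        if len(chans) > 1:  # one radio cannot beacon on two channels at once
            findings.append((bssid, f"same BSSID on channels {sorted(chans)}"))
    return findings

SCAN = [  # constructed: two real APs, one twin, one clone of :01, one open lookalike
    Beacon("Company WIFI", "aa:bb:cc:00:00:01", 6, "WPA2-Enterprise", -62),
    Beacon("Company WIFI", "aa:bb:cc:00:00:02", 11, "WPA2-Enterprise", -70),
    Beacon("Company WIFI", "de:ad:be:ef:00:01", 6, "WPA2-Enterprise", -35),
    Beacon("Company WIFI", "aa:bb:cc:00:00:01", 1, "WPA2-Enterprise", -28),
    Beacon("Company_WiFi", "de:ad:be:ef:00:02", 6, "Open", -40),
]
```

Running `classify(SCAN)` yields four alerts: the twin radio copying the SSID, the open lookalike SSID, and two signs of the cloned MAC (abnormal signal, same BSSID on two channels).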
Prevention & Mitigation Strategies
- 802.1X Authentication: Implement enterprise authentication to prevent unauthorized network access
- Certificate-Based Authentication: Use digital certificates instead of PSK (Pre-Shared Key) methods
- Wireless Client Education: Train users to verify network legitimacy before connecting
- Regular Security Audits: Periodic assessments of wireless infrastructure and policies
- Physical Security Controls: Restrict physical access to areas where rogue APs could be installed
Vocabulary
- SSID (Service Set Identifier): Network name broadcast by wireless access points
- WIDS (Wireless Intrusion Detection System): Security system monitoring wireless networks for threats
- PSK (Pre-Shared Key): Shared password authentication method (WPA2-Personal)
- Captive Portal: Web page requiring authentication before network access
- WPS (WiFi Protected Setup): Simplified connection method often vulnerable to attacks
Notes
- Evil twins are most effective in high-traffic areas like airports, coffee shops, and hotels where users expect open networks
- Always verify network legitimacy with IT staff before connecting to corporate networks, especially if prompted for credentials
- Rogue APs can bypass all perimeter security controls (firewalls, IPS) by creating new entry points into the network
- Modern enterprise wireless controllers can automatically detect and contain rogue APs, but require proper configuration
- Certificate warnings should never be ignored when connecting to wireless networks; they often indicate an evil twin attack
- Consider using VPN connections even on trusted networks to add an encryption layer against potential evil twin attacks