
Cyber-Security: Do You Have an Evil Twin? Part 2

Part 2

An Engineer’s perspective:

In Part 1 of this series we discussed common Wi-Fi exploits. We received a lot of interest in that post, and in particular in the “Evil Twin” attack. This post gives an overview of what an Evil Twin is, why it is used, what it exploits, and a brief overview of the typical mitigations.

An Evil Twin attack is one in which unsuspecting wireless users are duped into connecting to a rogue AP (one that does not belong to your network) believing it to be part of their own network. Once a client is connected, the rogue AP can be used to harvest user credentials or financial information, or to stage a Man-In-The-Middle (MITM) attack on the client’s traffic.

During the information gathering stage of any attack, the attacker will use wireless sniffing tools to identify the Service Set Identifiers (SSIDs) in use on a network, even when SSID broadcast is disabled: a “hidden” SSID is still sent in the clear in the probe requests and association frames of legitimate clients. The target could be your corporate network in a targeted attack, but well-known public free hotspots are imitated just as often. The attacker then configures the same SSID on the Evil Twin AP, and clients that already know that SSID will associate with it believing it belongs to your network, particularly if the Evil Twin offers the strongest signal.

To perform a MITM attack the attacker also needs onward connectivity, either to your corporate network or to the Internet, so that the victim’s traffic can be relayed and the victim notices nothing. The AP can be hardware, but is more commonly software based (a laptop with a wireless card in AP mode), as that makes it easier to manipulate the MAC address and conceal the attacker’s presence. The MAC address of the rogue AP can be set to that of a genuine AP (its BSSID) to bypass MAC-based access control lists, creating a “Base Station Clone” that cannot be told apart from the real AP by MAC address alone.

Depending on the complexity of the attack, the attacker can also run fake DHCP and DNS servers on the rogue AP, handing clients an attacker-controlled resolver and steering them to fake websites that capture user credentials or financial details. This type of attack has become easier thanks to tools such as Karmetasploit, which is readily available and easily configured to carry out an Evil Twin attack automatically, answering whatever SSID a client probes for.
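The three tell-tales described above (an unknown AP advertising your SSID, your own BSSID appearing with the wrong channel or security settings, and one BSSID heard on two channels at once) are exactly what a wireless intrusion detection sensor looks for. The following is an added example of that detection logic, not code from the original post or from any vendor product; the authorised AP inventory, the captured beacon records and the MAC addresses are all constructed for illustration.

```python
"""Evil Twin / Base Station Clone detector over a list of beacon observations.

Added example. AUTHORISED and SAMPLE are constructed data, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # AP MAC address (BSSID) as seen in the beacon frame
    channel: int
    security: str   # "WPA2-EAP", "WPA2-PSK" or "OPEN" (simplified)
    rssi: int       # received signal strength in dBm


# Authorised AP inventory, BSSID -> (SSID, channel, security). Assumed values.
AUTHORISED = {
    "00:11:22:aa:bb:01": ("CorpWiFi", 6, "WPA2-EAP"),
    "00:11:22:aa:bb:02": ("CorpWiFi", 11, "WPA2-EAP"),
}


def find_rogues(beacons, authorised=AUTHORISED):
    """Return {bssid: [reasons]} for every AP that looks like an Evil Twin.

    Checks applied:
      1. an unknown BSSID advertising one of our SSIDs (plain Evil Twin);
      2. an authorised BSSID whose SSID/channel/security differ from the
         inventory (a Base Station Clone that copied our MAC address);
      3. the same BSSID heard on more than one channel, which a single
         physical radio cannot do (also a clone).
    """
    managed_ssids = {ssid for ssid, _, _ in authorised.values()}
    reasons = defaultdict(set)
    channels_by_bssid = defaultdict(set)

    for b in beacons:
        bssid = b.bssid.lower()            # MAC addresses compare case-insensitively
        channels_by_bssid[bssid].add(b.channel)
        if bssid in authorised:
            exp_ssid, exp_chan, exp_sec = authorised[bssid]
            if (b.ssid, b.channel, b.security) != (exp_ssid, exp_chan, exp_sec):
                reasons[bssid].add(
                    f"clone: authorised BSSID seen as {b.ssid!r} ch{b.channel} "
                    f"{b.security}, inventory says {exp_ssid!r} ch{exp_chan} {exp_sec}")
        elif b.ssid in managed_ssids:
            reasons[bssid].add(
                f"evil twin: unknown BSSID advertising managed SSID {b.ssid!r} "
                f"as {b.security} on ch{b.channel} ({b.rssi} dBm)")

    for bssid, chans in channels_by_bssid.items():
        if len(chans) > 1:
            reasons[bssid].add(f"clone: BSSID heard on several channels {sorted(chans)}")

    return {k: sorted(v) for k, v in reasons.items()}


# Constructed sample of beacons as a monitoring sensor might log them.
SAMPLE = [
    Beacon("CorpWiFi", "00:11:22:aa:bb:01", 6, "WPA2-EAP", -60),   # genuine
    Beacon("CorpWiFi", "00:11:22:aa:bb:02", 11, "WPA2-EAP", -71),  # genuine
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN", -41),       # unknown AP using our SSID
    Beacon("CorpWiFi", "00:11:22:AA:BB:01", 1, "WPA2-EAP", -44),   # our BSSID on the wrong channel
    Beacon("GuestCafe", "66:77:88:99:aa:bb", 6, "OPEN", -82),      # neighbour, not our SSID
]

if __name__ == "__main__":
    for bssid, why in find_rogues(SAMPLE).items():
        print(bssid)
        for line in why:
            print("   ", line)
```

The neighbouring café AP is ignored because it advertises an SSID you do not manage; the open AP on channel 1 is flagged as an Evil Twin, and the copy of your own BSSID is flagged twice, once for the inventory mismatch and once because the sensor heard that MAC on two channels.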

Typical mitigations against an Evil Twin attack are server and AP authentication, ranging from 802.1X port authentication to verification of the authentication server’s certificate by the client. On the wired side the process is the familiar 802.1X one, with a supplicant (client), an authenticator (the switch) and an authentication server, so that an unauthenticated device, including a rogue AP plugged into a wall port, cannot join your network. On the wireless side the authenticator is the AP or wireless LAN controller, and the client verifies the authentication server’s X.509 digital certificate as part of an Extensible Authentication Protocol (EAP) method with server authentication (EAP-TLS, EAP-TTLS or PEAP), to ensure users are connecting to the server they intended to. Of the three, only EAP-TLS also authenticates the client with a certificate; EAP-TTLS and PEAP tunnel a password-based inner method inside the server-authenticated TLS session, so the client’s check of the server certificate (a trusted CA plus the expected server name) is the only thing that stops those inner credentials being handed to an attacker’s RADIUS server. Of course, training to ensure your users don’t routinely accept unexpected certificate warnings is also important.
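Whether the supplicant actually performs that server certificate check is a configuration question, and it is easy to get wrong: a WPA-EAP profile with no trusted CA configured will accept whatever certificate the Evil Twin’s RADIUS server presents. The following is an added example, not code from the original post or from the wpa_supplicant project: a small linter for wpa_supplicant.conf network blocks that shows a weak profile beside its hardened form. The two configs are constructed, and the CA file path and RADIUS server name are assumptions.

```python
"""Lint wpa_supplicant network={...} blocks for missing server-certificate checks.

Added example. WEAK_CONF and HARDENED_CONF are constructed; the CA path
and the server name in them are assumptions, not real infrastructure.
"""
import re

_BLOCK = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
_KV = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*("?)(.*?)\2\s*$')


def parse_networks(conf_text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in _BLOCK.findall(conf_text):
        net = {}
        for line in body.splitlines():
            if line.lstrip().startswith("#"):      # whole-line comment
                continue
            m = _KV.match(line)
            if m:
                net[m.group(1)] = m.group(3)       # quotes stripped if present
        nets.append(net)
    return nets


def lint_network(net):
    """Return the list of problems for one parsed block ([] means it is fine)."""
    problems = []
    if "WPA-EAP" not in net.get("key_mgmt", "").split():
        return problems            # PSK/open profiles: no RADIUS server to verify
    if "ca_cert" not in net and "ca_path" not in net:
        problems.append("no ca_cert/ca_path: any server certificate is accepted, "
                        "including one an Evil Twin's RADIUS server presents")
    if not any(k in net for k in ("domain_match", "domain_suffix_match",
                                  "subject_match", "altsubject_match")):
        problems.append("no server-name pinning (domain_match/domain_suffix_match): "
                        "any certificate issued by the trusted CA is accepted")
    return problems


def lint_conf(conf_text):
    """Return [(ssid, [problems]), ...] for every network block in the config."""
    return [(net.get("ssid", "<no ssid>"), lint_network(net))
            for net in parse_networks(conf_text)]


# Constructed: a PEAP profile that trusts whatever RADIUS server answers.
WEAK_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: the same profile pinned to our CA and our RADIUS server name.
# The CA path and server name are assumptions.
HARDENED_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, problems in lint_conf(conf):
            print(f"[{label}] {ssid}: {'OK' if not problems else ''}")
            for p in problems:
                print("    -", p)
```

The weak profile is reported twice (no CA, no server name); the hardened profile passes. The same two settings are what to look for in a managed Windows or mobile Wi-Fi profile, whatever the supplicant calls them.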

If users are using freely available public hotspots for remote access to your corporate network, then a VPN must be used, and applications must use secure protocols such as TLS (SSL) with proper certificate validation, so that traffic is encrypted end to end and a MITM on the hotspot cannot view or alter your information.

There are a significant number of attacks available against wireless systems and in the next few weeks we will be posting another blog discussing an alternate attack method.

Forfusion practices (including GSS) have significant experience in deploying, securing and managing wireless solutions from multiple vendors. If you would like further information visit the Forfusion Homepage, GSS Homepage or contact us at

Categorised Under: Government Secure Services

2nd Jul 2014