Evil twin (wireless networks)

{{Short description|Method used to facilitate phishing}}

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications.{{cite news|author=Smith, Andrew D.|title= Strange Wi-Fi spots may harbor hackers: ID thieves may lurk behind a hot spot with a friendly name|work= The Dallas Morning News|publisher= Knight Ridder Tribune Business News|location= Washington, DC|date=9 May 2007| page= 1| url= http://cloud-computing.tmcnet.com/news/2007/05/09/2597106.htm|accessdate= 6 June 2007}}

This type of attack, also known as a man-in-the-middle attack, may be used to steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.{{Cite news|author=Wolfe, Daniel|title=Security Watch|work=American Banker|location=New York, NY|date= February 14, 2007|volume= 172|number= 31|pages= 7|issn=0002-7561|quote=A security firm used an evil twin as a test to obtain passwords from attendees at an RSA security conference|id={{ProQuest|249873579}}}}

Method

The attacker snoops on Internet traffic using a bogus wireless access point. Unwitting web users may be invited to log into the attacker's server, prompting them to enter sensitive information such as usernames and passwords. Often, users are unaware they have been duped until well after the incident has occurred.

When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it is sent through their equipment. The attacker is also able to connect to other networks associated with the users' credentials.

Fake access points are set up by configuring a wireless card to act as an access point (known as HostAP). They are hard to trace since they can be shut off instantly. The counterfeit access point may be given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection,{{cite web|title=Evil Twin with internet access via legitimate access point : Proof of concept|url=http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html|website=kalitutorials.net}} or it can simply say the system is temporarily unavailable after obtaining a username and password.{{cite news|author=Crossman, Craig|title=Computer Column|publisher= Knight Ridder Tribune Business News|location= Washington, DC|date= 24 August 2005}}{{cite news|url=https://www.networkworld.com/article/831134/lan-wan-evil-twin-wi-fi-access-points-proliferate.html|author=Kirk, Jeremy|title=′Evil Twin′ Hotspots Proliferate|work=Network World|publisher=IDG News Service|date= April 25, 2007}}{{cite news|work=CNN|url=http://www.cnn.com/2005/TECH/internet/01/20/evil.twins/ |title='Evil twin' threat to Wi-Fi users|date= January 20, 2005}}{{cite news|url=http://www.pcworld.com/news/article/0,aid,120054,00.asp|title=Does Your Wi-Fi Hotspot Have an Evil Twin?|date=March 15, 2005|author=Biba, Erin|work=PC World|access-date=February 4, 2010|archive-date=August 20, 2008|archive-url=https://web.archive.org/web/20080820182656/http://www.pcworld.com/news/article/0,aid,120054,00.asp|url-status=dead}}

Using captive portals

One of the most common evil twin attacks uses a captive portal. The attacker first creates a fake wireless access point with an ESSID similar to that of the legitimate access point. The attacker might then execute a denial-of-service attack on the legitimate access point, causing it to go offline. From then on, clients connect to the fake access point automatically. The clients are then led to a web portal that asks them to enter their password, which the attackers can then misuse.
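
A defensive check for the conditions described above (a reused SSID, a copied BSSID, or a similar ESSID), given here as an added example that is not part of the original article: it compares scan results against an inventory of sanctioned access points. The inventory, the SSIDs and BSSIDs, the reason labels and the 0.8 similarity threshold are all constructed assumptions.

```python
from difflib import SequenceMatcher

# Assumed inventory of sanctioned APs (constructed): SSID -> BSSID -> (channel, security)
KNOWN_APS = {
    "CorpNet": {
        "aa:bb:cc:00:00:01": (6, "WPA2"),
        "aa:bb:cc:00:00:02": (11, "WPA2"),
    },
}

# Constructed scan results: (ssid, bssid, channel, security)
SCAN = [
    ("CorpNet", "aa:bb:cc:00:00:01", 6, "WPA2"),     # matches inventory
    ("CorpNet", "de:ad:be:ef:00:01", 1, "OPEN"),     # same SSID, unlisted radio
    ("CorpNet", "AA:BB:CC:00:00:02", 3, "OPEN"),     # listed BSSID, wrong channel/security
    ("C0rpNet", "de:ad:be:ef:00:02", 6, "OPEN"),     # look-alike ESSID
    ("CoffeeShop", "11:22:33:44:55:66", 1, "WPA2"),  # unrelated neighbour
]

def similar(candidate, known_ssid, threshold=0.8):
    """True when an unlisted SSID is close enough to a known one to confuse users."""
    ratio = SequenceMatcher(None, candidate.casefold(), known_ssid.casefold()).ratio()
    return ratio >= threshold

def classify(ssid, bssid, channel, security, known=KNOWN_APS):
    """Return a reason string for a suspicious beacon, or None if nothing stands out."""
    if ssid in known:
        expected = known[ssid].get(bssid.lower())
        if expected is None:
            return "unknown-bssid"            # our SSID from a radio we do not own
        if expected != (channel, security):
            return "cloned-bssid-mismatch"    # our BSSID, but attributes differ
        return None
    if any(similar(ssid, k) for k in known):
        return "lookalike-ssid"               # near-miss name
    return None

def find_suspects(scan, known=KNOWN_APS):
    """List (reason, ssid, bssid) for every scan record that deviates from inventory."""
    suspects = []
    for ssid, bssid, channel, security in scan:
        reason = classify(ssid, bssid, channel, security, known)
        if reason:
            suspects.append((reason, ssid, bssid.lower()))
    return suspects

if __name__ == "__main__":
    for reason, ssid, bssid in find_suspects(SCAN):
        print(f"{reason:24} {ssid:12} {bssid}")
```

A twin that also copies the channel and security settings of a listed BSSID passes this check, so a clean result means only that these three signals are absent.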

Example

In July 2024 a man was charged by Australian Federal Police with running a fake Wi-Fi network to steal credentials of passengers on at least one commercial flight.{{Cite news |title=Police allege ‘evil twin’ of in-flight Wi-Fi used to steal passenger’s credentials |url=https://www.theregister.com/2024/07/01/australia_evil_twin_wifi_airline_attack/ |last=Sharwood |first=Simon |date=2024-07-01 |access-date=2024-07-02 |work=The Register}} An airline had reported that employees had concerns about a suspicious Wi-Fi network identified during a domestic flight.

References

{{reflist}}