DOI: 10.1145/2642687.2642691
research-article

Undesired relatives: protection mechanisms against the evil twin attack in IEEE 802.11

Published: 21 September 2014

ABSTRACT

Commonly used identifiers for IEEE 802.11 access points (APs), such as network name (SSID), MAC (BSSID), or IP address can be trivially spoofed. Impersonating existing APs with faked ones to attract their traffic is referred to in the literature as the evil twin attack. It allows an attacker with little effort and expenditure to fake a genuine AP and intercept, collect, or alter (potentially even encrypted) data. Due to its severity, the topic has gained remarkable research interest in the past decade. In this paper, we introduce a differentiated attacker model to express the attack in all its facets. We propose a taxonomy for classifying and structuring countermeasures and apply it to existing approaches. We are the first to conduct a comprehensive survey in this domain to reveal the potential and the limits of state-of-the-art solutions. Our study discloses an important attack scenario which has not been addressed so far, i.e., the usage of specialized software to mount the attack. We propose and experimentally validate a novel method to detect evil twin APs operated by software within a few seconds.


Published in

Q2SWinet '14: Proceedings of the 10th ACM symposium on QoS and security for wireless and mobile networks
September 2014
146 pages
ISBN: 9781450330275
DOI: 10.1145/2642687

          Copyright © 2014 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Q2SWinet '14 Paper Acceptance Rate: 14 of 30 submissions, 47%
Overall Acceptance Rate: 46 of 131 submissions, 35%
