Friday, January 29, 2016

What is Evil Twin in Wireless Networks ?

Nowadays we use Wi-Fi every now and then - in home, office or even in public places. But, how safe is it ?

Evil Twin is one very common recent threat that we need to consider before we use Wi-Fi, especially in public places.

What is Evil Twin

Evil Twin is basically a rogue Wi-Fi access point. It may look very similar to a legitimate one. But, it actually is a Wi-Fi access point controlled by attackers. Most of the time, it contains an SSID or Service Set Identifier of the access point very much similar to the legitimate one. Sometimes, it even provides signal stronger than the legitimate ones so that it can attract attention easily. But, it is actually controlled by the attackers. So, any data traveled through that Evil Twin Wi-Fi access point can be intercepted by attackers.

Purpose of Evil Twin

Attackers make Evil Twin mainly for stealing sensitive data or for other Phishing attacks. If a victim connects to an Evil Twin, any non-HTTPS data can be easily intercepted, as it travels through the attackers' equipment. So, if the user logs in to unprotected bank or email account, the attacker will have access to the entire transaction.

The victim may even be tricked with a login prompt of attacker's server, tempting him to provide sensitive information like usernames and password and resulting in a Phishing attack.

How is Evil Twin created

An Evil Twin can easily be created by an attacker with a smartphone or computer and with some easily available software. The attacker first places himself near a legitimate Wi-Fi hotspot and finds out the SSID or Service Set Identifier and signal strength of the access point. Now, he sends his radio signal using the same or very similar SSID. The attacker may even position himself near the potential victims so that his signal can lure the victims. Some attackers even use some software to deauthenticate the victims from legitimate Wi-Fi access point, so that when they connect back they would connect to the Evil Twin, as it provides stronger signal.


  • It is always a good idea to use VPN. It creates an encrypted tunnel before transmitting data. As a result, it is hard for the attacker to intercept that data.
  • Some software like EvilAP_Defender can be used by network administrator to detect Evil Twin. They try to find out :
          • Wi-Fi access points with similar SSID, but different BSSID or MAC address of wireless access point.
          • same BSSID as the legitimate one, but with different attributes like channel, cipher, privacy protocol, authentication etc.
          • Even with same BSSID and attributes as the legitimate access point, but with different tagged parameter like OUI or Organizationally Unique Identifier which is assigned by the IEEE registration authority.

  • Before connecting to a Wi-Fi do not just rely on the name of the wireless access point, instead verify whether it is a legitimate one.
  • It is always better to restrict browsing only to websites that do not require any sensitive data like login credentials while using a public Wi-Fi.
  • Avoid providing any sensitive information even any website or login screen asks for that while using public Wi-Fi.

So, beware of all the security vulnerabilities and recent threats and stay safe, stay secured.

No comments:

Post a Comment