Hacker’s Toolbox: Detecting Software-Based 802.11 Evil Twin Access Points

The usage of public Wi-Fi hotspots has become
a common routine in our everyday life. They are ubiquitous
and offer fast and budget-friendly connectivity for various client
devices. However, they are exposed to a severe security threat:
since 802.11 identifiers (SSID, BSSID) can be easily faked, an
attacker can setup an evil twin, i.e., an access point (AP) that
users are unable to distinguish from a legitimate one. Once a user
connects to the evil twin, he inadvertently creates a playground
for various attacks such as collection of sensitive data (e.g.,
credit card information, passwords) or man-in-the-middle attacks
even on encrypted traffic. It is particularly alarming that this
security flaw has led to the development of several tools that are
freely available, easy to use and allow mounting the attack from
commodity client devices such as laptops, smartphones or tablets
without attracting attention. In this paper we provide a detailed
overview of tools that have been developed (or can be misused)
to set up evil twin APs. We inspect them thoroughly in order
to identify characteristics that allow them to be distinguished
from legitimate hardware-based access points. Our analysis has
discovered three methods for detecting software-based APs. These
exploit accuracy flaws due to emulation of hardware behavior
or peculiarities of the client Wi-Fi hardware they operate on.
Our evaluation with 60 hardware APs and a variety of tools
on different platforms reveals enormous potential for reliable
detection. Furthermore, our methods can be performed on typical
client hardware within a short period of time without even
connecting to a potentially untrustworthy access point.