combatting the evil twin


jonnyfive
03-22-2005, 02:57 AM
Anyone know a good way to combat an evil twin attack on a public wifi cafe?

golfnut
03-22-2005, 02:22 PM
If you see two of the same SSIDs at the cafe and you know for sure that they only have one access point, chances are good that the second one is the evil twin.

Anyone with a laptop, Apache, OpenSSL, and an access point with a strong signal can create an evil twin to capture your login info or, worse, credit card registration info.

Install Zone Alarm (free). Once associated with the evil twin, you're on their network and they can scan your laptop. Zone Alarm will alert you to this.

Greg

jonnyfive
03-22-2005, 03:44 PM
Yes, but what if I am the network admin and the attack keeps taking out my wifi?

Thanks,

Jonnyfive

golfnut
03-22-2005, 03:51 PM
What happens when he "takes out" your wifi?

Greg

jonnyfive
03-22-2005, 05:15 PM
The connection to the internet is blocked for all wifi users. The hardwired ports of the router allow inet access; however, all wireless users are not able to access the internet until I reboot the router. Thus far, I've tried two different 2wire wifi access points, a Linksys, a Netgear, two different Zyxels, and a Buffalo AirStation. I'm real sure that it's not the router. Somehow the ****er is ****ing up the DHCP and the routing to the internet. The users connected when it happens stay connected with an IP address, but new users are not able to get an IP address even though the signal strength is very high. I can see when he's in there and cloning other MAC addresses of other wifi APs around the coffee shop but have yet to locate his exact whereabouts. I called the FBI cybercrimes division here today and am waiting on a call back. It has cost me a lot of time and money and has left a very bad impression on every customer at the cafe, which just opened. Funnily enough, all this started happening in January when this news of the evil twin spread across all of the techie articles on the net. They're still going around. It seems to be all the rage???

golfnut
03-22-2005, 05:43 PM
Wow...

Funny how a little publicity brings the worst out of people.

Here's another suggestion and it may not be feasible but if you put some type of reflective material in your windows like the ones used to shade out the sun, it may deflect outside RF.

Greg

wirelessoceans
03-23-2005, 01:05 PM
Hi,

You may also need to step up to an AP that has DoS protection such as the Proxim AP 700. Also, you may want to implement a simple WEP key that your counter person gives out and change it frequently. Another thing to do is find out the violator's MAC and blacklist them from your AP. Good luck.

jonnyfive
03-23-2005, 02:41 PM
I filed a report with the FBI and the local police department this morning. I've thought about the WEP and MAC filtering, but this person has the ability to use and clone any MAC he sees? I'll let the FBI and the police look into it a bit and maybe scare the pants off of somebody or fine the shit out of them.

spiderbite
03-23-2005, 04:05 PM
Fellas, I have to chime in here. I apologize for the intrusion, but I do not believe the problem has anything to do with the evil twin thing.

As golfnut described the evil twin gets unsuspecting users to associate to it. Losing DHCP is happening on your network.

In my opinion, as well as a few colleagues here at the office, the assclown is sitting in your coffee shop or nearby parking lot with an Orinoco card connected to your network. He has gotten into the router and periodically turns DHCP off.

First I would buy a real AP or two and ensure no signal could be picked up outside.

Second, I would change the default security on the router you are using and I believe your issue will stop.

Thirdly, (is that a word?) I would peruse the place and if I saw anyone running kismet or airmagnet with an Orinoco card I would bash his skull with an ashtray.

Let us know what happens....

golfnut
03-23-2005, 05:45 PM
Very good and funny post Spider...

Jonny, please let us know the outcome.

Thanks!

jonnyfive
03-23-2005, 06:56 PM
It happens daily, which leads me to believe that him turning off the DHCP is not happening. Every time it's screwed up and I go into the settings, everything is configured as normal. Also, it's not an assclown that is in the cafe, because I would be in jail for hitting him in the head with several ashtrays. How would I ensure that the signal does not go past my front porch?

spiderbite
03-23-2005, 10:02 PM
First, you have to be able to turn the power down or attenuate the signal. On many SOHO devices all you get is wide open, usually 100mW or higher depending on model. To attenuate the signal, you have to be able to disconnect the antenna and install something such as a large length of low loss cable, which is usually not possible on SOHO stuff.

Bear with me... I deduce that if all the people who were on the network prior to the incident can still be on the network during and after the incident, while new people cannot connect via DHCP, you have lost that ability. If the IP of the gateway had been changed, nobody would connect. Suddenly no one would work. If he hasn't changed the IP then the network hasn't changed, leaving everyone with a valid lease still able to connect, while new users cannot.

This is not the purpose of the evil twin thing nor could you do it this way. The only way to maliciously interfere is to actually be on your network and gain access to the box.

You know that he can spoof mac addresses. How? You know which one is him but you can’t track him down (correct?).

Rather than find him, just shut him down... much easier.

I would do this in this order.

Cough up for a real AP (Cisco 1230, Proxim, whatever, etc.); you can turn the AP power down to as low as 1 mW if you have to. I'm not averse to directional antennas instead of omnis to further shape the signal... like raining down from above instead of blasting around 360 degrees.

Do a site survey and see what the lowest power setting is that you can use to get coverage where you need it and not be ‘visible’ past the sidewalk. You may discover you need to move the AP further away from the front or need another to make up the slack. This is not a bad thing.

Then I would change the security settings on the router/gateway thingy. There are websites that list all default settings for all products sold, and every thirteen year old knows them. Just for kicks I would change the IP range to something not so obvious like 192.168.x.x or 10.x.x.x... I like 127.x.x.x because, well, just because. I would also turn the logs on to record who goes in and out of it.

If the problem still persists after these minimal changes, then you probably do not have an intruder. This would present too much work to crack, and hackers are like burglars: they don't like to work too hard. But at least you know where to concentrate your efforts.

You can even go in steps. Do one thing at a time and see what happens. If you turn the signal down and it still happens, then he is inside. Then change the security, etc.

Past that, I don’t know enough about networking to be of any use, but when you figure it out, you can post the results here…

Peace….

golfnut
03-23-2005, 11:18 PM
One more thing...

You mentioned that this happens daily and resetting the router fixes the problem.

You also mentioned that this never affects the wired connections and that the users connected when it happens stay connected with an ip address but new users are not able to get an ip address even though the signal strength is very high.

How many people use your wireless network daily? Does this usually happen in the afternoon? What's the DHCP range?

Greg

jonnyfive
03-23-2005, 11:45 PM
Great guess, but there are 200 IP addresses that can be handed out and we are only typically using 50 or so a day. The timeout is for a day. They are refreshing. However, FYI, the 2wire from SBC was not releasing the IPs at the appropriate time and was one problem I fixed by getting a new one from SBC. Great guess though.

spiderbite
03-24-2005, 12:02 AM
OK, I feel stupid... the last two posts went over my head.

what was the guess?

what did I miss from all that ????

Take a brother to school would ya...

jonnyfive
03-24-2005, 12:06 AM
DHCP servers will only give out the number of IPs that you specify. They will lease out an IP, and you have to set a lease time for that IP to expire. If a customer comes in and gets an IP address, the router has to release it so that there will be addresses left over for other people who want to get an IP address.

golfnut
03-24-2005, 03:32 AM
Okay,

This is what I think is happening and there are some things that will limit this...

The hacker has a list of MAC IDs from users that frequent the cafe, or he just has a list of common MACs.

He associates to the network, each time rotating through the list of MAC IDs. Each MAC ID is assigned an IP address which stays active until lease timeout.

A user with the same MAC ID attempts to associate, which creates a conflict in the router, and the user doesn't get an IP. This would explain why users already associated aren't affected.

Router is reset, clearing the DHCP pool and everyone is happy.

There are a few ways to prevent this.

One is to use WEP or WPA like Oceans mentioned. This will create more resource time to assist with user configuration, but after the learning curve is over, it should be easy to manage until you have to change your WEP keys.

Reducing the signal strength like you mentioned is another good idea. In addition, use an external ceiling mount antenna or two (DLink makes some). This forces the RF signal down instead of the radius pattern on the omni antenna that comes with the router.

Third is to walk around with a bat instead of an ash tray :-)

Greg
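Greg's lease-conflict theory above, as an added example that is not code from anyone in the thread: it replays constructed DHCP lease log lines against a pool of the size jonnyfive stated (200 addresses, one-day leases) and flags a burst of never-before-seen MACs, or a nearly exhausted pool, the way a defender watching the router log would. The log line format, thresholds and MAC addresses are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

POOL_SIZE = 200            # jonnyfive's pool: 200 addresses
LEASE_SECONDS = 86400      # one-day lease, as stated in the thread
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 20       # new MACs per window; ~50 clients a day is normal here
FULL_RATIO = 0.9           # flag when the pool is nearly exhausted (assumed)

def parse_lease_line(line):
    """Parse a constructed 'YYYY-mm-dd HH:MM:SS DHCPACK <ip> <mac>' line."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "DHCPACK":
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, parts[3], parts[4].lower()

def analyze(lines):
    """Replay lease lines in order; return pool statistics and alerts."""
    active, seen, recent = {}, set(), deque()   # recent: (first_seen, mac)
    alerts, peak, full_flagged = [], 0.0, False
    for line in lines:
        rec = parse_lease_line(line)
        if rec is None:
            continue
        ts, ip, mac = rec
        for m in [m for m, (_, exp) in active.items() if exp <= ts]:
            del active[m]                       # lease timed out, as on the router
        active[mac] = (ip, ts + timedelta(seconds=LEASE_SECONDS))
        peak = max(peak, len(active) / POOL_SIZE)
        if len(active) >= FULL_RATIO * POOL_SIZE and not full_flagged:
            alerts.append(("pool_nearly_full", ts, len(active)))
            full_flagged = True
        if mac not in seen:                     # only first-time MACs count
            seen.add(mac)
            recent.append((ts, mac))
        while recent and ts - recent[0][0] > WINDOW:
            recent.popleft()
        if len(recent) >= BURST_THRESHOLD:      # many fresh MACs in a short window
            alerts.append(("mac_burst", ts, len(recent), len(active)))
            recent.clear()                      # one alert per burst
    return {"alerts": alerts, "peak_utilization": peak,
            "distinct_macs": len(seen), "active_leases": len(active)}

def constructed_log():
    """Constructed sample: regulars, a quiet morning, then 25 new MACs in 2 min."""
    def line(ts, n, mac):
        return f"{ts:%Y-%m-%d %H:%M:%S} DHCPACK 192.168.1.{n} {mac}"
    base, lines = datetime(2005, 3, 23, 9, 0, 0), []
    for i in range(5):     # yesterday's regulars; their leases expire today 09:0x
        lines.append(line(base - timedelta(days=1, minutes=-i), 10 + i,
                          f"02:00:00:aa:bb:{i:02x}"))
    for i in range(4):     # genuine customers at 10:00, 10:30, 11:00, 11:30
        lines.append(line(base + timedelta(minutes=60 + 30 * i), 20 + i,
                          f"02:00:00:cc:dd:{i:02x}"))
    burst = datetime(2005, 3, 23, 14, 0, 0)
    for i in range(25):    # rotating MACs, one new lease every five seconds
        lines.append(line(burst + timedelta(seconds=5 * i), 100 + i,
                          f"02:00:00:ee:ff:{i:02x}"))
    return lines
```

With the constructed log, `analyze(constructed_log())` raises one `mac_burst` alert at 14:01:35, when the twentieth fresh MAC appears inside a ten-minute window while only 24 of 200 leases are in use, which is the pattern to look for in the router's own log before the pool actually runs dry.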

jonnyfive
03-24-2005, 04:47 AM
Here's an interesting note. The SSIDs have all been from local shops that have wifi access. I've seen five different coffee bars' SSIDs on my NetStumbler logs, which tells me that someone is either trying to misdirect my search, or is just being a clever assclown. One of the SSIDs had a log of like ten different MAC addresses, and I know for certain that the particular coffee shop only has two different MACs and is about ten miles away. ?? What explains this?

wirelessoceans
03-24-2005, 11:39 AM
Ok guys,

I think we should step back and just think about this for a minute. There are two things going on here.

One. Someone is using an AP with the same SSID as your own and broadcasting in your shop, right?

Second. Someone is doing a DoS attack on your AP?

These two things are mutually exclusive, meaning that these cannot be done with one keystroke or so; however, they can be done by the same person.

To stop the EVIL TWIN, which is problem One, you can locate them and report them (like you did), DoS them, or change your SSID and hope they don't follow suit. Also, you haven't told us if you are using authentication or a wide open system. If it's wide open, which I am guessing, you may want to use a gateway that has a splash page (which usually has DoS protection) so your customers know they are on your network.

Overall, when providing a commercial service such as this you should use commercial grade products. If you do, you will be able to prevent these types of attacks; if not, good luck.

To stop number two you will need an AP that does DoS protection.

jonnyfive
03-24-2005, 12:02 PM
I have been experimenting with a Linux distro called Smoothwall and have looked into a couple of others which will run on an old PC. Do you have any suggestions for what to use to implement the splash page? Do you have any experience with NoCatAuth? Could it be used to prevent the DoS attack?

Also, to answer your question, it is wide open. I need it to be as easy as possible for the assclowns who don't know what wifi stands for and are just lucky they can even turn on their computers. If I use a WEP key and change it every few days, would that help? I would somehow have to print them up and give a keycode to each user with a laptop? Pain in the ass, but I might be able to benefit from it by saying that it's a safe place to surf, and most of all it could be up all of the time?

golfnut
03-24-2005, 12:17 PM
Hi Rick,

Your original idea of using WEP is probably the best thing to do.

Even if he used a gateway with a splash page, that can easily be spoofed. There is a major wifi company that has an inexpensive AP with a hotspot feature that forces redirection to a web server (i.e. Apache). You can easily make someone think that they're logging into a hotspot. I won't mention the product but it's really easy to spoof a login page and capture key strokes. You could also add SSL to make it look more real.

The gateway is also going to assign him an IP address prior to authentication so the MAC ID overload is still a problem unless he used 802.1x.

With WEP, the hacker can't associate nor obtain an IP.

Greg

wirelessoceans
03-24-2005, 12:56 PM
Whats up Greg,

I agree, simple WEP is a great way to get started. Just change it weekly. Then print it and hand it out or have the counter person hand it out. And it is more secure than wide open.

The idea of the redirect was more of branding/recognition than authentication. Redirects can be spoofed, but like spider says hackers will usually go after the lame or wounded and that takes a little more time and effort. Which it appears that this nerd has unlimited supplies of.

Try the WEP and make the key relatively easy; remember it's just a lock, and if they really want to break it they can and will. Let us know if that stops your problem.

BTW - Nomadix, valuepoint and zyxel sell ap/gateways around $700 that will work if you go the redirect route.

jonnyfive
03-24-2005, 01:05 PM
I have a Zyxel that I've tried to install with a printer that issues out the username and password to get authorized, but ran into problems my guys are looking into. There's a small problem getting connected while running a firewall. Shouldn't be too big of an issue, but I can't walk every user through how to configure their firewall.... So the hits just keep coming. I'm going to leave the network the way it is until the police come check it out so I can nail the muther_f*cker. Many thanks to you guys for lending your knowledge, I'll keep you posted.

rigbyorange
04-13-2005, 12:42 AM
Hello,
You might want to make sure that this is an Evil Twin attack. Run NetStumbler and see if there is more than one AP broadcasting your SSID. You should be able to recognize yours by the MAC address. If there is another, try to triangulate its location by walking around with your laptop and checking the signal strength. I had this same situation happen to me at an apartment complex, and the assclown had not done this deliberately; he had just accidentally changed his bridge from bridging mode to AP mode.

jonnyfive
04-13-2005, 10:06 AM
Well, that has happened. The odd thing is that it will not happen for long. I've logged NetStumbler in there and noticed my SSID showing up with different MAC addresses. However, when I began trying to triangulate, it dropped off the radar. Somebody is having a great time screwing with me. I've since learned of all kinds of ways that you can jam a wifi signal. It turns out that this is not exactly an evil twin in the sense that you cannot connect to the rogue AP. I have some guys from the Austin Wireless City project working with me on it and as of yet, this problem is still a mystery. The solution I've come up with is rather expensive, but it works for now... I have one line with SBC DSL and another with Road Runner business class. I've set up two access points, ssid and ssid #2. Whatever is causing our problem cannot cause it for both connections at the same time, so if my customers can't get to the internet through my main SSID, they just connect to #2, and so far it's working. But... two business class connections cost around the sum of $250.00 a month......

rigbyorange
04-13-2005, 10:57 AM
Hello,
After running NetStumbler, check what type of hardware the other SSIDs are coming from. You can check this here: http://www.coffer.com/mac_find/
You might also want to try an AP that can broadcast several different SSIDs. The initial cost will be higher for the AP, but you could get rid of the high monthly costs of running 2 business class connections.

spiderbite
04-13-2005, 05:11 PM
Hey jonny,

By Austin you mean Texas?


I'll be in San Antonio in about two weeks... I could bring my AirMagnet just to see what we can see... if you'd like?

jonnyfive
04-13-2005, 11:10 PM
I would like that very much. Dinner and drinks are on me.
Call me when you get an opportunity. 512 507 3678

spiderbite
04-14-2005, 11:34 AM
Cup of coffee is all I need, bro... I'll call you when I get set up.

jonnyfive
04-14-2005, 11:35 PM
Well, you're coming to the right place, it's a coffee house.

It's about an hour and fifteen to San Antonio from Austin. Do you have any other plans here? Drop me a line at jonathan at cobbwebsolutions dot com

flw
04-21-2005, 10:41 PM
Originally posted by rigbyorange:
> Hello,
> After running netstumbler, check what type of hardware the other ssid's are coming from. You can check this here: http://www.coffer.com/mac_find/
> You might also want to try a AP that can broadcast several different ssid's. The initial cost will be higher for the AP, but you could get rid of the high monthly costs of running 2 business class connections.

Having one or more fake APs will accomplish little if Ethereal or another packet sniffer is used. All the traffic will be noticed on one IP network but limited on the others. The only implementation of this that I have seen offer (limited at best) protection was one for Linux called "fakeAP", which is available but no longer updated/supported by the developer. I don't recall the exact number, but it emulated something like 53,000 APs. See details at http://www.blackalchemy.to/project/fakeap/ but it's old....

Note on MAC address lookups: you need to be familiar with address blocks that were bought by one company, but that company was bought out by another. Example is Linksys and Cisco. Unless someone works inside of them, it could belong to either of these two companies. Then there are company names that no longer exist but were bought by another that is now using those blocks. It's fine for a general lookup but not an absolute determination.

If you really would like to try several APs, then buy them used and on the cheap. Then decide if you wish to pursue a more costly approach. I would suggest Linksys only due to the volume of free firmware available for them in general.

Good luck,

spiderbite
04-24-2005, 02:14 PM
To all:

Thanks for the feedback, but it's not an evil twin.

I stopped through Austin last week and paid a visit.

Without putting the man's business in the street, I did an AirMagnet sweep and found some "suspect" users.

One of the main issues is every AP in the area is on Channel 6.

Bandwidth utilization is heavy and spikes to half the pipe quite a bit.

He's going to change that, and I am going to try and donate some Cisco APs if I can find some. Gotta be a 350 collecting dust somewhere.

Most of the issue pertains to DHCP, and since I don't know how to fix it, I'm not going to discuss it. But my house works and maybe we can copy that.

By the way, if you're ever in Austin (such a cool town) look this cat up... real good people...

jonnyfive
04-24-2005, 09:05 PM
Thanks to all of you for the input. Spiderbite, thanks a million for popping by to check it out. Quite a situation I have, isn't it. It's just weird...

I've since put up two AirPort Extremes with the interference robustness feature, and they serve as the only connection to the internet. The roaming situation is handled by the AirPorts, so that problem might be alleviated, and the signal strength is adjustable (and weak at its highest setting).

Keep in touch and let me know what you find out about those AP's.
Next time you're in town, give me a call.


~J

gallwapa
04-25-2005, 05:50 PM
DHCP issue?

I'm decently familiar with DHCP... what are the symptoms / environment?