'Evil Twin' WiFi Scare Stories Make A Comeback

from the missing-the-point dept

Wed, Apr 25th 2007 1:58pm — Carlo Longino

A few years ago, when stories hyping up the security risks of WiFi were commonplace, articles about "evil twin" access points were a favorite. "Evil twins" were access points given SSIDs that made them appear legitimate, only they were controlled by a malicious actor rather than a real hotspot provider. The FUD was then that these malicious actors could steal anything that went across the access point -- even though most sensitive information is transmitted with encryption, a point the articles never bothered to mention. It looks like the evil twin -- or at least hype about it -- is making a comeback, as the head of a trade group of IT security professionals says such attacks are on the rise. He says it's due to the growth in the use of WiFi, but doesn't offer up any real evidence that the attacks are a problem, just saying that they present a risk for people's passwords that are sent as clear text, skipping over the fact that any service provider worth their salt doesn't send passwords in the clear if they're protecting any sort of sensitive information. Instead of harping on about a largely mythical "problem" with WiFi, wouldn't this guy's energy be better spent drawing service providers' attention to the need to encrypt passwords, thereby cutting out the supposed problem?

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

18 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Charlie, 25 Apr 2007 @ 2:08pm

Encryption should help
So Techdirt has added the part of event with encryption themselves?

Any well designed encryption scheme will authenticate both ends and protect against a man in the middle attack, so i am not sure I buy that part. Maybe with stupid users clicking ok certificate warnings, but I would hope that they wouldn't do that before divulging very sensitive data.
[ link to this | view in chronology ]
squik, 25 Apr 2007 @ 2:32pm

passwords are only part of the story
Of course, encryption helps. But, face it, most web-based systems protect login and then send information in the clear. Encrypting passwords is only half the problem. Do you feel any better than your password is protected for your web-access email, but all your mail is sent in cleartext? Maybe a little better, but you shouldn't feel comfortable.
[ link to this | view in chronology ]
- Casper, 25 Apr 2007 @ 3:31pm
  
  Re: passwords are only part of the story
  While the email analogy is somewhat true, it doesn't really equate to wifi points. A wifi point requires the key to connect, but then encrypts the traffic between those connected so that eves dropping becomes virtually impossible (if they are setup correctly).
  
  The technology is not the weak point in the equation, the stupid users who pick the wrong access point are... although the people who's point they are attempting to connect with should be checking for such issues or at very least have a very specific name that people will be able to distinguish from illegitimate points.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Apr 2007 @ 7:06pm
  
  Re: passwords are only part of the story
  I think squik has read the same article I saw only a few days ago, and I'm surprised at Mike's post: I've read some marginally hare-brained knee-jerkity stuff written by Mike, but this is borderline irresponsible.
  
  With stories posted like this one, my mom's gonna be wanting wireless now. Like Mike talk her down this time.
  [ link to this | view in chronology ]
Sea Man, 25 Apr 2007 @ 2:44pm

Protect Yourselves
Data thieves don't hijack people's data.
Data thieves hijack stupid people's data.
Protect yourselves; don't rely on others to do so. Especially since protecting yourself is reeeaally easy if you take the time to do it.
[ link to this | view in chronology ]
Apennismightier, 25 Apr 2007 @ 2:44pm

What are you two working for the CIA? No one cares about your WoW passwords or what your BigButtBabes.com password is... well nevermind, i take that one back... but in any case you get my point. Most people who send sensitive info are on a protected network as it is and anything sent wirelessly that's worth a damn is encrypted.
[ link to this | view in chronology ]
Wyatt, 25 Apr 2007 @ 2:48pm

neh
Who cares about email being in clear text.. Unless you’re sending sensitive info via email, it should not matter. I know I would NEVER send anything of any importance via email. It’s an open system. It’s hard to see many uses for this type of attack. There is very little someone can do to gather information while simply browsing through their gateway. Almost everything that is sensitive is encrypted before it’s sent.

I think this is a way for the phone companies to get people worried about using free Wi-Fi. They are some sneaky and immoral bastards (Take Verizon for instance)...
[ link to this | view in chronology ]
- Anonymous Coward, 25 Apr 2007 @ 5:05pm
  
  Re: neh
  those "click here to reset your password" links are sent via e-mail and often times require no more authentication than the unique reset URL. this type of e-mail is read over public wifi, its just a matter of the frequency.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Apr 2007 @ 2:53pm

kind of an ironic post considering a few days ago we saw one about Time Warner allowing users to broadcast there networks as hotspots. interesting.......
[ link to this | view in chronology ]
Anonymous Coward, 25 Apr 2007 @ 3:22pm

> as the head of a trade group of IT security professionals

> just saying that they present a risk for people's
> passwords that are sent as clear text

The FUD he is spewing is laughable, but it's pretty scary that this person
is in the 'security' industry. I wonder if this just goes to show that
anyone can call themself a 'security professional' , after all, there
are no credentials or experience required.
[ link to this | view in chronology ]
ether, 25 Apr 2007 @ 3:46pm

select infrastructure only
While evil-twin access points may largely be urban legend, it still seems like a good idea to set the default connect for infrastructure only. Easy to set up in Windows XP.
[ link to this | view in chronology ]
Missing, 25 Apr 2007 @ 3:55pm

infrastructure
its also pretty easy to sit in an appt building across from the starbucks with a dup ssid and pick up the idiots who do not know better.- directional antenna optional.
[ link to this | view in chronology ]
Kevin McKenzie, 25 Apr 2007 @ 3:58pm

free security
JiWire has a free security client that helps users avoid the "evil-twin" scare. http://www.jiwire.com/hotspot-helper.htm
[ link to this | view in chronology ]
Anonymous Coward, 25 Apr 2007 @ 3:58pm

I would bet that a large number of people (at least non-tech people) would click on a cert popup without paying it much attention if they think they are at the correct website. Also, if the man in the middle is using a cert from a trusted authority then there's not even a popup for most people.

I know quite a few people who use neighbors wifi points because they dont have to pay for internet that way. Also, I still see quite a few network thats are security free, and those are subject to arp poisoning attacks which would provide the same access as an "evil-twin" access point.
[ link to this | view in chronology ]
Matthew Dippel, 25 Apr 2007 @ 4:51pm

I'm sure it's not common enough to warrant the scare coverage, but here's a scenario that is regularly ignored when the assumption is that "all sensitive data is generally sent encrypted".

Most folks have a POP3 e-mail account that does not require (or even allow) encryption to login. And most people fail to realize that an identity is generally as secure as that user's e-mail account.

Process to rip off a user via an "Evil Twin" (or by simply monitoring an unencrypted or weakly encrypted wireless network):
1) Harvest POP3 authentication, use a script to analyse a packet dump to correlate user ID, password and account name.
2) Monitor the POP3 account for e-mail from sites of interest (retailers, banks, credit card companies)
3) Visit said site, attempt to login with password used for e-mail account. If that fails, click the "Forgot my Password" link. Chances are good the password will be sent to the comprimised e-mail account without asking a "validation" question (and even that could probably be guessed).

I don't have a problem with an occasional scare story. I like it when my mother calls and asks questions now that someone in "the news" told her what I've been telling her for years.
For technical and security minded people these stories are an overreaction. I don't use the same password on more than one site. I don't use e-mail services that require "in-the-clear" login. And when I'm working on an open AP, I use an SSH tunnel to my home PC as added protection (I'd rather the guy on the other side of Panera with the Kismet screen up not read my Instant Messages)

While you're generally right, most sensitive data is sent encrypted, *some* isn't, and for many users it only takes one unencrypted authentication to give up their "universal password". And that e-mail client that's checking for new messages every 5 minutes creates traffic that is an easy target.
I can't tell you of a single person outside of my line of work that has more than three different passwords, knows that their home wireless AP is "wide open" or is even concerned that someone could be collecting their traffic while they're working at a coffee shop.
[ link to this | view in chronology ]
Kyros, 25 Apr 2007 @ 6:37pm

It's a scare story, yes, but, alot of credit card fraud does happen pre-ssl. You get a guy that sits there with his laptop in the cafe, sits around with ethereal or packet capture program of your choice, waits for someone to hit up say paypal.com, then starts ARP poisening, fakes DNS and issues a false SSL certificate. It's not hard, and the tools come as a precompiled package on linux available through rpm.
Is it a problem? Yeah - don't manage your banking from starbucks, but, not that big of an issue. It'd be better to tell people common sense things then to have weird security freakouts, but, security experts always have and will have the need to feel technical.
[ link to this | view in chronology ]
|333173|3|_||3, 27 Apr 2007 @ 5:01am

It is somewhat excessive to use a different password for every site, ratehr all that is necessary is to have a password for each thing you care about, and a few passwords for things that you don't give a damn about if they get hacked (Wikipedia accoutns, the tenth gmail accoutn, that sort of thing.)
[ link to this | view in chronology ]
Joel D, 15 May 2007 @ 2:21pm

They Ask For Billing Info Via SSL
I've heard of (but not observed) WiFi captive portals which advertise hourly internet access at a reasonable price. The user enters their data via SSL (including Credit Card # and Billing info) and viola, they are scammed! Encryption only makes sense if you know the endpoint you're communicating with.
[ link to this | view in chronology ]