'Evil Twin' WiFi Scare Stories Make A Comeback

from the missing-the-point dept

A few years ago, when stories hyping up the security risks of WiFi were commonplace, articles about "evil twin" access points were a favorite. "Evil twins" were access points given SSIDs that made them appear legitimate, only they were controlled by a malicious actor rather than a real hotspot provider. The FUD was then that these malicious actors could steal anything that went across the access point -- even though most sensitive information is transmitted with encryption, a point the articles never bothered to mention. It looks like the evil twin -- or at least hype about it -- is making a comeback, as the head of a trade group of IT security professionals says such attacks are on the rise. He says it's due to the growth in the use of WiFi, but doesn't offer up any real evidence that the attacks are a problem, just saying that they present a risk for people's passwords that are sent as clear text, skipping over the fact that any service provider worth their salt doesn't send passwords in the clear if they're protecting any sort of sensitive information. Instead of harping on about a largely mythical "problem" with WiFi, wouldn't this guy's energy be better spent drawing service providers' attention to the need to encrypt passwords, thereby cutting out the supposed problem?


Reader Comments

  1. Charlie, Apr 25th, 2007 @ 2:08pm

    Encryption should help

    So Techdirt has added the part of event with encryption themselves?

    Any well-designed encryption scheme will authenticate both ends and protect against a man-in-the-middle attack, so I am not sure I buy that part. Maybe with stupid users clicking OK on certificate warnings, but I would hope that they wouldn't do that before divulging very sensitive data.

     

  2. squik, Apr 25th, 2007 @ 2:32pm

    passwords are only part of the story

    Of course, encryption helps. But, face it, most web-based systems protect login and then send information in the clear. Encrypting passwords is only half the problem. Do you feel any better that your password is protected for your web-access email, but all your mail is sent in cleartext? Maybe a little better, but you shouldn't feel comfortable.

     

  3. Sea Man, Apr 25th, 2007 @ 2:44pm

    Protect Yourselves

    Data thieves don't hijack people's data.

    Data thieves hijack stupid people's data.

    Protect yourselves; don't rely on others to do so. Especially since protecting yourself is reeeaally easy if you take the time to do it.

     

  4. Apennismightier, Apr 25th, 2007 @ 2:44pm

    What, are you two working for the CIA? No one cares about your WoW passwords or what your BigButtBabes.com password is... well, never mind, I take that one back... but in any case you get my point. Most people who send sensitive info are on a protected network as it is and anything sent wirelessly that's worth a damn is encrypted.

     

  5. Wyatt, Apr 25th, 2007 @ 2:48pm

    neh

    Who cares about email being in clear text.. Unless you’re sending sensitive info via email, it should not matter. I know I would NEVER send anything of any importance via email. It’s an open system. It’s hard to see many uses for this type of attack. There is very little someone can do to gather information while simply browsing through their gateway. Almost everything that is sensitive is encrypted before it’s sent.

    I think this is a way for the phone companies to get people worried about using free Wi-Fi. They are some sneaky and immoral bastards (Take Verizon for instance)...

     

  6. Anonymous Coward, Apr 25th, 2007 @ 2:53pm

    Kind of an ironic post considering a few days ago we saw one about Time Warner allowing users to broadcast their networks as hotspots. Interesting.......

     

  7. Anonymous Coward, Apr 25th, 2007 @ 3:22pm

    > as the head of a trade group of IT security professionals

    > just saying that they present a risk for people's
    > passwords that are sent as clear text

    The FUD he is spewing is laughable, but it's pretty scary that this person
    is in the 'security' industry. I wonder if this just goes to show that
    anyone can call themself a 'security professional'; after all, there
    are no credentials or experience required.

     

  8. Casper, Apr 25th, 2007 @ 3:31pm

    Re: passwords are only part of the story

    While the email analogy is somewhat true, it doesn't really equate to wifi points. A wifi point requires the key to connect, but then encrypts the traffic between those connected so that eavesdropping becomes virtually impossible (if they are set up correctly).

    The technology is not the weak point in the equation, the stupid users who pick the wrong access point are... although the people whose point they are attempting to connect with should be checking for such issues or at the very least have a very specific name that people will be able to distinguish from illegitimate points.

     

  9. ether, Apr 25th, 2007 @ 3:46pm

    select infrastructure only

    While evil-twin access points may largely be urban legend, it still seems like a good idea to set the default connect for infrastructure only. Easy to set up in Windows XP.

     

  10. Missing, Apr 25th, 2007 @ 3:55pm

    infrastructure

    It's also pretty easy to sit in an apartment building across from the Starbucks with a dup SSID and pick up the idiots who do not know better - directional antenna optional.

     

  11. Kevin McKenzie, Apr 25th, 2007 @ 3:58pm

    free security

    JiWire has a free security client that helps users avoid the "evil-twin" scare. http://www.jiwire.com/hotspot-helper.htm

     

  12. Anonymous Coward, Apr 25th, 2007 @ 3:58pm

    I would bet that a large number of people (at least non-tech people) would click on a cert popup without paying it much attention if they think they are at the correct website. Also, if the man in the middle is using a cert from a trusted authority then there's not even a popup for most people.

    I know quite a few people who use neighbors' wifi points because they don't have to pay for internet that way. Also, I still see quite a few networks that are security free, and those are subject to ARP poisoning attacks which would provide the same access as an "evil-twin" access point.

     

  13. Matthew Dippel, Apr 25th, 2007 @ 4:51pm

    I'm sure it's not common enough to warrant the scare coverage, but here's a scenario that is regularly ignored when the assumption is that "all sensitive data is generally sent encrypted".

    Most folks have a POP3 e-mail account that does not require (or even allow) encryption to login. And most people fail to realize that an identity is generally as secure as that user's e-mail account.

    Process to rip off a user via an "Evil Twin" (or by simply monitoring an unencrypted or weakly encrypted wireless network):
    1) Harvest POP3 authentication, use a script to analyse a packet dump to correlate user ID, password and account name.
    2) Monitor the POP3 account for e-mail from sites of interest (retailers, banks, credit card companies)
    3) Visit said site, attempt to login with password used for e-mail account. If that fails, click the "Forgot my Password" link. Chances are good the password will be sent to the compromised e-mail account without asking a "validation" question (and even that could probably be guessed).

    I don't have a problem with an occasional scare story. I like it when my mother calls and asks questions now that someone in "the news" told her what I've been telling her for years.
    For technical and security minded people these stories are an overreaction. I don't use the same password on more than one site. I don't use e-mail services that require "in-the-clear" login. And when I'm working on an open AP, I use an SSH tunnel to my home PC as added protection (I'd rather the guy on the other side of Panera with the Kismet screen up not read my Instant Messages)

    While you're generally right, most sensitive data is sent encrypted, *some* isn't, and for many users it only takes one unencrypted authentication to give up their "universal password". And that e-mail client that's checking for new messages every 5 minutes creates traffic that is an easy target.
    I can't tell you of a single person outside of my line of work that has more than three different passwords, knows that their home wireless AP is "wide open" or is even concerned that someone could be collecting their traffic while they're working at a coffee shop.

     

  14. Anonymous Coward, Apr 25th, 2007 @ 5:05pm

    Re: neh

    Those "click here to reset your password" links are sent via e-mail and oftentimes require no more authentication than the unique reset URL. This type of e-mail is read over public wifi, it's just a matter of the frequency.

     

  15. Kyros, Apr 25th, 2007 @ 6:37pm

    It's a scare story, yes, but a lot of credit card fraud does happen pre-SSL. You get a guy that sits there with his laptop in the cafe, sits around with Ethereal or packet capture program of your choice, waits for someone to hit up say paypal.com, then starts ARP poisoning, fakes DNS and issues a false SSL certificate. It's not hard, and the tools come as a precompiled package on Linux available through rpm.
    Is it a problem? Yeah - don't manage your banking from Starbucks, but, not that big of an issue. It'd be better to tell people common sense things than to have weird security freakouts, but, security experts always have and will have the need to feel technical.

     

  16. Anonymous Coward, Apr 25th, 2007 @ 7:06pm

    Re: passwords are only part of the story

    I think squik has read the same article I saw only a few days ago, and I'm surprised at Mike's post: I've read some marginally hare-brained knee-jerkity stuff written by Mike, but this is borderline irresponsible.

    With stories posted like this one, my mom's gonna be wanting wireless now. Like Mike talk her down this time.

     

  17. |333173|3|_||3, Apr 27th, 2007 @ 5:01am

    It is somewhat excessive to use a different password for every site; rather, all that is necessary is to have a password for each thing you care about, and a few passwords for things that you don't give a damn about if they get hacked (Wikipedia accounts, the tenth Gmail account, that sort of thing).

     

  18. Joel D, May 15th, 2007 @ 2:21pm

    They Ask For Billing Info Via SSL

    I've heard of (but not observed) WiFi captive portals which advertise hourly internet access at a reasonable price. The user enters their data via SSL (including Credit Card # and Billing info) and voilà, they are scammed! Encryption only makes sense if you know the endpoint you're communicating with.

     
