'Evil Twin' WiFi Scare Stories Make A Comeback

from the missing-the-point dept

A few years ago, when stories hyping the security risks of WiFi were commonplace, articles about “evil twin” access points were a favorite. An “evil twin” is an access point given an SSID that makes it look legitimate, but which is controlled by a malicious actor rather than the real hotspot provider. The FUD was that these actors could steal anything that went across the access point, even though most sensitive information is transmitted with encryption, a point the articles never bothered to mention.

It looks like the evil twin, or at least the hype about it, is making a comeback: the head of a trade group of IT security professionals says such attacks are on the rise. He attributes this to the growth in WiFi use, but offers no real evidence that the attacks are a problem, saying only that they present a risk to people’s passwords that are sent as clear text. That skips over the fact that any service provider worth its salt doesn’t send passwords in the clear if it’s protecting any sort of sensitive information. Instead of harping on about a largely mythical “problem” with WiFi, wouldn’t this guy’s energy be better spent drawing service providers’ attention to the need to encrypt passwords, thereby cutting out the supposed problem?


Comments on “'Evil Twin' WiFi Scare Stories Make A Comeback”

Charlie says:

Encryption should help

So Techdirt has added the part of event with encryption themselves?

Any well-designed encryption scheme will authenticate both ends and protect against a man-in-the-middle attack, so I am not sure I buy that part. Maybe with stupid users clicking OK on certificate warnings, but I would hope that they wouldn’t do that before divulging very sensitive data.

squik says:

passwords are only part of the story

Of course, encryption helps. But, face it, most web-based systems protect login and then send information in the clear. Encrypting passwords is only half the problem. Do you feel any better that your password is protected for your web-access email, but all your mail is sent in cleartext? Maybe a little better, but you shouldn’t feel comfortable.

Casper says:

Re: passwords are only part of the story

While the email analogy is somewhat true, it doesn’t really equate to wifi points. A wifi point requires the key to connect, but then encrypts the traffic between those connected so that eavesdropping becomes virtually impossible (if they are set up correctly).

The technology is not the weak point in the equation; the stupid users who pick the wrong access point are… although the people whose point they are attempting to connect with should be checking for such issues, or at the very least have a very specific name that people will be able to distinguish from illegitimate points.

Anonymous Coward says:

Re: passwords are only part of the story

I think squik has read the same article I saw only a few days ago, and I’m surprised at Mike’s post: I’ve read some marginally hare-brained knee-jerkity stuff written by Mike, but this is borderline irresponsible.

With stories posted like this one, my mom’s gonna be wanting wireless now. Like Mike talk her down this time.

Apennismightier says:

What, are you two working for the CIA? No one cares about your WoW passwords or what your BigButtBabes.com password is… well, never mind, I take that one back… but in any case you get my point. Most people who send sensitive info are on a protected network as it is, and anything sent wirelessly that’s worth a damn is encrypted.

Wyatt says:


Who cares about email being in clear text.. Unless you’re sending sensitive info via email, it should not matter. I know I would NEVER send anything of any importance via email. It’s an open system. It’s hard to see many uses for this type of attack. There is very little someone can do to gather information while simply browsing through their gateway. Almost everything that is sensitive is encrypted before it’s sent.

I think this is a way for the phone companies to get people worried about using free Wi-Fi. They are some sneaky and immoral bastards (Take Verizon for instance)…

Anonymous Coward says:

> as the head of a trade group of IT security professionals

> just saying that they present a risk for people’s
> passwords that are sent as clear text

The FUD he is spewing is laughable, but it’s pretty scary that this person is in the ‘security’ industry. I wonder if this just goes to show that anyone can call themself a ‘security professional’; after all, there are no credentials or experience required.

Anonymous Coward says:

I would bet that a large number of people (at least non-tech people) would click on a cert popup without paying it much attention if they think they are at the correct website. Also, if the man in the middle is using a cert from a trusted authority then there’s not even a popup for most people.

I know quite a few people who use neighbors’ wifi points because they don’t have to pay for internet that way. Also, I still see quite a few networks that are security-free, and those are subject to ARP poisoning attacks which would provide the same access as an “evil-twin” access point.

Matthew Dippel says:

I’m sure it’s not common enough to warrant the scare coverage, but here’s a scenario that is regularly ignored when the assumption is that “all sensitive data is generally sent encrypted”.

Most folks have a POP3 e-mail account that does not require (or even allow) encryption to login. And most people fail to realize that an identity is generally as secure as that user’s e-mail account.

Process to rip off a user via an “Evil Twin” (or by simply monitoring an unencrypted or weakly encrypted wireless network):
1) Harvest POP3 authentication, use a script to analyse a packet dump to correlate user ID, password and account name.
2) Monitor the POP3 account for e-mail from sites of interest (retailers, banks, credit card companies)
3) Visit said site, attempt to login with password used for e-mail account. If that fails, click the “Forgot my Password” link. Chances are good the password will be sent to the compromised e-mail account without asking a “validation” question (and even that could probably be guessed).

I don’t have a problem with an occasional scare story. I like it when my mother calls and asks questions now that someone in “the news” told her what I’ve been telling her for years.
For technical and security minded people these stories are an overreaction. I don’t use the same password on more than one site. I don’t use e-mail services that require “in-the-clear” login. And when I’m working on an open AP, I use an SSH tunnel to my home PC as added protection (I’d rather the guy on the other side of Panera with the Kismet screen up not read my Instant Messages).

While you’re generally right, most sensitive data is sent encrypted, *some* isn’t, and for many users it only takes one unencrypted authentication to give up their “universal password”. And that e-mail client that’s checking for new messages every 5 minutes creates traffic that is an easy target.
I can’t tell you of a single person outside of my line of work that has more than three different passwords, knows that their home wireless AP is “wide open” or is even concerned that someone could be collecting their traffic while they’re working at a coffee shop.
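Step 1 of the process in the comment above (harvesting POP3 logins out of a packet dump), worked through as an added example that is not part of the comment or of the original page. It runs over a constructed, followed-stream dump rather than real traffic; the hosts, ports and credentials in it are made up. It goes slightly beyond the comment: it decodes AUTH PLAIN as well as USER/PASS, records whether each login succeeded or failed from the server's reply, and stops reading a stream once STLS has upgraded it to TLS, which is the same fix the comment recommends (a mail service that does not log in “in the clear”).

```python
"""Spot cleartext POP3 logins in a followed-stream dump (added example, not from the page)."""
import base64
from dataclasses import dataclass

# Constructed sample, not real traffic.  Each entry is (stream, direction, line), the shape a
# capture tool's "follow TCP stream" output reduces to for a port-110 session.  Direction "C"
# is client->server, "S" is server->client.  Hosts, ports and credentials are made up.
_CAROL_PLAIN = base64.b64encode(b"\0carol\0s3cret").decode()   # SASL PLAIN initial response
SAMPLE_DUMP = [
    # stream 1: classic USER/PASS, accepted by the server
    ("10.0.0.5:49152->203.0.113.10:110", "S", "+OK POP3 server ready"),
    ("10.0.0.5:49152->203.0.113.10:110", "C", "USER alice@example.net"),
    ("10.0.0.5:49152->203.0.113.10:110", "S", "+OK"),
    ("10.0.0.5:49152->203.0.113.10:110", "C", "PASS hunter2"),
    ("10.0.0.5:49152->203.0.113.10:110", "S", "+OK Logged in."),
    ("10.0.0.5:49152->203.0.113.10:110", "C", "STAT"),
    # stream 2: USER/PASS rejected (still readable, and still worth reporting)
    ("10.0.0.7:51000->203.0.113.10:110", "S", "+OK POP3 server ready"),
    ("10.0.0.7:51000->203.0.113.10:110", "C", "USER bob"),
    ("10.0.0.7:51000->203.0.113.10:110", "S", "+OK"),
    ("10.0.0.7:51000->203.0.113.10:110", "C", "PASS wrongpass"),
    ("10.0.0.7:51000->203.0.113.10:110", "S", "-ERR [AUTH] Authentication failed."),
    # stream 3: the client upgraded to TLS first, so the login itself is opaque
    ("10.0.0.9:51200->203.0.113.10:110", "S", "+OK POP3 server ready"),
    ("10.0.0.9:51200->203.0.113.10:110", "C", "STLS"),
    ("10.0.0.9:51200->203.0.113.10:110", "S", "+OK Begin TLS negotiation"),
    ("10.0.0.9:51200->203.0.113.10:110", "C", "<tls record, opaque>"),
    # stream 4: AUTH PLAIN with the credentials base64-encoded, which is not encryption
    ("10.0.0.11:51300->203.0.113.10:110", "S", "+OK POP3 server ready"),
    ("10.0.0.11:51300->203.0.113.10:110", "C", "AUTH PLAIN " + _CAROL_PLAIN),
    ("10.0.0.11:51300->203.0.113.10:110", "S", "+OK Logged in."),
]


@dataclass
class Login:
    stream: str
    user: str
    password: str
    mechanism: str   # "USER/PASS" or "AUTH PLAIN"
    status: str      # "pending", then "success" or "failed" from the server's reply


def decode_sasl_plain(b64):
    """Return (user, password) from a SASL PLAIN initial response, or None if malformed."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(parts) != 3:         # RFC 4616 layout: authzid \0 authcid \0 password
        return None
    return parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def find_cleartext_logins(dump):
    """Walk the dump stream by stream and return every credential that crossed the wire readable."""
    logins = []
    state = {}   # per-stream parser state
    for stream, direction, line in dump:
        st = state.setdefault(stream, {"user": None, "awaiting": None, "stls": False, "tls": False})
        if st["tls"]:
            continue            # STLS succeeded earlier: everything from here on is ciphertext
        if direction == "C":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                st["user"] = arg
            elif cmd == "PASS" and st["user"] is not None:
                st["awaiting"] = Login(stream, st["user"], arg, "USER/PASS", "pending")
                logins.append(st["awaiting"])
            elif cmd == "AUTH":
                mech, _, payload = arg.partition(" ")
                creds = decode_sasl_plain(payload) if mech.upper() == "PLAIN" and payload else None
                if creds:
                    st["awaiting"] = Login(stream, creds[0], creds[1], "AUTH PLAIN", "pending")
                    logins.append(st["awaiting"])
            elif cmd == "STLS":
                st["stls"] = True
        else:
            if st["stls"]:      # the reply to STLS decides whether the stream goes dark
                st["stls"] = False
                st["tls"] = line.startswith("+OK")
            elif st["awaiting"] is not None:
                if line.startswith("+OK"):
                    st["awaiting"].status = "success"
                elif line.startswith("-ERR"):
                    st["awaiting"].status = "failed"
                st["awaiting"] = None
    return logins


def report(logins):
    """One line per harvested login, the shape a monitoring script would emit."""
    return [f"{lg.stream} {lg.mechanism} user={lg.user!r} status={lg.status}" for lg in logins]


if __name__ == "__main__":
    for row in report(find_cleartext_logins(SAMPLE_DUMP)):
        print(row)
```

Anything this reports is a credential that an evil twin, or simply anyone else on the same open network, could have read with the same packet capture; the STLS stream producing nothing is the point of the comment's own advice to avoid in-the-clear mail login.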

Kyros (profile) says:

It’s a scare story, yes, but a lot of credit card fraud does happen pre-SSL. You get a guy that sits there with his laptop in the cafe, sits around with Ethereal or the packet capture program of your choice, waits for someone to hit up, say, paypal.com, then starts ARP poisoning, fakes DNS and issues a false SSL certificate. It’s not hard, and the tools come as a precompiled package on Linux available through rpm.
Is it a problem? Yeah – don’t manage your banking from Starbucks, but, not that big of an issue. It’d be better to tell people common sense things than to have weird security freakouts, but security experts always have and will have the need to feel technical.

Joel D says:

They Ask For Billing Info Via SSL

I’ve heard of (but not observed) WiFi captive portals which advertise hourly internet access at a reasonable price. The user enters their data via SSL (including credit card # and billing info) and voila, they are scammed! Encryption only makes sense if you know the endpoint you’re communicating with.
