Evil twin (wireless networks)

From Wikipedia, the free encyclopedia

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.[1]

An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.

This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.[2]


The attacker uses a bogus wireless access point, purporting to provide wireless Internet services, but snooping on the traffic. When the users log into unprotected (non-HTTPS) bank or e-mail accounts, the attacker has access to the entire transaction, since it is sent through their equipment.

Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred.

Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to its evil twin, which sends a stronger signal in proximity to the wireless client.

Rogue access points are easy to set up, for example using a laptop with a wireless card that acts as an access point (known as "host-ap"), but are hard to trace since they can suddenly be shut off. An attacker can create a wireless network that appears legitimate simply by giving the access point an SSID similar to that of the Wi-Fi network on the premises. The rogue access point can be configured to pass the traffic through to the legitimate access point while monitoring the victim's traffic, or it can simply say the system is temporarily unavailable after obtaining a username and password.[3]


Virtual private networks or end-to-end encryption (such as TLS/SSL/HTTPS) may be used to protect passwords, e-mail and other sensitive information.[citation needed]

Most existing evil twin detection solutions can be classified into two categories. Approaches of the first kind monitor radio frequency (RF) airwaves and/or additional information gathered at routers and switches, and then compare the results with a known authorized list. Approaches of the second kind monitor traffic at the wired side (at a traffic aggregation point such as a gateway) and determine whether a machine uses a wired or wireless connection. This information is then compared with an authorization list to detect whether the associated AP is a rogue one. These approaches are limited because they all require knowledge of an authorization list of APs and/or users/hosts.[citation needed]
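The first category of detection (comparing RF observations with an authorized list) can be illustrated with the following added example, which is not taken from the cited sources. The SSIDs, BSSIDs, inventory and beacon records are all constructed, and the sketch goes slightly beyond the text by also flagging similar-looking SSIDs and known BSSIDs that advertise unexpected settings.

```python
from dataclasses import dataclass
import unicodedata

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str     # MAC address advertised by the access point
    channel: int
    security: str  # e.g. "Open", "WPA2-Enterprise"

# Constructed authorized list: SSID -> {BSSID: (channel, security)}
AUTHORIZED = {
    "CorpWiFi": {
        "02:00:00:aa:bb:01": (1, "WPA2-Enterprise"),
        "02:00:00:aa:bb:02": (11, "WPA2-Enterprise"),
    },
}

_CONFUSABLE = str.maketrans("01", "ol")  # digits often swapped for letters

def fold(ssid: str) -> str:
    """Reduce an SSID to a comparison key so near-copies collide."""
    s = unicodedata.normalize("NFKC", ssid).casefold().translate(_CONFUSABLE)
    return "".join(ch for ch in s if ch.isalnum())

def classify(b: Beacon) -> str:
    aps = AUTHORIZED.get(b.ssid)
    if aps is not None:
        expected = aps.get(b.bssid.lower())
        if expected is None:
            return "rogue"        # our SSID from a BSSID we do not own
        if expected != (b.channel, b.security):
            return "suspect"      # known BSSID, wrong settings: possible spoof
        return "authorized"
    if fold(b.ssid) in {fold(s) for s in AUTHORIZED}:
        return "suspect"          # similar-looking SSID
    return "unlisted"             # no list entry, so no verdict is possible

# Constructed observations, as a monitoring sensor might report them.
SAMPLE = [
    Beacon("CorpWiFi", "02:00:00:AA:BB:01", 1, "WPA2-Enterprise"),
    Beacon("CorpWiFi", "02:00:00:cc:dd:09", 6, "Open"),
    Beacon("CorpWiFi", "02:00:00:aa:bb:02", 11, "Open"),
    Beacon("C0rp-WiFi", "02:00:00:cc:dd:0a", 6, "Open"),
    Beacon("CoffeeShop", "02:00:00:ee:ff:10", 3, "WPA2-Personal"),
]

def scan(beacons):
    return [(b.ssid, b.bssid.lower(), classify(b)) for b in beacons]

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(*row, sep="\t")
```

The final "unlisted" result shows the limitation noted above: a network that does not appear on the authorized list cannot be judged either way.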



  1. ^ Smith, Andrew D. (9 May 2007). "Strange Wi-Fi spots may harbor hackers: ID thieves may lurk behind a hot spot with a friendly name". The Dallas Morning News (Washington, DC: Knight Ridder Tribune Business News). p. 1. Retrieved 6 June 2007.
  2. ^ Wolfe, Daniel; "Security Watch", American Banker, New York, NY: February 14, 2007, vol. 172, no. 31, p. 7 (A security firm used an evil twin as a test to obtain passwords from attendees at an RSA security conference) (Source type: Newspaper; ISSN: 00027561; ProQuest document ID: 1219496681). Retrieved June 6, 2007.
  3. ^ Crossman, Craig (24 August 2005). "Computer Column". Washington, DC: Knight Ridder Tribune Business News.
  • Kirk, Jeremy; "'Evil Twin' Hotspots Proliferate", IDG News Service, April 25, 2007
