WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection
D. Mónica, C. Ribeiro
INESC-ID / IST, Lisbon, Portugal
TRANSCRIPT
The Evil Twin Attack
A malicious AP is configured to mimic a legitimate AP, so that victims associate to it and the attacker can eavesdrop on all of their wireless traffic.
Existing Techniques
Detection by the network
- Manual administrator detection (Netstumbler)
- AirDefense
- Wavelink
- RIPPS
- Yin et al. 2007
- …

Problems with existing solutions
Detection by the network:
- Complete coverage is required
- They may flag a normal AP (e.g. from a nearby coffee shop)
- They do not work for rogue APs with authentication
- They may access unauthorised networks
- They are ineffective in detecting short-lived attacks
Existing Techniques
Client-side detection: ETSniffer
- Uses timing measurements to distinguish a one-hop from a multi-hop path
- One hop: OK
- Multi-hop: Evil

WiFiHop
- Does not use timing measurements
- Based on the behavior of the legitimate AP
- No AP authorization list is necessary
- The user may test the network before using it
- No modification to the host network (cost-effective)
Objectives
Provide a convenient and usable technique to detect Evil Twin Attacks, ensuring:
- User-sided operation
- Operation not detectable by the attacker
- Capable of operation in encrypted networks
- Non-disruptive operation
WiFiHop
Approach
- Detect whether there is more than one wireless hop between the user's computer and its connection to the Internet
- Assumes that the rogue AP relays traffic to the Internet through the original, legitimate AP
Solution Overview
(animated figure built up over four slides; the final frame is labelled "Too late !!!")
WiFiHop
- Open WiFiHop
- Covert WiFiHop

Covert WiFiHop
- The link between the malicious AP and the legitimate AP is encrypted (figure: that link is marked "Encrypted")
- We cannot access the payloads of the exchanged packets
Covert WiFiHop
- We modify our scheme so that it does not require payloads
- Instead, we detect packets with certain lengths: WEP/WPA produce deterministic, predictable packet lengths
- We create a watermark using a sequence of packets with pre-determined lengths
Covert WiFiHop
Analysis of the probability of random generation of the watermark
- We looked at the SIGCOMM trace (a 4-day sequence of packets)
- Obtained the least observed packet length for different analysis periods
- Measured the correlation between successive lengths
- Measured the number of extraneous packets inserted amongst the watermark sequence packets
(figures: "Least observed packet length", "Repeated packet lengths", "Interleaved packets")
Covert WiFiHop
- The watermark is a sequence of packets with different lengths
- Detection is a k-state finite state machine that progresses whenever a packet with the proper length is detected
- Extraneous packets are ignored (the machine state never regresses)
- E.g. a watermark of length 3, with packets of sizes a, b and c, completes when those lengths are detected in that relative order
- Because of packet loss and reordering, both the client and the server repeat the requests several times
Testing network
Profile   DL Rate (Mbps)   UL Rate (Mbps)
Low       2                1
Medium    8                5
High      16               12
Automatic Configuration
- WiFiHop is able to estimate the parameters necessary for operation
- The packet lengths for the watermark can be estimated by sampling the current network traffic for around 6 seconds
- Both the clients and the echo server conservatively operate assuming the highest network load, although in low-traffic scenarios fewer repetitions could mean faster detection
- The echo server delays the transmission of the watermark by 1 second
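The following is an added illustration of the covert watermark mechanism described in the preceding slides (the length-based watermark, the k-state detector that never regresses, and the choice of watermark lengths from a short traffic sample). It is not the authors' code. Frame records, BSSIDs and the traffic sample are constructed for the example; the client's channel hopping, the echo server's 1-second delay and the request repetitions are not modelled, and lengths are compared in the same domain in which they were sampled (on-air frame sizes seen in monitor mode), relying on the slides' point that the WEP/WPA overhead is a fixed, predictable offset.

```python
"""Covert WiFiHop style watermark detection over frame lengths (added example)."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence, Tuple


def choose_watermark_lengths(sampled_lengths: Iterable[int], k: int) -> List[int]:
    """Pick the k least frequently observed frame lengths from a traffic sample.

    The slides estimate these from ~6 s of live traffic; rare lengths make an
    accidental match by background traffic unlikely. Ties are broken by length
    so the choice is deterministic.
    """
    counts = Counter(sampled_lengths)
    ranked = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    if len(ranked) < k:
        raise ValueError("sample has fewer than k distinct lengths")
    return [length for length, _ in ranked[:k]]


class WatermarkDetector:
    """k-state finite state machine over observed frame lengths.

    State i means the first i watermark lengths have been seen in order.
    Frames of any other length are counted as extraneous and ignored; the
    state never regresses, so interleaved traffic cannot reset a partial match.
    """

    def __init__(self, watermark: Sequence[int]):
        self.watermark = list(watermark)
        self.state = 0
        self.extraneous = 0  # frames skipped while a match was in progress

    def feed(self, length: int) -> bool:
        """Consume one frame length; return True once the whole watermark matched."""
        if self.state == len(self.watermark):
            return True
        if length == self.watermark[self.state]:
            self.state += 1
        elif self.state > 0:
            self.extraneous += 1
        return self.state == len(self.watermark)


def find_watermark(lengths: Iterable[int], watermark: Sequence[int]) -> Optional[int]:
    """Index of the frame that completes the watermark, or None if it never completes."""
    fsm = WatermarkDetector(watermark)
    for i, length in enumerate(lengths):
        if fsm.feed(length):
            return i
    return None


# A frame as seen in monitor mode: (channel, BSSID, frame length in bytes). Constructed model.
Frame = Tuple[int, str, int]


def find_relay_hops(frames: Iterable[Frame], own_channel: int, own_bssid: str,
                    watermark: Sequence[int]) -> List[Tuple[int, str]]:
    """Return every (channel, BSSID) other than the client's own link on which the
    watermark length sequence was observed. A non-empty result means the watermark
    travelled a second wireless hop, i.e. the AP we are associated to is relaying
    through another AP, the multi-hop setting the slides treat as an Evil Twin.
    """
    fsms: Dict[Tuple[int, str], WatermarkDetector] = {}
    hits: List[Tuple[int, str]] = []
    for channel, bssid, length in frames:
        link = (channel, bssid)
        if link == (own_channel, own_bssid):
            continue  # our own transmissions are expected on our own link
        fsm = fsms.setdefault(link, WatermarkDetector(watermark))
        if fsm.feed(length) and link not in hits:
            hits.append(link)
    return hits


# Constructed traffic sample (frame lengths only), standing in for ~6 s of sniffing.
SAMPLE_LENGTHS = ([1500] * 40 + [54] * 30 + [66] * 20 + [590] * 6
                  + [1024] * 5 + [128] * 3 + [333] * 2 + [777])
WATERMARK = choose_watermark_lengths(SAMPLE_LENGTHS, 3)  # three rarest lengths

# Constructed monitor-mode capture: the client is on channel 6 with the suspect AP
# (aa:...), which relays to a second AP (bb:...) on channel 11. Unrelated frames
# are interleaved with the watermark and one watermark frame is retransmitted.
OWN_CHANNEL, OWN_BSSID = 6, "aa:aa:aa:aa:aa:aa"
CAPTURE: List[Frame] = [
    (6, "aa:aa:aa:aa:aa:aa", 777), (6, "aa:aa:aa:aa:aa:aa", 333), (6, "aa:aa:aa:aa:aa:aa", 128),
    (11, "bb:bb:bb:bb:bb:bb", 1500), (11, "bb:bb:bb:bb:bb:bb", 777), (11, "bb:bb:bb:bb:bb:bb", 54),
    (11, "bb:bb:bb:bb:bb:bb", 777),  # retransmission: ignored, the FSM does not regress
    (11, "bb:bb:bb:bb:bb:bb", 333), (11, "cc:cc:cc:cc:cc:cc", 66),
    (11, "bb:bb:bb:bb:bb:bb", 1500), (11, "bb:bb:bb:bb:bb:bb", 128),
]

if __name__ == "__main__":
    print("watermark lengths:", WATERMARK)
    print("background sample triggers detector:", find_watermark(SAMPLE_LENGTHS, WATERMARK) is not None)
    print("links relaying the watermark:", find_relay_hops(CAPTURE, OWN_CHANNEL, OWN_BSSID, WATERMARK))
```

Running the detector over the same background sample the lengths were chosen from is the cheap sanity check that the chosen watermark is not already present in ordinary traffic; the slides' SIGCOMM-trace analysis is the rigorous version of that check.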
Effectiveness of WiFiHop
- Neither Open nor Covert WiFiHop exhibited false positives (1000 runs for each load scenario)
- For the medium and low traffic scenarios there were also no false negatives
- For the high traffic scenario some false negatives occurred, consistent with the parameterization
- Each test took ~30 seconds to test all the channels

Profile   WiFiHop   Attacks detected
Low       Open      100%
Low       Covert    100%
Medium    Open      100%
Medium    Covert    100%
High      Open      98.44%
High      Covert    98.05%
Summary
Final Remarks
- User-sided detection of the evil twin attack is viable
- It can be done in useful time (under 1 minute)
- WiFiHop can operate on open and encrypted networks (WEP/WPA and some VPNs)
- It avoids the problems of server-side detection: needing enough sniffers to ensure complete network coverage, a high false positive rate, and no real-time detection/mitigation
- WiFiHop can be run on off-the-shelf equipment
- Users do not need to trust the network
Thank You