WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection

Post on 22-Feb-2016



D. Mónica, C. Ribeiro
INESC-ID / IST
Lisbon, Portugal

The Evil Twin Attack


A malicious AP is configured to mimic a legitimate AP, so that victims associate with it and the attacker can eavesdrop on all of their wireless communications.


Existing Techniques

Detection by the network:
Manual administrator detection (Netstumbler)
AirDefense
Wavelink
RIPPS
Yin et al. 2007
…

Problems of existing solutions

Detection by the network:
Complete coverage is required
They may flag a normal AP (e.g. from a nearby coffee shop)
They do not work for rogue APs with authentication
They may access unauthorised networks
They are ineffective in detecting short-time attacks

Existing Techniques

Client-side detection: ETSniffer
Uses timing measurements to distinguish one-hop from multi-hop
One-hop: OK
Multi-hop: Evil


WifiHop:
Does not use timing measurements
Based on the behavior of the legitimate AP
No AP authorization list is necessary
User may test the network before using it
No modification to the host network (cost-effective)

Objectives

Provide a convenient and usable technique to detect Evil Twin Attacks

Ensuring:
User-sided operation
Operation not detectable by the attacker
Capable of operation in encrypted networks
Non-disruptive operation

WiFiHop

Approach

Detect whether there is more than one wireless hop between the user's computer and its connection to the Internet.

Assumes that the rogue AP relays the victim's traffic to the Internet through the original, legitimate AP (i.e. over a second wireless hop), rather than through an uplink of its own.

Solution Overview

(sequence of diagram slides illustrating the scheme; final caption: "Too late !!!")

WiFiHop

Open WiFiHop

Covert WiFiHop

Encrypted link between the malicious and the legitimate AP: we cannot access the payloads of the exchanged packets.


Covert WiFiHop

We modify our scheme so that it does not require payloads. Instead, we detect packets with certain lengths: under WEP/WPA the encrypted frame length is a deterministic, predictable function of the plaintext length.

We create a watermark using a sequence of packets with pre-determined lengths.

Covert WiFiHop

Analysis of the probability of random generation of the watermark

We looked at the SIGCOMM trace (a 4-day sequence of packets) and:
Got the least observed packet length for different analysis periods
Measured the correlations between successive lengths
Measured the amount of extraneous packets inserted amongst the watermark sequence packets

(plots: least observed packet length; repeated packet lengths; interleaved packets)

Covert WiFiHop

The watermark is a sequence of packets with different lengths. Detection is a k-state finite state machine:
Progresses whenever a packet with the proper length is detected
Ignores extraneous packets (the machine state never regresses)
E.g. for a watermark of length 3, with packets of size a, b and c, the machine stops when those lengths are detected in that relative order
Due to packet loss and mis-ordering, both the client and the echo server repeat the requests several times
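The k-state machine described above, as an added example (this is not the authors' code, and the frame lengths it runs on are constructed, not taken from any trace). The detector advances only on the next expected length, ignores every other frame and never moves backwards, so foreign packets interleaved with the watermark do not break detection; the second helper runs the same machine over watermark-free background traffic, which is what the random-generation (false-positive) analysis of the previous slide measures:

```python
"""Covert WiFiHop-style watermark detector over observed frame lengths.

Added example, not the authors' code. The echo server replies with frames
whose sizes follow a pre-agreed sequence; a sniffer that cannot read the
encrypted payload can still see lengths, so it runs a k-state machine
that advances one state per frame matching the next expected length,
ignores everything else and never regresses. All lengths in __main__ are
constructed sample data.
"""
from typing import Iterable, Optional, Sequence


class WatermarkDetector:
    """k-state machine: state i means the first i watermark lengths were seen in order."""

    def __init__(self, watermark: Sequence[int]) -> None:
        if not watermark:
            raise ValueError("watermark needs at least one length")
        self.watermark = tuple(watermark)
        self.state = 0

    def feed(self, length: int) -> bool:
        """Consume one observed frame length; True once the whole sequence completed."""
        if self.state < len(self.watermark) and length == self.watermark[self.state]:
            self.state += 1  # advance only on the next expected length
        # any other length is an interleaved foreign packet: ignored, no regression
        return self.state == len(self.watermark)

    def reset(self) -> None:
        self.state = 0


def first_detection(watermark: Sequence[int], lengths: Iterable[int]) -> Optional[int]:
    """Index of the frame that completes the watermark, or None if never completed."""
    det = WatermarkDetector(watermark)
    for i, length in enumerate(lengths):
        if det.feed(length):
            return i
    return None


def count_completions(watermark: Sequence[int], lengths: Iterable[int]) -> int:
    """How many times the watermark completes in a length stream (restart after each).

    Run over background traffic that carries no watermark, this is the empirical
    spurious-match count the false-positive analysis is concerned with.
    """
    det = WatermarkDetector(watermark)
    hits = 0
    for length in lengths:
        if det.feed(length):
            hits += 1
            det.reset()
    return hits


if __name__ == "__main__":
    # Constructed sample: watermark 1210, 98, 640 with foreign frames (500, 1500)
    # interleaved and a repeated 1210 that must not advance the machine.
    sniffed = [1500, 1210, 500, 98, 1210, 1500, 640, 98]
    print(first_detection([1210, 98, 640], sniffed))                         # 6
    print(count_completions([1210, 98, 640], [1210, 98, 640] * 2 + [1500]))  # 2
```

Because the machine never regresses, a long enough stream of arbitrary traffic will eventually complete any watermark; that is why the lengths must be rare in the ambient traffic and why the detection has to be bounded to the window in which the echo server is known to be replying.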

Testing network

Profile   DL rate (Mbps)   UL rate (Mbps)
Low       2                1
Medium    8                5
High      16               12

Automatic Configuration

WifiHop is able to estimate the parameters necessary for operation:

Packet lengths for the watermark can be estimated by sampling the current network traffic for around 6 seconds

Both the clients and the echo server conservatively operate assuming the highest network load, although in low-traffic scenarios fewer repetitions would mean faster detection
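One way to turn a short traffic sample into watermark lengths, as an added example (not the authors' code): the chooser takes the candidate frame sizes the echo server can produce (the `candidates` list is an assumption; the slides do not say how the server's sizes are enumerated), picks the ones least observed in the sample, and breaks ties by avoiding a length that was seen directly after the previously chosen one, which is the successive-length correlation the analysis slide measured. The sample in `__main__` is constructed, not a capture.

```python
"""Automatic watermark configuration from a short traffic sample.

Added example, not the authors' code. Greedily picks k candidate lengths that
are rarest in the sampled traffic; as a tie-break it prefers a length that was
never seen right after the previously chosen one. `candidates` is an assumed
list of frame sizes the echo server is able to emit.
"""
from collections import Counter
from typing import List, Sequence


def choose_watermark(sample: Sequence[int], k: int, candidates: Sequence[int]) -> List[int]:
    """Return k distinct lengths: rarest in `sample` first, adjacency-aware tie-break."""
    if k <= 0:
        raise ValueError("k must be positive")
    unigram = Counter(sample)
    bigram = Counter(zip(sample, sample[1:]))  # (previous, next) adjacency counts
    pool = sorted(set(candidates))
    if len(pool) < k:
        raise ValueError("not enough distinct candidate lengths")
    chosen: List[int] = []
    for _ in range(k):
        prev = chosen[-1] if chosen else None
        # rank: fewest sightings, then fewest sightings right after `prev`, then size
        best = min(
            (length for length in pool if length not in chosen),
            key=lambda L: (unigram[L], bigram[(prev, L)] if prev is not None else 0, L),
        )
        chosen.append(best)
    return chosen


def spurious_fraction(sample: Sequence[int], watermark: Sequence[int]) -> float:
    """Share of sampled frames whose length equals some watermark length.

    A cheap sanity check before trusting a chosen watermark: if this is not
    close to zero, the sampling window was too short or the traffic changed.
    """
    if not sample:
        return 0.0
    wanted = set(watermark)
    return sum(1 for L in sample if L in wanted) / len(sample)


if __name__ == "__main__":
    # Constructed ~6 s sample dominated by full-size and ACK-sized frames.
    sample = [1500] * 50 + [60] * 30 + [200, 300] * 5
    candidates = [60, 100, 200, 300, 500, 800, 1000, 1500]
    wm = choose_watermark(sample, 3, candidates)
    print(wm, spurious_fraction(sample, wm))  # [100, 500, 800] 0.0
```

The adjacency tie-break only matters between lengths that are equally rare; a length that is never seen at all always wins, which matches the "least observed packet length" criterion of the trace analysis.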

The echo-server delays the transmission of the watermark by 1 second

Effectiveness of WifiHop

Neither Open nor Covert WifiHop exhibited false positives (for a total of 1000 runs for each load scenario)
For medium and low traffic scenarios there were also no false negatives
For high traffic scenarios some false negatives occurred, consistent with the parameterization
Each test took ~30 seconds to test all the channels

Profile   WifiHop   Attacks detected
Low       Open      100%
Low       Covert    100%
Medium    Open      100%
Medium    Covert    100%
High      Open      98.44%
High      Covert    98.05%

Summary

Final Remarks

User-sided detection of the evil twin attack is viable
It can be done in useful time (under 1 minute)
WifiHop can operate on open and encrypted networks (WEP/WPA and some VPNs)
Avoids the problems of server-side (network) detection: enough sniffers to ensure complete coverage, high false positive rate, no real-time detection/mitigation
WifiHop can be run on off-the-shelf equipment
Users do not need to trust the network

Thank You

carlos.ribeiro@ist.utl.pt