The Evil Twin

Because transporter accidents happen…

By Steve Harrison


Introduction

This is the third in a series of blog posts focusing on wireless security and technology.

Most of the devices we use every day, like smartphones, laptops, and tablets, use wireless LAN as their default mode of connectivity. WLAN also provides connectivity for the next generation of internet of things (IoT) devices, such as security cameras, smart home hubs, and connected speakers. This means that sensitive data others might want to access is being transmitted over the air.

This post will detail how an organization might be targeted and what they can do to combat these types of threats.

What is an Evil Twin?

In its simplest terms, an “evil twin” is a rogue access point masquerading as an access point that’s part of your corporate infrastructure. This is also sometimes referred to as a “honeypot.” There are a number of ways a device can act as an evil twin:

  • Spoofing – When an access point (or, more generally, a wireless station) that is not part of your corporate infrastructure masquerades as one that is. This is done by “spoofing” the SSID your network advertises and, often, the MAC address (BSSID) of one of your real access points (as discussed in the earlier post in this series).
  • Honeypot – When a wireless station listens for probe request frames from wireless clients in its vicinity and then answers as if it were the SSID those clients are looking for. (Beacons are what access points send; clients send probe requests.) This takes advantage of the fact that an 802.11 client with its WLAN adapter enabled but not connected to a network will periodically probe for SSIDs it has previously joined and remembers. This means that even on a flight cruising at 35,000 feet, if you’ve left your WLAN radio on, your smartphone or tablet may be periodically “asking” whether your corporate or home network is there. A honeypot device responds to those probes pretending to be the SSID you asked for. Depending on how the honeypot and your client are configured, the client may then authenticate and associate with that network and attempt to reach data services. Two caveats: a remembered open (unencrypted) network is the easy case, since there is no key to check; for a WPA2 network the client only completes the 4-way handshake if the honeypot knows the passphrase (PSK) or presents a certificate the client accepts (EAP), though the partial handshake it captures can still be attacked offline. Also, current mobile operating systems mostly send directed probes only for networks saved as hidden, so fewer SSIDs leak this way than they once did.
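The probe/response exchange described above, as an added example that is not part of the original post or of any vendor’s tooling. It builds 802.11 probe requests and probe responses as raw bytes in memory (no radio or driver is involved), parses the 24-byte management header and the SSID information element, and shows what a listening honeypot learns from a client’s directed probes and how it answers them. The MAC addresses and SSIDs are constructed sample values.

```python
"""Added example (not from the original post): a probe-request honeypot at the
frame level. Frames are built in memory; no wireless interface is touched."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Frame-control byte 0 for management frames (type bits 00): subtype in the high nibble
PROBE_REQ = 0x40
PROBE_RESP = 0x50
BEACON = 0x80
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class MgmtFrame:
    subtype: int
    src: str              # Address 2: the transmitting station
    bssid: str            # Address 3
    ssid: Optional[str]   # None = no SSID element; "" = wildcard / hidden


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_mgmt(subtype: int, da: str, sa: str, bssid: str, ssid: str) -> bytes:
    """Minimal management frame: 24-byte header, optional fixed fields, then IEs."""
    header = (bytes([subtype, 0x00]) + b"\x00\x00"          # frame control, duration
              + _mac_bytes(da) + _mac_bytes(sa) + _mac_bytes(bssid)
              + b"\x00\x00")                                # sequence control
    fixed = b""
    if subtype in (BEACON, PROBE_RESP):
        # timestamp (8), beacon interval (2), capability info (2, ESS bit set)
        fixed = struct.pack("<QHH", 0, 100, 0x0001)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()          # element ID 0 = SSID
    rates_ie = bytes([1, 1, 0x82])                           # element ID 1 = supported rates
    return header + fixed + ssid_ie + rates_ie


def parse_mgmt(frame: bytes) -> MgmtFrame:
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0 = frame[0]
    if fc0 & 0x0C:                     # type bits (2-3) must be 00 = management
        raise ValueError("not a management frame")
    subtype = fc0 & 0xF0
    src, bssid = _mac_str(frame[10:16]), _mac_str(frame[16:22])
    body = frame[24:]
    if subtype in (BEACON, PROBE_RESP):
        body = body[12:]               # skip timestamp / interval / capabilities
    ssid = None
    i = 0
    while i + 2 <= len(body):          # walk the tag / length / value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
            break
        i += 2 + length
    return MgmtFrame(subtype, src, bssid, ssid)


def probed_ssids(frames: List[bytes]) -> Dict[str, Set[str]]:
    """What a listening honeypot learns: client MAC -> SSIDs it asked for by name.
    Wildcard probes (empty SSID) name no network and are ignored."""
    seen: Dict[str, Set[str]] = {}
    for f in frames:
        m = parse_mgmt(f)
        if m.subtype == PROBE_REQ and m.ssid:
            seen.setdefault(m.src, set()).add(m.ssid)
    return seen


def honeypot_reply(probe: bytes, fake_bssid: str) -> Optional[bytes]:
    """The honeypot's move: answer a directed probe with a probe response that
    carries whatever SSID the client asked for, from a BSSID the attacker owns."""
    m = parse_mgmt(probe)
    if m.subtype != PROBE_REQ or not m.ssid:
        return None
    return build_mgmt(PROBE_RESP, m.src, fake_bssid, fake_bssid, m.ssid)


if __name__ == "__main__":
    client = "02:11:22:33:44:55"       # constructed sample client address
    probes = [build_mgmt(PROBE_REQ, BROADCAST, client, BROADCAST, s)
              for s in ("CorpWiFi", "HomeNet", "")]
    print(probed_ssids(probes))
    reply = honeypot_reply(probes[0], "02:de:ad:be:ef:00")   # constructed rogue BSSID
    print(parse_mgmt(reply))
```

The probe response alone does not get the client onto the rogue network; it only makes the client believe the SSID is present. Whether association then succeeds depends on the security type the client remembers for that SSID, as noted above.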


Should you be worried?

Well, yes! These modes of operation are, for the most part, malicious in nature and can be incredibly disruptive to business. There are multiple wireless hacking/cracking tools that operate in the modes described above. They typically exist for the sole purpose of capturing or exfiltrating data, either in clear text or in encrypted form to be worked on later (a captured WPA2 handshake, for example, can be attacked offline).

Next, I’ll walk you through the operation of such a tool, specifically the “WiFi Pineapple” from Hak5’s HakShop, a California-based company offering penetration testing tools and techniques.

What’s a WiFi Pineapple?


This is my WiFi Pineapple, there are many like it, but this one is mine.

A WiFi Pineapple is a common, easy-to-use tool wielded by wireless penetration testers. It leverages open-source software packages and runs a customized, OpenWrt-based Linux operating system, just as Cisco Meraki devices run a custom Linux. What the WiFi Pineapple adds is packaging: the pieces come together in an intuitive unit with a web-based graphical user interface, much as the Meraki Dashboard does for wireless networks, so you don’t have to be a security expert to use it.


In order to make the WiFi Pineapple act as a Honeypot all you need to do is follow these steps:

1. Connect the pineapple to a network – presuming you want to be able to offer data services to the clients you trick into connecting to your pineapple, you first have to give them a way of accessing those data services. With the pineapple you have three options:

A) Wireless Network – as the pineapple has two wireless radios, one radio can join an existing wireless network as a client, like a public one at a coffee shop, while the other radio serves the victims.


B) Wired Network – the pineapple has a wired Ethernet connector, meaning this could be plugged directly into your switch or another switch infrastructure.


C) Cellular Network – the pineapple has a USB port that can be used for cellular 3G/4G USB modems, similar to a Meraki security appliance.

Whichever uplink you choose, the pineapple then routes the traffic of the unsuspecting clients it has captured out over that connection. This is very important, as your wireless device (e.g. your smartphone) can connect to what it thinks is a known wireless network while it’s still in your pocket. The apps you have enabled on the device, like email and social networks, could then send traffic through the attacker’s device, all without your knowledge.

2. Configure probe response behavior – the pineapple can be configured to respond to every probe request it hears, which can mean thousands and thousands of SSIDs, or to respond only to probes for specific SSIDs if the attack is more targeted.


3. Decide what you want to do with the traffic you receive – finally, the pineapple can be configured to pass the traffic through while mirroring a copy if you are passively testing a network, or to divert the traffic (clear text or encrypted) to a file or a network location using tcpdump, the same packet-capture tool that is present on Meraki network devices.


What should you do?

Sounds bad, doesn’t it? The above illustrates how much trust client devices, and the 802.11 protocol in general, place in whoever answers to a familiar SSID. But it’s not all doom and gloom: Meraki’s Air Marshal WIPS service, discussed earlier in this series, tells you when things like this are happening in or near your corporate environment.

Why can’t Air Marshal just block them?

If Air Marshal simply blocked every SSID advertised by these types of devices, it could also block legitimate access points that advertise the same SSID but are under someone else’s administrative control (a neighbouring office, for example). Instead, Air Marshal shows you which access points in your infrastructure are being spoofed, so a person can decide what to do.
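The kind of comparison a WIPS makes when it reports that one of your access points is being spoofed, as an added example; this is not Air Marshal’s code and is not from the original post. It checks each beacon seen on the air against an inventory of authorized BSSIDs, with the SSID and security type each should advertise, classifies the mismatches, and orders the hits strongest-signal first so the walk-around described below starts with the most likely nearby device. All BSSIDs, SSIDs and RSSI values are constructed sample data.

```python
"""Added example (not Air Marshal's logic and not from the original post):
classifying observed beacons against an inventory of authorized APs."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str
    channel: int
    security: str   # "OPEN", "WPA2-PSK" or "WPA2-EAP"
    rssi: int       # dBm at the sensor; closer to 0 means stronger / nearer


# Authorized inventory: BSSID -> (SSID, security). Constructed sample values.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:18:0a:00:00:01": ("CorpWiFi", "WPA2-EAP"),
    "00:18:0a:00:00:02": ("CorpWiFi", "WPA2-EAP"),
    "00:18:0a:00:00:03": ("CorpGuest", "OPEN"),
}

# Beacons "seen on the air". Constructed sample values.
SAMPLE: List[Observation] = [
    Observation("CorpWiFi", "00:18:0a:00:00:01", 36, "WPA2-EAP", -55),   # our own AP
    Observation("CorpWiFi", "02:de:ad:be:ef:00", 6, "OPEN", -40),        # evil twin, open
    Observation("CorpWiFi", "02:de:ad:be:ef:01", 11, "WPA2-EAP", -70),   # evil twin, same security
    Observation("CorpGuest", "00:18:0a:00:00:03", 1, "WPA2-PSK", -60),   # our BSSID, wrong security
    Observation("CoffeeShop", "aa:bb:cc:dd:ee:ff", 1, "OPEN", -80),      # unrelated neighbour
]


def classify(obs: Observation, inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> str:
    """One verdict per observation; only the spoof verdicts need a human to act."""
    corporate_ssids = {ssid for ssid, _ in inventory.values()}
    if obs.bssid in inventory:
        exp_ssid, exp_sec = inventory[obs.bssid]
        if obs.ssid == exp_ssid and obs.security == exp_sec:
            return "authorized"
        # Our BSSID on the air with a different SSID or security: someone cloned it.
        return "bssid-spoof"
    if obs.ssid in corporate_ssids:
        # Unknown radio advertising one of our SSIDs: the evil twin case.
        expected = {sec for ssid, sec in inventory.values() if ssid == obs.ssid}
        if obs.security not in expected:
            return "ssid-spoof-security-mismatch"   # e.g. OPEN where we run WPA2-EAP
        return "ssid-spoof"
    # Neighbour, hotspot or unrelated rogue: not a spoof of our network, so not
    # something to block on sight (it may be under someone else's administration).
    return "other"


def spoof_report(observations: List[Observation],
                 inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> List[Tuple[str, Observation]]:
    """Spoofs only, strongest signal first: where to start walking."""
    hits = [(classify(o, inventory), o) for o in observations]
    hits = [h for h in hits if h[0] not in ("authorized", "other")]
    return sorted(hits, key=lambda h: h[1].rssi, reverse=True)


if __name__ == "__main__":
    for verdict, obs in spoof_report(SAMPLE):
        print(f"{verdict:30} {obs.ssid:12} {obs.bssid} ch{obs.channel:<3} {obs.security:9} {obs.rssi} dBm")
```

Note the two different “spoof” verdicts: a cloned BSSID means the attacker has copied one of your access points outright, while an unknown BSSID advertising your SSID is the classic evil twin. A security mismatch on the twin (open where you run WPA2-Enterprise) is worth flagging separately, because that is the configuration in which clients are most likely to connect without any credential check.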


The best course from here is to go mobile: use a WiFi scanning application on a laptop or an Android smartphone/tablet, and walk toward the strongest signal for the spoofed BSSID to work out where the offending device is.


This will likely take multiple passes before you can authoritatively say what the source of the threat is. Once you have identified it, you can choose the appropriate course of action. For most organizations, that means “eliminating” the threat: if it’s an unattended device, disconnect it from its network and power; if it’s a person in or near the building, either escort them from the premises or contact the authorities.

Conclusion

The bad news is that there’s no silver bullet that fixes this problem. So, the tried and trusted advice is to be vigilant and leverage the techniques and tools we have highlighted in this post. The Meraki dashboard also allows you to configure alerts, so if your inbox starts filling up with rogue SSID alerts, then either you are undergoing a wireless penetration test or you need to do some investigating!

References

https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal
https://meraki.cisco.com/lib/pdf/meraki_whitepaper_air_marshal.pdf
https://meraki.cisco.com/lib/pdf/meraki_datasheet_airmarshal.pdf
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal_Containment
https://documentation.meraki.com/MR/Monitoring_and_Reporting/Mitigating_a_Spoof