
METDS - A Self-contained, Context-Based Detection System for Evil Twin Access Points

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8975))

Abstract

Mobile Evil Twin attacks stem from the missing authentication of open WiFi access points. Attackers can trick users into connecting to their malicious networks and thereby gain the capability to mount further attacks. Although some recognition and prevention techniques have been proposed, they have been impractical and thus have not seen any adoption. To quantify the scale of the threat of evil twin attacks, we performed a field study with 92 participants to collect their WiFi usage patterns. With this data we show how many of our participants are potentially open to the evil twin attack. We also used the data to develop and optimize a context-based recognition algorithm that can help mitigate such attacks. While it cannot prevent the attacks entirely, it gives users the chance to detect them, raises the effort an attacker needs to execute such attacks, and significantly reduces the number of vulnerable users that can be targeted by a single attack. Using simulations on real-world data, we evaluate our proposed recognition system and measure the impact on both users and attackers. Unlike most other approaches to countering evil twin attacks, our system can be deployed autonomously, does not require any infrastructure changes, and offers the full benefit of the system to early adopters.


Notes

  1. http://www.dd-wrt.com.

  2. This is not a foolproof method, since GPS location is not always available and WiFi-based positioning can be fooled by an attack of type C. However, cell-tower-ID-based positioning works in many cases and raises the bar for the attacker.

  3. While it is also possible to mount evil twin attacks against Enterprise WPA networks, these would go beyond the scope of this paper.


Author information

Corresponding author: Christian Szongott

Appendices

A METDS Sample Configuration

Table 1 shows the most important configuration parameters of our sample configuration. These values were used for the simulations described in Sect. 6. As one can see, the algorithm only reacts to connections to unencrypted networks; for future research, other encryption schemes can be enabled to analyze similar attacks on encrypted wireless networks. The BSSID thresholds define how often an access point needs to be detected or missed until it is added to or removed from the corresponding access point profile. The maximum distance threshold defines how close two locations have to be before the algorithm regards them as equal. The next parameter defines the length of an access point's learning period, within which the algorithm learns the access point's environment and adapts itself; the current value represents one week. The last two parameters enable the Jaccard index comparison of network environments and set the threshold to 0.7, as discussed in Sect. 5.

Table 1. Configuration parameters of the METDS [table not included in this preview]

Fig. 5. Amount of warnings a user would receive per 100 connections. In the first diagram only BSSID warnings are shown; in the second all remaining warnings have been plotted. [figure not included in this preview]

B User Perspective

Figure 5 shows the user's perspective. Both diagrams show the number of warnings each user (along the Y-axis) sees on average per 100 connections. The first graph shows only warning messages for unknown BSSIDs. As stated above, we believe these warnings are necessary, since they definitively indicate an unknown access point and a connection should not be established without the user's consent. The second graph shows only the false positives at our current configuration of METDS. Also as stated above, the number of warnings shown here is configurable and is down to user preferences.
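The profile logic Appendix A describes (BSSID add/remove thresholds, a maximum distance for treating two locations as the same place, a one-week learning period, and a Jaccard comparison of the surrounding access points against a 0.7 threshold) and the per-connection warnings Appendix B counts, as an added example in Python. This is not the paper's METDS code: only the 0.7 threshold, the one-week learning period and the restriction to unencrypted networks come from the page; the other parameter values, the `Connection` and `Profile` structures, the haversine distance, the warning names and the constructed coordinates and BSSIDs are assumptions made for the example.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Appendix A parameters; only 0.7 and the one-week period are from the paper, the rest are assumed placeholders.
CONFIG = {
    "checked_encryption": {"open"},      # the algorithm only reacts to unencrypted networks
    "bssid_add_threshold": 3,            # assumed: sightings before a neighbour joins the profile
    "bssid_remove_threshold": 2,         # assumed: consecutive misses before it is dropped
    "max_distance_m": 100.0,             # assumed: locations within 100 m are the same place
    "learning_period_s": 7 * 24 * 3600,  # one week
    "use_jaccard": True,
    "jaccard_threshold": 0.7,
}

@dataclass(frozen=True)
class Connection:
    ssid: str
    bssid: str
    encryption: str             # "open", "wpa2", ...
    neighbours: frozenset       # BSSIDs of the other APs visible when connecting
    location: Optional[tuple]   # (lat, lon) in degrees, or None without a position fix
    time: int                   # seconds since epoch

@dataclass
class Profile:
    first_seen: int
    bssids: set = field(default_factory=set)        # BSSIDs this SSID was reached through
    locations: list = field(default_factory=list)   # places where it was used
    environment: set = field(default_factory=set)   # neighbouring APs currently in the profile
    seen: dict = field(default_factory=dict)        # neighbour -> sightings
    missed: dict = field(default_factory=dict)      # neighbour -> consecutive misses

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    (lat1, lon1), (lat2, lon2) = map(radians, a), map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; two empty environments count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def near_known_location(p, loc, cfg):
    return any(haversine_m(loc, known) <= cfg["max_distance_m"] for known in p.locations)

def update_environment(p, observed, cfg):
    """Apply the BSSID add/remove thresholds to the neighbouring-AP profile."""
    for ap in observed:
        p.seen[ap] = p.seen.get(ap, 0) + 1
        p.missed[ap] = 0
        if p.seen[ap] >= cfg["bssid_add_threshold"]:
            p.environment.add(ap)
    for ap in list(p.environment - observed):
        p.missed[ap] = p.missed.get(ap, 0) + 1
        if p.missed[ap] >= cfg["bssid_remove_threshold"]:
            p.environment.discard(ap)
            p.seen[ap] = 0

class ContextDetector:
    def __init__(self, cfg=CONFIG):
        self.cfg, self.profiles = cfg, {}

    def check(self, c):
        """Return the warnings for one connection; [] means the context looks familiar."""
        if c.encryption not in self.cfg["checked_encryption"]:
            return []
        p = self.profiles.setdefault(c.ssid, Profile(first_seen=c.time))
        learning = c.time - p.first_seen < self.cfg["learning_period_s"]
        warnings = []
        if not learning:
            if c.bssid not in p.bssids:
                warnings.append("unknown_bssid")
            if c.location is not None and p.locations and not near_known_location(p, c.location, self.cfg):
                warnings.append("unknown_location")
            if self.cfg["use_jaccard"] and p.environment and \
                    jaccard(p.environment, c.neighbours) < self.cfg["jaccard_threshold"]:
                warnings.append("environment_mismatch")
        if learning or not warnings:
            # adapt the profile only while learning or when nothing looked suspicious
            p.bssids.add(c.bssid)
            if c.location is not None and not near_known_location(p, c.location, self.cfg):
                p.locations.append(c.location)
            update_environment(p, c.neighbours, self.cfg)
        return warnings

def simulate():
    """Constructed scenario: one week at a cafe, then three later connections."""
    cafe, day = (52.3759, 9.7320), 24 * 3600   # constructed location, one day in seconds
    cafe_env = frozenset({"aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"})
    det = ContextDetector()
    learn = [det.check(Connection("CoffeeShop", "00:11:22:33:44:55", "open", cafe_env, cafe, d * day))
             for d in range(7)]
    legit = det.check(Connection("CoffeeShop", "00:11:22:33:44:55", "open", cafe_env, cafe, 8 * day))
    elsewhere, other_env = (48.3538, 11.7861), frozenset({"bb:00:00:00:00:01"})
    # same SSID at another place, reached through a different BSSID and neighbourhood
    twin = det.check(Connection("CoffeeShop", "de:ad:be:ef:00:01", "open", other_env, elsewhere, 8 * day + 60))
    # same SSID and BSSID elsewhere: a cloned BSSID alone does not make the context familiar
    clone = det.check(Connection("CoffeeShop", "00:11:22:33:44:55", "open", other_env, elsewhere, 8 * day + 120))
    return learn, legit, twin, clone
```

In `simulate()` the seven learning-period connections raise nothing, the later legitimate reconnection raises nothing, the foreign access point with the same SSID raises all three warnings, and the connection whose BSSID matches the profile but whose location and neighbourhood do not still raises two. The unknown-BSSID warning is the one Appendix B treats as always necessary; the other two depend on the distance and Jaccard thresholds, which is where the false-positive rate of Fig. 5 is tuned.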


Copyright information

© 2015 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Szongott, C., Brenner, M., Smith, M. (2015). METDS - A Self-contained, Context-Based Detection System for Evil Twin Access Points. In: Böhme, R., Okamoto, T. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science, vol 8975. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47854-7_22


  • DOI: https://doi.org/10.1007/978-3-662-47854-7_22


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-47853-0

  • Online ISBN: 978-3-662-47854-7

  • eBook Packages: Computer Science (R0)
