Slashdot Mirror


'Evil Twin' Threat to Wireless Security

BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"

6 of 222 comments

  1. Yes by lachlan76 · · Score: 2, Insightful

    Is there, therefore, anything (other than the cute name 'evil twin') to this story?

    Yes. If they control the gateway they now have the capability to perform a man-in-the-middle attack.

    1. Re:Yes by Delirium Tremens · · Score: 2, Insightful

      It is actually easy once you also spoof the DNS servers -- which is a piece of cake when you already own the gateway and the DHCP server.

    2. Re:Yes by Allen Zadr · · Score: 4, Insightful
      Not even necessary...

      Open web browser (usually defaults to google or MSN).
      418 Connection Refused; Your <link...>router is having an encryption problem. Click <link...>router for more information.
      User clicks on link, which installs Certificate Authority (with the requisite warnings). Seems simple to most users. There's an error about Wireless Encryption - and it wants to install a certificate. Since the user wasn't trying to hit a secure site at the time, it doesn't seem as immediately suspicious.

      No, the "one percent"ers around here know the diff between a Cert and a C.A. But the other 99% don't. Hopefully, by the time they hit their online banking - they will have forgotten about the previous "router issue".

      As usual, a small shaking of social engineering in a technical issue can turn a seemingly trivial security issue into a very real security issue.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
  2. Be careful by drivinghighway61 · · Score: 5, Insightful

    So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this? This is about the same parallel as "Don't take candy from strangers."

  3. This article misses the point.... by Ajmuller · · Score: 4, Insightful

    The security lapse isn't with bad software, it's with bad policy and hapless users. If you connect to a fraudulent base station, then you can intercept banking passwords even with connections that use end-to-end encryption. Why, and why isn't this protected? Simple. If you connect to a website, even the most secure site in the world using SSL, and there is something wrong with the SSL certificate, you will be presented with a dialog asking you if you want to accept the certificate. 99% of people blindly click yes, because clicking no means that it "won't work" and clicking yes means it "will work". So to the average user there is no downside to clicking yes and a large downside to clicking no. Enough with the psychology though. Once you have clicked yes on this dialog the entire chain of communication is now suspect. You cannot be sure that there is not someone sniffing your connection. Even if you check the certificate and everything looks OK (sane information in text fields) you still can't be sure that it's valid unless you compare the signature of the SSL certificate with a known-good one. So, the real danger here lies in unsigned SSL certificates and hapless users. This type of attack is just as easy to orchestrate (if not easier) by associating with any wireless access point and spoofing DNS or even on a wired network.
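The known-good comparison mentioned in the comment above, sketched as an added example that is not part of the original thread or written by any of its posters: the presented certificate's SHA-256 fingerprint is checked against a value recorded earlier on a trusted network, which still flags a substituted certificate when chain validation passes (for instance after a rogue CA has been installed). The host `bank.example`, the pin store and the certificate byte strings are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
KNOWN_GOOD_DER = b"constructed-der-bytes-of-the-bank-certificate"
EVIL_TWIN_DER = b"constructed-der-bytes-served-by-a-rogue-gateway"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' as copied from a certificate dialog."""
    return pin.replace(":", "").replace(" ", "").lower()


def matches_pin(der: bytes, pins) -> bool:
    """True only if the certificate equals one recorded out of band."""
    seen = fingerprint(der)
    return any(hmac.compare_digest(seen, normalize(p)) for p in pins)


def verdict(host: str, der: bytes, pin_store: dict) -> str:
    pins = pin_store.get(host.lower())
    if not pins:
        return "unpinned"  # no known-good value, so nothing can be concluded
    return "match" if matches_pin(der, pins) else "MISMATCH"


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate; normal chain validation still runs."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Pin store built earlier on a trusted network (hypothetical host name).
PIN_STORE = {"bank.example": {fingerprint(KNOWN_GOOD_DER).upper()}}

if __name__ == "__main__":
    for der in (KNOWN_GOOD_DER, EVIL_TWIN_DER):
        print(verdict("bank.example", der, PIN_STORE))
```

A mismatch also occurs when a site legitimately renews its certificate, so the stored fingerprint has to be refreshed from a trusted network rather than from the connection being checked.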

  4. Re:The real threat... by BrakesForElves · · Score: 2, Insightful

    Well of course you're dead on about slashdot readers. But what about the kid who makes one extra click to surf the new, secure https://disney.com in the morning, whose dad surfs his bank that evening? Hell, with 80% of the wireless routers in residences running default SSIDs and no WEP or WAP, one could even launch this attack on a stationary target, where the likelihood of eventual compromise over a period of hours or days would approach certainty. Good luck associating that cause and effect!

    --
    About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.