Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Evil Twin' Threat to Wireless Security

Posted by michael on from the lives-in-the-attic-and-eats-fish-heads dept.

BarryNorton writes "The BBC are currently reporting on research from Cranfield University on the ability of unscrupulous third parties to spoof wireless networking clients into believing they are connected to a 'valid base station' and compromising their passwords for Internet banking etc. Of course the rest of the connection through the Internet, even from a trusted router, is insecure in any case and such sites should be using end-to-end security like SSL. Is there, therefore, anything (other than the cute name 'evil twin') to this story?"

3 of 222 comments (clear)

  1. Be careful by drivinghighway61 · · Score: 5, Insightful

    So, in other words, be careful when you connect to an unfamiliar access point? Shouldn't people already be doing this? This is about the same parallel as "Don't take candy from strangers."

  2. Thist article misses the point.... by Ajmuller · · Score: 4, Insightful

    The security lapse isn't with bad software, it's with bad policy and hapless users. If you connect to a fraudlent base station, then you can intercept banking passwords even on with connections that use end-to-end encryption. Why, and why isn't this protected. Simple. If you connect to a website, even the most-secure site in the world using SSL. If there is something wrong with the SSL certificate you will be presented with a dialog asking you if you want to accept the certificate. 99% of people blindly click yes, because clicking no means that it "wont work" and clicking yes means it "will work". So to the average user there is no downside to clicking yes and a large downside to clicking no. Enough with the psychology though. Once you have clicked yes on this dialog the entire chain of communication is now suspect. You cannot be sure that there is not someone sniffing your connection. Even if you check the certificate and everything looks OK (Sane information in text fields) you still can't be sure that it's valid unless you compare the signature of the SSL certificate with a known-good one. So, the real danger here lies in unsigned SSL certificates and hapless users. This type of attack is just as easy to orchestrate (if not easier) by associating with any wireless access point and spoofing dns or even on a wired network.

  3. Re:Yes by Allen+Zadr · · Score: 4, Insightful
    Not even necessary...

    Open web browser (usually defaults to google or MSN).
    418 Connection Refused; Your <link...>router is having an encryption problem. Click <link...>router for more information.
    User clicks on link, which installs Certificate Authority (with the requisite warnings). Seems simple to most users. There's an error about Wireless Encryption - and it wants to install a certificate. Since the user wasn't trying to hit a secure site at the time, it doesn't seem as immediately suspicious.

    No, the "one percent"ers around here know the diff between a Cert and a C.A. But the other 99% don't. Hopefully, by the time they hit their online banking - they will have forgotten about the previous "router issue".

    As usual, a small shaking of social engineering in a technical issue can turn a seemingly trivial security issue a very real security issue.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.