Evil Twin Attack: Fake WiFi Access Point Vulnerabilities

During an evil twin attack, an attacker sets up a rogue WiFi access point that impersonates a legitimate one and tricks victims into connecting to it. Once a victim connects, the attacker sits on the path between the victim and the internet and can observe, and in some cases alter, the victim's traffic.

Setting up an evil twin network is remarkably easy. Off-the-shelf hardware and tooling let people with little knowledge of networking or programming run the attack.

Evil twin attacks, step by step 

Hackers need impatient web users to pull off an evil twin attack. Unfortunately, plenty of us fall into this category. When we go into a public space, such as a library or a coffee shop, we expect that establishment to offer free and fast WiFi. In fact, reporters even rank businesses by their connection speeds. 

But that speed and convenience come with a cost. Attackers can quickly impersonate a safe-seeming WiFi network and see (or steal) much of what users do online.

An attack typically works like this:

  • Step 1: Set up an evil twin access point.
    An attacker looks for a location with free, popular WiFi and takes note of the network's Service Set Identifier (SSID). Then, using a tool such as a WiFi Pineapple, the attacker sets up a rogue access point that broadcasts the same SSID. Client devices identify an open network by its SSID, and an open (unencrypted) network gives the client nothing it can use to authenticate the access point, so a device cannot tell the legitimate access point from the fake one. A device that has saved the network will often reconnect to the evil twin automatically.
     
  • Step 2: Set up a fake captive portal.
    Before you can use most public WiFi networks, you must fill in data on a generic login page. The attacker sets up an exact copy of this page on the evil twin, hoping to trick victims into entering whatever it asks for, typically an email address and password. Because many people reuse those credentials, the attacker can then try them against the victim's other accounts.
     
  • Step 3: Encourage victims to connect to the evil twin WiFi.
    The attacker positions the evil twin close to victims so that its signal is stronger than the legitimate access point's. Newly arriving users see the strongest signal first, connect, and reach the fake portal. To push users who are already connected across, the attacker sends forged deauthentication frames that impersonate the legitimate access point. This is a denial of service (not a distributed one): clients drop off, their devices reconnect, and many of them pick the stronger evil twin. Networks that enforce 802.11w protected management frames resist this step, because deauthentication frames are then authenticated and forged ones are discarded.
     
  • Step 4: The attacker steals the data.
    Anyone who connects now routes traffic through the attacker: a classic man-in-the-middle position. The attacker can log DNS lookups and the hostnames of the sites a victim visits and can read or modify any traffic that is not protected by TLS. For a site that uses HTTPS correctly (a valid certificate and HSTS), the attacker cannot read the login details in transit; in that case they typically rely on the fake portal, on a look-alike login page served from the evil twin, or on an application that sends data without TLS. Anything captured this way is saved for later use.

Customer participation is critical in an evil twin WiFi attack. Unfortunately, only about half of all consumers think they are responsible for securing their data on a public WiFi network. Most think the companies that offer connections will protect them. The companies may disagree.

Evil twin attacks: 2 examples 

Why would someone want to sit between customers and websites? Let's walk through two examples of how hackers might use data like this. 

Let's imagine an attacker running an evil twin at a local coffee shop:

  • The setup is successful. The hacker ha