
WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection


Presentation Transcript


  1. WiFiHop - Mitigating the Evil Twin Attack through Multi-hop Detection D. Mónica, C. Ribeiro INESC-ID / IST Lisbon, Portugal

  2. The Evil Twin Attack

  3. The Evil Twin Attack
     • A malicious AP is configured to mimic a legitimate AP, enabling attackers to eavesdrop on all wireless communications of the victims.

  4. The Evil Twin Attack
     • A malicious AP is configured to mimic a legitimate AP, enabling attackers to eavesdrop on all wireless communications of the victims.

  5. Existing Techniques
     • Detection by the network
       • Manual administrator detection (Netstumbler)
       • AirDefense
       • Wavelink
       • RIPPS
       • Yin et al. 2007
       • …

  6. Problems with existing solutions
     • Detection by the network
       • Complete coverage is required
       • They may flag a normal AP (e.g. from a nearby coffee shop)
       • They do not work for rogue APs with authentication
       • They may access unauthorised networks
       • They are ineffective in detecting short-time attacks

  7. Existing Techniques
     • Client-side detection
       • ETSniffer
         • Uses timing measurements
         • Distinguishes one-hop from multi-hop
           • One-hop: OK
           • Multi-hop: Evil

  8. Existing Techniques
     • Client-side detection
       • ETSniffer
         • Uses timing measurements
         • Distinguishes one-hop from multi-hop
       • WifiHop
         • Does not use timing measurements
         • Based on the behavior of the legitimate AP
         • No AP authorization list is necessary
         • User may test the network before using it
         • No modification to the host network (cost-effective)

  9. Objectives
     • Provide a convenient and usable technique to detect Evil Twin Attacks
     • Ensuring:
       • User-sided operation
       • Operation not detectable by the attacker
       • Capable of operation in encrypted networks
       • Non-disruptive operation

  10. WiFiHop

  11. Approach
     • Detect a multi-hop setting between the user’s computer and the connection to the internet.
     • Assumes that the rogue AP will relay traffic to the internet using the original, legitimate AP

  12. Solution Overview

  13. Solution Overview

  14. Solution Overview

  15. Solution Overview Too late !!!

  16. WiFiHop

  17. Open WiFiHop

  18. Covert WiFiHop
     (diagram label: Encrypted)
     • Encrypted link between Malicious and Legitimate AP
     • We cannot access payloads of the exchanged packets

  19. Covert WiFiHop
     • We create a watermark using a sequence of packets with pre-determined lengths
     • We modify our scheme not to require payloads
     • Instead, we detect packets with certain lengths
     • WEP/WPA have deterministic, predictable packet lengths

  20. Covert WiFiHop
     • Analysis of the probability of random generation of the watermark
     • We looked at the SIGCOMM trace
       • Total of a 4-day sequence of packets
       • Got the least observed packet length given different analysis periods
       • Measured the correlations between successive lengths
       • Measured the amount of extraneous packets inserted amongst the watermark sequence packets

  21. Least observed packet length

  22. Repeated packet lengths

  23. Interleaved packets

  24. Covert WiFiHop
     • Watermark is a sequence of packets with different lengths
     • Detection is a k-state finite state machine
       • Progresses whenever a packet with the proper length is detected
       • Ignores extraneous packets (machine state never regresses)
       • E.g. a watermark of length 3, with packets of size a, b and c, stops when those lengths are detected in that relative order
     • Due to packet loss and mis-ordering, both the client and the server repeat the requests several times

  25. Testing network

  26. Automatic Configuration
     • WifiHop is able to estimate the parameters necessary for operation
     • Packet lengths for the watermark can be estimated by sampling the current network traffic for around 6 seconds
     • Both the clients and the echo-server conservatively operate assuming the highest network load
       • although for low-traffic scenarios fewer repetitions could mean faster detection
     • The echo-server delays the transmission of the watermark by 1 second
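The watermark selection of slide 26 and the k-state detector of slide 24, as an added Python example that is not the authors' WiFiHop code. It assumes the watermark is chosen as the least-observed frame lengths in a short traffic sample (constructed here, not a trace from the paper) and shows that the non-regressing state machine completes the watermark through interleaved frames and across a repeated transmission after a lost frame, while plain background traffic does not trigger it.

```python
from collections import Counter

# Constructed stand-in for ~6 s of sniffed frame lengths on the monitored
# channel (not a trace from the paper).
SAMPLE_TRAFFIC = [1500, 1500, 66, 66, 66, 1500, 98, 1500, 66, 1500, 54, 66,
                  1500, 128, 66, 1500, 66, 1500, 66, 1500, 301, 66, 1500]


def choose_watermark(lengths, k=3):
    """Pick the k least-observed frame lengths from sampled traffic so that
    background traffic is unlikely to reproduce the watermark by chance.
    Ties are broken by length to keep the choice deterministic."""
    counts = Counter(lengths)
    return sorted(counts, key=lambda n: (counts[n], n))[:k]


class WatermarkDetector:
    """k-state finite state machine over observed frame lengths: the state
    advances only on the next expected length, every other frame is
    ignored, and the state never regresses."""

    def __init__(self, watermark):
        self.watermark = list(watermark)
        self.state = 0

    def feed(self, length):
        """Consume one frame length; True once the whole watermark was seen."""
        if (self.state < len(self.watermark)
                and length == self.watermark[self.state]):
            self.state += 1
        return self.state == len(self.watermark)

    def scan(self, lengths):
        """Index of the frame completing the watermark, or None."""
        for idx, length in enumerate(lengths):
            if self.feed(length):
                return idx
        return None


def detect(watermark, lengths):
    """Run a fresh detector over a capture; None means no watermark seen."""
    return WatermarkDetector(watermark).scan(lengths)


if __name__ == "__main__":
    wm = choose_watermark(SAMPLE_TRAFFIC)
    print("watermark:", wm, "background only:", detect(wm, SAMPLE_TRAFFIC))
    # Echo-server reply relayed through the evil twin, interleaved with other
    # frames; the first copy loses its middle frame, the repetition completes it.
    relayed = [66, 54, 1500, 128, 66, 54, 98, 1500, 128, 66]
    print("relayed watermark completes at index:", detect(wm, relayed))
```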

  27. Effectiveness of WifiHop
     • Neither Open nor Covert WifiHop exhibited false positives (for a total of 1000 runs for each load scenario)
     • For medium- and low-traffic scenarios there were also no false negatives
     • For high-traffic scenarios some false negatives occurred
       • Consistent with the parameterization
     • Each test took ~30 seconds to test all the channels

  28. Summary

  29. Final Remarks
     • User-sided detection of the evil twin attack is viable
       • It can be done in useful time (under 1 minute)
     • WifiHop can operate on open and encrypted networks
       • WEP/WPA and some VPNs
     • Avoids server-side detection problems
       • Enough sniffers to ensure complete network coverage
       • High false positive rate
       • No real-time detection/mitigation
     • WifiHop can be run on off-the-shelf equipment
     • Users do not need to trust the network

  30. Thank You carlos.ribeiro@ist.utl.pt
