Of Evil Twins And Boogey Men
By Mike Masnick, Fri Jan 21 01:15:00 GMT 2005

It seems that the press has gone crazy over the story of Wi-Fi "evil twins." Where are the reporters who looked at the details? They are few and far between, unfortunately.

The first indication of this story came on Monday when some news outlets mentioned the "threat" of evil twin Wi-Fi, as announced by a "cybercrime expert." The explanation is pretty straightforward. Someone could set up another Wi-Fi access point near a legitimate hotspot and use the same SSID. If the "rogue" access point has a stronger signal, it can fool people into connecting to the rogue access point instead of the official one. This isn't a particularly new trick. It was described in a 2001 white paper (pdf file) from a security group.
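As an added illustration (not part of the original article), the same-SSID trick described above can be spotted from the defender's side by comparing a Wi-Fi scan against the access points the hotspot operator is known to run. The scan rows, the `KNOWN` allowlist and the function name are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample scan rows: (ssid, bssid, signal_dbm). Not real capture data.
SCAN = [
    ("CoffeeShop-WiFi", "00:11:22:33:44:55", -67),
    ("CoffeeShop-WiFi", "00:11:22:33:44:56", -71),
    ("CoffeeShop-WiFi", "02:AA:BB:CC:DD:EE", -41),  # same name, unknown radio
    ("Library-Guest",   "00:de:ad:be:ef:01", -60),
]

# Assumption: the operator publishes the BSSIDs of its legitimate APs.
KNOWN = {"CoffeeShop-WiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}


def find_suspect_aps(scan, known):
    """Return APs that reuse a known SSID from a BSSID outside the allowlist.

    Each finding records whether the unknown AP is louder than every
    legitimate AP in range, which is the condition that makes clients
    prefer it over the official one.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, dbm in scan:
        by_ssid[ssid].append((bssid.lower(), dbm))

    findings = []
    for ssid, aps in by_ssid.items():
        allowed = {b.lower() for b in known.get(ssid, ())}
        if not allowed:
            continue  # no baseline for this SSID, nothing to compare against
        # Strongest legitimate AP currently visible (None if none in range).
        best_known = max((dbm for b, dbm in aps if b in allowed), default=None)
        for bssid, dbm in aps:
            if bssid in allowed:
                continue
            findings.append({
                "ssid": ssid,
                "bssid": bssid,
                "signal_dbm": dbm,
                "stronger_than_known": best_known is None or dbm > best_known,
            })
    # Loudest suspects first: they are the ones clients will pick.
    return sorted(findings, key=lambda f: f["signal_dbm"], reverse=True)


if __name__ == "__main__":
    for finding in find_suspect_aps(SCAN, KNOWN):
        print(finding)
```

BSSIDs are not authenticated, so a match against the allowlist proves little; treat this as a tripwire, not a substitute for encrypting the traffic itself.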

The question, though, should be about what the level of risk is. The initial announcement made it sound dire. "There's only one solution at the moment, until better Wi-Fi security measures are introduced," claimed the report: "all you can do is avoid conducting any financial transactions or transmitting sensitive data over a Wi-Fi hotspot." That's right, you're supposed to completely swear off of Wi-Fi for any kind of sensitive data.

The problem is that this statement is completely false. For you to conduct a financial transaction, you would first need to actually be connected to the site where the financial transaction was occurring (presumably, your bank). Just about any bank, these days, has SSL encryption. If your bank doesn't, then you should be using a different bank. If it does have SSL encryption, it wouldn't matter if you're going through someone else's AP: they still wouldn't be able to read your data. That's the point of the encryption. In fact, if that were the goal of a hacker, they wouldn't even need to set up such a rogue "evil twin" access point in the first place. They can see the exact same data by connecting to the same legitimate access point that you're already on.

The real threat from a rogue AP has nothing to do with someone sniffing your traffic. Instead, it comes from whoever is running the evil twin setting up a similar-looking login screen to the real hotspot login screen. In that way, they can trick users into putting in their username and password -- or, in the case of a new or one-time customer, their credit card. That is a serious risk and one that users should be careful about. However, the idea that no one should transmit sensitive data at a hotspot is simply wrong. There are risks. If websites don't use SSL encryption or if you don't have encrypted email or other tools, that data could be sniffed. However, using any kind of VPN system is likely to protect all of your data no matter what you're doing. A few simple moves can protect you.

So, how many reporters told you this? Not very many. Stories started showing up everywhere today worried sick about this evil twin problem. The BBC, eWeek, CNN and plenty of others all reported it along with some form of the statement saying that you shouldn't do any financial transactions or transmit sensitive data at Wi-Fi hotspots.

A few sources, such as ZDnet and Information Week, noted that this wasn't a particularly new exploit. However, very few sources noticed that it wasn't a particularly worrisome exploit either. Glenn Fleishman, at Wi-Fi Networking News, has a good post explaining ways to protect yourself in general when using an open Wi-Fi access point, which follows a similarly excellent article at Mobile Pipeline.

There are security issues involved in using an open access point, but the story of evil twins has been blown out of proportion. There are ways to protect yourself online, and those are important to tell people about. However, suggesting that they should never use an access point is wrong, and is simply designed to get some researchers some undeserved press coverage.