Geeks With Blogs
Ulterior Motive Lounge UML Comics and more from Martin L. Shoemaker (The UML Guy),
Offering UML Instruction and Consulting for your projects and teams.
OK, this may be old news to some of you; and it's obvious, once you think about it. But it's news to me, so I want to pass it along.

The topic is WiFi Evil Twins. What's a WiFi Evil Twin, you ask? That's when some thief goes to a public WiFi hotspot area and sets up a new public WiFi network with the same or similar name, in hopes of getting people to sign in through his WiFi instead of the public one. Then he can attempt to upload viruses, record traffic, capture credit card information, etc. Usually he uses a stronger antenna, so that you're more likely to find his network than the legitimate network.

There are variations on this. One might be called the Evil One: he doesn't duplicate the existing network, he just creates a new network. As this interview with Anne P. Mitchell, Esq. (Professor of Internet Law at Lincoln Law School of San Jose, and the President and CEO of the Institute for Spam and Internet Public Policy) explains:

Anne: Yes. Just last week I was sitting in my local Starbucks, where they offer wifi hotspots from T-Mobile. In order to log into a T-Mobile hotspot, you must have an account with T-Mobile, for which you must pay.

Even though I don't use the T-Mobile hotspots, I always check (with my laptop) to see what wifi hotspots are available at any given location because, well, that's part of my beat.

Sure enough, users at that Starbucks who opened their laptops and searched for a local wifi Internet connection were presented with the option of "T-Mobile Hotspot," as they should be, but were also presented with a second option, called "Free Wifi from Team WiFi," which I am 99% certain was an evil twin (and indeed Starbucks confirmed that there was no special offer going on which would have otherwise explained that second hotspot).

Now, notice a few things about this second, uninvited hotspot. First, it uses the term "free wifi." Who wouldn't want to use that, especially compared to the T-Mobile hotspot, where you have to pay?

Second, though, note the friendly and familiar sounding "Team WiFi." By using familiar terms for their evil twin, along with telling people it is free, they are making it very easy for an unsuspecting user to go ahead and click and connect to that evil twin. In fact, users may just think that it's a special offer from the T-Mobile Hotspot people.

Sure enough, Audri, this evil twin caught some people. As the gentleman who was sitting next to me got up to leave, after being on his computer for quite some time, I asked him whether he had logged in to the Internet while he was there.

When he said that he had, I asked him whether he was a T-Mobile user. "Oh no," he replied, "they have a free wifi hotspot set up here."

I advised him that it was almost certainly an evil twin, and that if he had done anything online while logged in through that "free" hotspot which might have compromised any sensitive information, he should take immediate measures to remedy the situation, such as changing any passwords he had sent while logged in.

And for me, this is more than just theory: I'm pretty sure I've met an Evil Twin in the wild. A hotel I've been staying at offers free WiFi (more and more of them do these days — it's a lot cheaper than stringing wires to the rooms). They have three WiFi hubs: "hotel name", "hotel name2", and "hotel name3" (names changed because I'm not sure I'm right yet). That's what the owner believes, anyway; but when I check for available networks, there's a fourth network, named "Hotel Name". And it has a stronger signal than any of the other hubs. What's more, when I connect to the other three hubs, they all give me the same IP address; but when I (carefully and briefly) connect to the fourth hub, it gives me a radically different IP address on an entirely different subnet.

So what should I do about it? That's troublesome. From the interview with Ms. Mitchell:

At this point your readers may be wondering why I didn't alert the authorities. And this is why user education is so very important.

There really was nobody for me to effectively alert. I could have called the police, but they would not have had the resources to even figure out where this evil twin was located, let alone to figure out who and how it was being done. The best thing I could do at that point was to let people know not to use that hotspot.

While I'm all for user education — that's why I'm telling you this — I'm not so complacent as Ms. Mitchell about informing the police. Michigan's Attorney General has made fighting Internet crime a priority, so I've informed their High Tech Crime Unit. It may be a waste of time; but if I don't try, I'll always worry that someone might be getting ripped off, and I didn't do anything to stop it.

Now back to the subject of user education: here are some things you can do to protect yourself.

  1. When in doubt, don't do it. These scammers are good. This is how they make their living. If you don't feel comfortable trying to detect and outwit the scammers, then don't do anything at a WiFi hotspot. Certainly don't enter any passwords, credit card numbers, etc. Save that work for when you have a direct connection. I'm not saying you should never use WiFi; I'm saying that if you don't want to take the time to learn how to protect yourself, then you should never use WiFi.
  2. Always download the latest security updates from Windows Update. Set up your machine to download the updates automatically. Don't tell me you're too busy. If you're too busy, then stay off WiFi. In fact, stay off the Internet, period. The scammers are working hard to find new victims, and you're volunteering to be one. And don't tell me that the updates "break" your machine. While I'll grant that's possible, it's most likely something you're doing wrong, and you need to fix. I've had automatic updates activated on all of my machines for years, and I've never had a problem.
  3. Turn on your Windows firewall.
  4. Download and install Windows Defender.
  5. Install a good antivirus/Internet security package, such as McAfee or Symantec, and keep it up to date.
  6. Install a spyware blocker like Ad-Aware or Spybot. In fact, install both of them. They're free, and they seem to complement each other well. And yes, Windows Defender and McAfee and Symantec all have adware/spyware blockers as well; but since each product has its own strengths and weaknesses, it can't hurt to have multiple layers of protection.
  7. Despite my advocating Ad-Aware and Spybot, be careful with "free" software. Software takes time to develop. Time is money. Although we programmers will often write code for fun or passion, the most common motivation is money. If someone's offering it to you for free, it's very likely because he hopes to make money somewhere else. In many cases, that's by selling ads through adware/spyware; but sometimes, it's by installing viruses and keyboard recorders to steal your banking information. If you're installing "free" software, make sure you trust the company or person that's providing it.
  8. Change your WiFi settings to Paranoid (i.e., safe). This will involve several steps:

    1. Open up your network connections by selecting Show All Connections from your Start menu:

      [Image: Show all connections]

    2. When you see the Network Connections dialog, right-click your wireless connection and select Properties:

      [Image: Selecting Wireless Network Properties]

    3. You should see the Wireless Network Connection Properties dialog:

      [Image: Wireless Network Connection Properties dialog]

      Switch to the Wireless Networks tab:

      [Image: Wireless Networks tab]

    4. Click the Advanced button to open the Advanced wireless settings dialog:

      [Image: Advanced wireless settings dialog]

      This lets you choose from three different ways to access WiFi networks:

      • Any available network (access point preferred). This means that you will connect either to wireless hubs or to other wireless computers, but you'll prefer wireless hubs.
      • Access point (infrastructure) networks only. This means that you will connect only to wireless hubs.
      • Computer-to-computer (ad-hoc) networks only. This means that you will connect only to other wireless computers.

      Unless you know you're intending to work with friends or coworkers and plan to meet somewhere without a WiFi network, it's always a bad idea to connect to other wireless computers. That's the easiest way to get viruses; and it's a very easy way to get hoodwinked by an Evil Twin: the scammer doesn't even have to set up a hub, just rename his computer to look like a network. The Paranoid setting here is Access point (infrastructure) networks only. Choose that one unless you're sure you have a reason not to.

      This dialog also has a check box: Automatically connect to non-preferred networks. For added Paranoia, make sure that box isn't checked.

      When you're done in this dialog, click Close. But don't close the Wireless Network Connection Properties dialog. You'll do more work there in the next step.

  9. Next you want to disable automatic connection to all of your WiFi networks, or at least to most of them. Your home network is probably safe, as are those of your friends, and your office; but even in those places, if there are neighbors nearby, there's the chance of an Evil Twin. So the Paranoid (i.e., safe) approach is to only make manual connections. Now if you're like me, you probably already have a number of known Wireless connections; and if Evil Twins are as new to you as they are to me, then those are probably set up for automatic connection. So you'll need to switch those to manual, following these steps for each network:

    1. In the Wireless Network Connection Properties dialog, select the network you would like to change:

      [Image: Selecting a WiFi network to convert to manual connection]

      After you select the network, click Properties. You should see the Properties dialog for the selected network:

      [Image: Properties for the selected wireless network]

    2. Select the Connection tab:

      [Image: The Connection tab for the selected wireless network]

      Uncheck the box that says Connect when this network is in range, and then click OK.

      Repeat this for every wireless network. Then click OK in the Wireless Network Connection Properties dialog as well.

    Once you've disabled automatic connection, you'll need to connect manually to any network. To do this, right-click the wireless network connection icon and select View Available Wireless Networks:

    [Image: View Available Wireless Networks]

    You'll see the Wireless Network Connection dialog:

    [Image: Wireless Network Connection dialog]

    Select the network you want to connect to, and click Connect.

  10. While you're in the Wireless Network Connection dialog, search for Evil Twins. If you see two networks with the same name, one is probably an Evil Twin. If you see a network with a seductive name like "Free Wifi from Team WiFi," that's probably an Evil One. Here's a hint: Internet service isn't free. If a cafe or restaurant or hotel puts in WiFi service, it's because they're hoping it will bring them customers. And the only way it can bring them customers is if customers know about it. That means they'll advertise it with signs on the wall or the front door. If you don't see an advertisement for it, it's probably an Evil One. And if there's both a fee-based service like T-Mobile and a "free" service, the "free" service is almost conclusively an Evil One. When in doubt, ask the management. If they don't know about it — or they're clueless and say, "I don't know anything about the wireless" — assume it's an Evil One.
  11. If you think you've found an Evil Twin or an Evil One, I disagree with Ms. Mitchell: inform your Attorney General. They get our tax dollars to pursue cybercrime, but they can't be everywhere. If they don't know about the crime, they can't pursue it. Maybe nothing will come of it, and the criminals may keep committing their crimes; but if no one does anything, then they will keep committing their crimes. I understand why Ms. Mitchell would inform other patrons that they were at risk. Of course, it takes some chutzpah to start telling random strangers in a cafe that they're at risk; and worse, it may also upset the scammer, and he may take steps to shut you up. And even if you inform the management, it's possible that someone in management is the scammer. I think it's best to leave law enforcement to the law enforcement authorities. Tell your AG.
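
The checks from step 10, together with the hotel observations earlier in the post (a look-alike name, a stronger signal, an address on a different subnet), written out as detection logic over a list of visible networks. This is an added example, not part of the original post: the `AP` record layout, the sample scan, and the names `norm`, `audit` and `CONFIRMED` (the network names the venue's management vouches for) are all constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple
from ipaddress import ip_interface

AP = namedtuple("AP", "ssid bssid kind auth signal lease")

# Constructed scan (not captured data); lease = address handed out on a brief connect.
SCAN = [
    AP("hotel name",  "02:00:00:00:00:01", "infrastructure", "open", 55, "192.168.1.23/24"),
    AP("hotel name2", "02:00:00:00:00:02", "infrastructure", "open", 48, "192.168.1.23/24"),
    AP("hotel name3", "02:00:00:00:00:03", "infrastructure", "open", 40, "192.168.1.23/24"),
    AP("Hotel Name",  "02:00:00:00:00:99", "infrastructure", "open", 92, "10.66.0.5/24"),
    AP("hotel name2", "02:00:00:00:00:66", "infrastructure", "WPA2", 50, None),
    AP("Free Wifi from Team WiFi", "02:00:00:00:00:77", "ad-hoc", "open", 30, None),
]
CONFIRMED = {"hotel name", "hotel name2", "hotel name3"}  # names management vouches for

def norm(ssid):
    """Fold case and drop spacing/punctuation so look-alike names collide."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())

def audit(scan, confirmed):
    """Map (ssid, bssid) of each suspicious network to the reasons it was flagged."""
    trusted = [ap for ap in scan if ap.ssid in confirmed]
    trusted_forms = {norm(s) for s in confirmed}
    trusted_nets = {ip_interface(ap.lease).network for ap in trusted if ap.lease}
    loudest = max((ap.signal for ap in trusted), default=0)
    settings = defaultdict(set)          # every (type, auth) pair seen per name
    for ap in scan:
        settings[ap.ssid].add((ap.kind, ap.auth))
    findings = {}
    for ap in scan:
        why = []
        known = ap.ssid in confirmed
        if not known and norm(ap.ssid) in trusted_forms:
            why.append("look-alike of a confirmed name")
        if len(settings[ap.ssid]) > 1:
            why.append("same name seen with conflicting settings")
        if ap.kind == "ad-hoc":
            why.append("ad-hoc: a computer, not a hub")
        if not known and "free" in ap.ssid.casefold():
            why.append("unconfirmed 'free' offer")
        if not known and ap.signal > loudest:
            why.append("stronger than every confirmed hub")
        if ap.lease and trusted_nets and ip_interface(ap.lease).network not in trusted_nets:
            why.append("lease on a different subnet")
        if why:
            findings[(ap.ssid, ap.bssid)] = why
    return findings
```

A legitimate network with several hubs also shows one name on many hardware addresses, so the duplicate-name check fires only when the copies disagree on type or authentication; an exact clone is left to the subnet check.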

Robert A. Heinlein once wrote: "Anything free is worth what you pay for it." My cynical addition is "If you're lucky." That "free" WiFi could end up costing you everything you've got in your bank account, and a whole lot more.
Posted on Saturday, November 15, 2008 4:20 PM Support Headaches


Comments on this post: Public Service Announcement: Beware of WiFi Evil Twins!

No comments posted yet.

Copyright © Martin L. Shoemaker