A Passive Client-based Approach to Detect Evil Twin Attacks

As the widespread deployment and usage of 802.11-based wireless local area networks (WLANs), Wi-Fi users are vulnerable to be attacked by a security threat called evil twins. The evil twin, a kind of rogue access points (RAPs), masquerades as a legitimate access point (AP) to lure users to connect it. Malicious adversaries can easily configure evil twins on a laptop to induce victim wireless users. The presence of such a threat continuously leads to significant loss of information. In this paper, we propose a passive client-side detection approach that allows users to independently identify and locate evil twins without any assistance from a wireless network administrator. Because of the forwarding behavior of evil twins, proposed method compares 802.11 data frames sent by target APs to users to determine evil twin attacks. We implemented our detection and location technique in a Python tool named ET-spotter. Through implementation and evaluation in our study, our algorithm achieves 96% accuracy in distinguishing evil twins from legitimate APs.