EVIL TWIN ACCESS POINT DETECTION AND PREVENTION IN WIRELESS NETWORK Sandip S. Thite Bharati Vidyapeeth s College of Engineering for Women, Pune, India

Transcription

1 EVIL TWIN ACCESS POINT DETECTION AND PREVENTION IN WIRELESS NETWORK Sandip S. Thite Bharati Vidyapeeth s College of Engineering for Women, Pune, India Abstract Now a days wireless access points are widely used in public places to provide web services to the user. The growing users of smartphones use such free WI-FI services for their personal use. They don t care about whether they connect to secure network or not. Such a careless attitude causes a risk of phishing attacks on smartphones. Phishing attacker creates Evil twin access point which attracts the smartphone users and perform the attacks on mobile devices and capture all the sensitive information stored in smartphone memory. The evil Twin attacker sends a stronger signal within close proximity to the wireless users so they can easily attract to Evil Twin AP. The evil twin access point is a serious threat for current smartphone devices. It is a big challenge to distinguish between legitimate access point and Evil Twin AP. Several Evil- Twin AP detection mechanism developed to provide a solution to these problems. Most of these solutions are automated and depends on specific parameters used for detection. In this paper, we have presented a survey on existing techniques with its advantages & disadvantages and proposed new technique for Evil twin AP detection. Keywords: IEEE , Evil Twin AP, Wireless Security I. INTRODUCTION Wireless connectivity is so ubiquitous that one can hardly imagine life without it. Smartphone users rely heavily on a WIFI network for mobile applications. Wi-Fi technology helps us to easily get connected to the web, without cables, patch cords or physical media. Wi-Fi statistics of 2014 highlight that 75 % of people say a week without Wi-Fi would leave them grumpier than a week without coffee. Hotels, Railway stations, restaurant, malls see Wi-Fi as an essential amenity. Smart cities concept pushes Municipal Corporation of city to implement public Wi-Fi concepts for city people. So maximum peoples switch to public Wi-Fi to get data connectivity for different devices like smartphones, laptop, tablet etc. These public Wi-Fi networks are easily available for customers and also completely unsecured in order to facilitate connectivity. Bad side of these public Wi-Fi network is it allows hackers to perform different attacks on connected nodes. hotforsecurity.com [3] reports suggest that 88% public Wi-Fi network is unsecured and easily vulnerable to attack. It is so simple to create an Evil Twin AP with a smartphone by enabling Hotspot. Even with the help of other internet capable devices & software tools we can easily create an Evil Twin AP. The attacker position himself in the propinquity of an authorized AP and lets his smartphone discover what Radio Signal strength and Service Set Identifier (SSID) uses. Then he sends his own device radio signal with the same SSID of authorized AP. Public Wi-Fi users can easily attract to such Evil Twin AP because of good radio signal strength and connect to it. Now Evil Twin AP becomes the end users internet access point. In such scenario, now attacker can easily enter into the information system of a particular smartphone device and able to intercept sensitive data such as password, banking details etc. Evil Twin AP also called as a clone of Authorized access point or Honeypots. It is easy to deploy in any wireless public network, difficult to detect and it is easy to implement different attacks with it. It performs Denial of service, Phishing attack, Man-in-Middle attack and session hijacking attack. 1

2 Figure 1: Secured vs. Unsecured Public Wi-Fi Network In this paper our attention is on important security issues of wireless network, which is called as Evil Twin access point. The rest of this paper organized as follows. In section II describes background details of the access point. Section III describes the literature survey about Evil Twin access point detection technique. Proposed system presented in section IV. Future scope mentioned in section V. Section VI concludes this paper. II. BACKGROUND Wirless Network Mobility it is a great feature provided by wireless network.wireless network is used to provide interconnection between different devices. It s very popular because of features like low cost, effectiveness, mobility, easy to install & scalability. Now a days maximum network developed with the wireless environment. Wireless access point The access point is a heart of wireless network. It is central device which takes services from wired network & provide it to end point nodes like mobile, laptop, tablet etc. with the help of access point we require minimum infrastructure cost for WLAN development. Multiple device connectivity is the added advantage with the access point. With the help of Hotspot application, we can create our handheld device as an access point. An attacker can create his handheld device as AP by using Hotspot application, which acts as an Evil Twin AP. Such AP attracts other wireless devices. These devices connect to such Evil twin AP and become victim of an attacker. Now a day s different security mechanism are used to protect authorized AP from such attacks. By using the wireless encryption protocol we can secure our AP from different attacks. But different software tools are easily available in the market which can be used by attacker to break the security of such secure network. For example, with the help of MAC address changer software attacker can easily change its AP S MAC address into an authorized AP address. Also tools like Aircrack-ng suite attacker can easily monitor the wireless traffic and steal some important information of authorized AP which is helpful to create Evil Twin AP. The Unauthorized Access point is divided into three categories Fake access point It is created or installed by outside attacker who is not a part of authorized network. Without knowing to authorize user it can perform the attack. The purpose of such attack is to perform a malicious behavior, such as eavesdropping, steal the information & falsification. Rouge Access point- It is installed by not only outside attacker, but also authorized user of that network. Authorized user of network wants more advantage from network for that purpose he creates Rouge AP in its network by stealing the information of authorized AP. Rouge AP is more dangerous because of authorized user handling such AP who knows all the secure information about the network. Evil Twin Access point- Attacker creates bogus access point, with such AP it will provide internet services by enabling DHCP service. So mobile user can easily attract to such AP which provide internet service. At the same time attacker continuously monitoring wireless traffic and capture some important information of connected user. SSID: Service Set Identifier SSID comprises 32 characters. It is associated with WLAN. Client devices use the SSID to identify and connect different wireless Network. It is important to communicate in WLAN and form a group of devices connected to the same access point Received Signal Strength (RSS) The quality of communication between the sensor unit and the AP is indicated by the RSS value [9] and it is expressed as Decibels (db). RSS values can vary from 0 to -100[12]. The value showing nearness to 0 signifies strong signal, whereas the value approaching 100 indicates weaker signal [14]. Evil Twin access point creation with example It is easy to create Evil Twin access point, Consider figure 2, where Original AP is 2

3 authorized AP, and all users & smart phone are connected to it. This AP gets WAN services through a modem. Evil Twin AP also called as a clone of Authorized access point. Attacker capture the Original AP information through wireless traffic, through which it get information, like SSID, MAC Address, IP address range. Now attackers AP uses this captured information of authorized AP to create clone of authorized AP. After successful creation of the clone, the attacker tries to attract users who normally connect to authorized AP. Victim as shown in figure the, User3, User 4 & smartphone 2 are easily attracted to Evil Twin AP, because of maximum signal strength and better bandwidth which they get from Evil Twin AP. They also think that they are connected to authorize AP. Now Evil Twin AP performs the attack on these users by providing WAN services. It also steals the important information of these connected nodes and victim never knows about this. Figure 2: An example of Evil Twin AP III. LITERATURE SURVEY Lots of research is going on for prevention & detection of evil twin access point. Different technique used by industry people & academic researchers. These techniques further divided into client side, server side and hybrid approaches. The oldest method to detect Evil twin access point is to compare different parameters like MAC address, IP address, SSID. If all these parameters are same then we can say that the access point will be authorized one. But attackers are very smart by using d ifferent software tools they can easily steal authorized user s different parameters and using this create Evil twin AP. Even if we monitor wireless traffic it is easy to get such type of information. In server side approach, Central server which is connected to the wired & wireless network. On this central server Evil twin access point detection tool is installed, by using this tool whole network continuously monitor and check that if any unauthorized client is connected in network. After specific time interval it checks the status of each AP in the network. And generate the result, whether AP is authorized or unauthorized. In client side approach, different techniques are used, in first technique client called as a thick client, where Evil-Twin AP detection tool is installed on client side, using this tool client decide whether it s connected to authorized or evil twin AP. In second technique client called as a thin client, where Evil Twin AP detection tool is available at server side, the client request for verification of AP and depending upon result generated by server client decide whether to connect to AP or not. Academic researcher also contributed for detection of malicious AP. Industry solutions are also useful. Air Defense & AirMagnet these are the some commercial products are useful for prevention of malicious AP. Academic researchers and Industry people are works on to find a improved solution for the detection of Evil Twin AP. There are some methods which focus these problems. Every method uses different parameters to get a solution which causes a different rate of success for fake AP detection. Air Defense [2] it is a commercial product which deploy sensors in the network. With the help of sensor it manages up to 10 APs. It detects the attackers & vulnerabilities in the network. It is very useful network monitoring tool, especially for wireless network. But the slow response time for detection of Evil Twin AP is the big drawback. Time require for verification of AP is high. That s the sufficient time for attacker to understand and attack the network. AirMagnet [1] is another commercial product which is used for detection of vulnerabilities and intrusions. It not only detect unauthorized APS but also denial of service attack by flooding technique. The drawback with this system is that, system administrator is always moving around the network for detection of security threats in network. Qiang Xu et al. [5] proposed device fingerprinting solution for unauthorized AP detection. They create a whitelist database where authorized AP information is stored with some parameters. Every time it checks Available AP in the network with the parameter listed in Whitelist. If it found any unmatched parameter during comparison then it discarded that AP from the network. It is a very good solution for Evil Twin AP detection, but it considers only few parameters for comparison which is not 3

4 sufficient for unauthorized AP detection. Even in some cases it banned authorized AP from the network because of some vulnerable parameter mismatching. Songrit Srilasak et al. [7] provides combined solution for detection and counterattack the malicious AP. It has a central server which is used to collect the wireless data by using its own access point. First it analyze the wireless data and then it detect the malicious AP. After analyzing the data if it found rogue access point, then the central system uses the switch to disable a port to which rogue access point is connected. This technique gives effective and low cost solution which works on any existing wireless infrastructure. But if the central system takes the wireless data from rogue access point for analysis, then the whole system will collapse. The drawback with this approach is we want to rely on a central server for detection and if because of heavy network traffic if the central server is not available then network in critical condition which is easily vulnerable to attacks. Wei et al. [8] implement sequential hypothesis test for unauthorized AP Detection. In this technique, they monitors incoming traffic at router and take a decision about TCP-ACK pairs which are passively collected. Roth et al. [6] implemented systematic approach which helps the user to detect evil twin AP in a wireless network. In this technique short authentication string protocol is used for the purpose of cryptographic key exchange. Verification of short string is done by encoding the short strings as a sequence of color, carried out sequentially by user device and from particular access point. S. Jana et. al. [4] provides a server side solution using clock skews of access point in a wireless network. They use clock skews as a fingerprint to differentiate malicious AP with beacon frames. Detection of MAC spoofing is difficult in this approach. Calculation of clock skews in TCP/ICMP required more time and lack of accuracy shows drawbacks in system. It causes a heavy weighted solution. Even with some drawbacks positives from this method which includes it measure the effects of temperature variations, virtualizations and Network Time Protocol (NTP) synchronization on clock skews. Clock skews is most important parameter which acts as fingerprint so will be unique to each access point. IV. PROPOSED SYSTEM Evil Twin AP detection is a challenging task. The Current technique handles different attacks like Man in the Middle attack, spoofing attack etc. But these techniques will not work for different scenarios. The main drawbacks of many techniques is they work for detection of Evil Twin AP, but prevention policy is not present with these mechanisms. We proposed a novel approach which considers parameters like MAC address, SSID, RSSI value, and 12 bit sequence no. field in IEEE frame. Figure 3 : System Architecture Evil Twin AP detection mechanism works in two different modes, It is initially work for Data collection MODE and with the help of collected data from data collection mode used in verification mode. Data collection mode The data collection mode is used to gather the information parameters like MAC address, SSID, RSSI value, and 12 bit sequence no. field in IEEE frame. This information is used for comparison between authorized and malicious AP. In data collection mode, there are two important phases which can be used for getting above information. Figure 4 : Working of Data Collection Mode 4

5 Wireless traffic capturing Phase In this phase we can use a software tool like Aircrack suite, in which airmon-ng tool can be used for capturing wireless traffic from the network. This tool is very useful to distinguish wired and wireless traffic. It s also useful to capture encrypted wireless traffic. By using this tool we capture wireless traffic by putting our wireless network interface card in monitoring mode. It is used to capture beacon and management frame in a wireless network. We here consider not only the Beacon frame, but also management frame because in some network beacon frames are blocked. After monitoring Wireless traffic we get detailed information of each & every AP in the network. Packet Data Extraction Phase In this phase, each and every wireless packet extracted for required information. From these packets we get detailed information about sender, receiver of packets. Here we concentrate on only few specific parameters like SSID, MAC address of AP, RSSI & Sequence no etc. In the packet header field, we get SSID & MAC address and with data field, we get a frame sequence no & RSSI value. Verification Mode In verification mode two important tasks will perform, In first task, it will create a list of all authorized access point with given parameters and in next task, it will compare this list with current list with given parameters and if it found some changes in parameter values then it will disassociate that AP from network. Authentication Information generation phase It takes the input from packet data extraction phase and create a list of all authorized access point with the parameters given in figure 5. Figure 5: Parameters for Authentication Analysis Phase After specific time interval data collection mode gather the data and verification mode generate the list with the given parameters. It always checks the current parameter values with previous values. In comparison it initially check SSID, if it is not same then it immediately prevent that AP to access from network. Next it take MAC address field if SSID is same and MAC address is different then it add that AP in prevention list, But if it found both MAC and SSID same, but RSSI value is different then it checks the current RSSI value with previous value and if the difference will be in between +10 to -10 then it consider it as authorized AP if difference is more than that then it will consider it as Evil Twin AP. There are always few changes in RSSI value because of environmental effect and distance between nodes and AP. Finally, it checks for Sequence no of frames. For that it checks previous frame and current frame sequence no. If the difference between the values is multiple of 12 then its fine, but if it is not multiple of 12 then it is Evil Twin AP. This technique efficiently detect the Evil Twin AP, but environmental condition can affect the RSSI value. Nodes like a smartphone because of mobility causes a drastic change in value of RSSI. But if we use normalization techniques to normalize the RSSI value, then it will reduce these previous problems with RSSI value. Prevention To block Evil Twin Access point we concentrate on the MAC address of access point. We create a list called as Banned AP where we can put these MAC addresses. Every node always goes through this list before connecting to any AP. If it is found in the Banned AP list, then it will never connect to this AP. V. FUTURE SCOPE In future scope, we use an RSSI value as a one parameter in detection mechanism, using this parameter we can easily find the approximate distance in between access point and node. In current scenario we consider parameters like SSID, MAC address, RSSI value & Frame sequence no. We will add more parameters for evaluation, which include Frequency and channel used by AP. Adding more parameters creates robust system for Evil twin detection mechanism. VI. CONCLUSION The Evil Twin access point detection system has been a major research area because of increased in use of wireless network in public places. In this paper, we proposed a novel approach for detection & prevention of Evil Twin AP by comparing important parameters like SSID, MAC address of AP, RSSI values and frame sequence number. Existing Technique does not provide a lightweight solution. But the proposed solution provides a lightweight solution with minimum delay. This system is scalable, cost effective and easy to deploy on any wireless 5

6 network without modifying existing wireless network. This system works on some specific parameters. By increasing more parameters will create a system more robust. So there still remains considerable scope for future research by adding more parameters. REFERENCES [1]Airmagnet. Available: airmagnet.com [2]Air defense enterprise: WIPS. Available: [3]Hot for Security. Hot for security.com [4] S. Jana S. Jana and S. K. Kasera, On fast and accurate detection of unauthorized wireless access points using clock skews, in Proceedings of the 14th ACM international conference on Mobile computing and networking, ser. MobiCom 08. New York, NY, USA: ACM, 2008, pp [5] Qiang Xu, Rong Zheng and Zhu Han, Device Fingerprinting in Wireless Networks: Challenges and Opportunities, IEEE Communication surveys & Tutorials, Vol- 18,No-1, 2016 [6] Roth, V., Polak, W., Rieffel, E. and Turner, T., (2008). Simple and effective defense against Evil Twin Access Points. WiSec 08, March 31 April 2, 2008, Alexandria, Virginia, USA [7] S. Srilasak, K. Wongthavarawat and A. Phonphoem, Integrated Wireless Rogue Access Point Detection and Counterattack System International Conference on Information Security and Assurance, (2008). [8] W. Wei, K. Suh, B. Wang. J. Kurose and D. Towsley, Passive online rogue access point detection using sequential hypothesis testing with TCP ACK-pairs. In Proc. 7th ACM SIGCOMM conference on Internet measurement, (2007). [9] T. Kim, H. Park, H.Jung and H. Lee(2012) Online detection of fake access points using Received Signal Strength [10] G. Shivraj, M. Song and S. Shetty, A hidden markov model based approach to detect rogue access points IEEE, ,2008. [11] H. Han, B. Sheng, C. Tan, Q. Li,and S. Lu A timing based scheme for Rogue AP detection, IEEE Transactions on parallel and distributed systems, vol. 22, no-11, November 2011 [12] S. Vanjale, P.B. Mane, S. Thite Elimination of Rogue access point in Wireless Network, International Journal of Scientific & Engineering Research, Volume 4, Issue 12, December-2013 [13] K. kao, I-En Liao, Y-C Li, Detecting rogue access points using client-side bottleneck bandwidth analysis, ScienceDirect, computers & security 28 (2009), [14] S. Vanjale, S. Thite, A novel approach for fake access point detection and prevention in wireless network, International Journal of Computer Science Engineering and Information Technology Research (IJCSEITR), Vol 4, Issue 1, Feb 2014,