
The evil twin is not just a schlocky plot device for TV crime shows and absurd soap operas, it’s also a threat to your company’s data.

It’s relatively easy for a criminal to set up an evil twin rogue wireless access point that mimics one that your users and visitors connect to, whether on your premises or in a public place, with the intention of stealing usernames and passwords.

That’s one of the reasons why it’s such a good idea to always use a VPN, creating an encrypted tunnel between your computer and a third-party server and preventing snoopers from intercepting information en route.

But a new tool offers the promise of more proactively warning network administrators if there is a rogue “evil twin” access point in the vicinity.

Called EvilAP_Defender, the tool is designed to alert administrators if a suspected evil twin is discovered.

The tool is able to discover evil APs using one of the following characteristics:

  • Evil AP with a different BSSID address
  • Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
  • Evil AP with the same BSSID and attributes as the legitimate AP but a different tagged parameter, mainly a different OUI (tagged parameters are additional values sent along with the beacon frame; currently no software-based AP gives the ability to change these values, as software-based APs are generally poor in this area).
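An added example, not code from the EvilAP_Defender project, showing how the three criteria above can be applied to beacon records captured in a "learning mode" baseline; the Beacon fields, the baseline layout and the constructed sample beacons are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed example: classify observed beacons against a learned baseline of
# legitimate APs using the three criteria described above. Field names are
# assumptions made for this example, not the tool's own data model.

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # AP MAC address as carried in the beacon
    channel: int
    privacy: str      # e.g. "WPA2"
    cipher: str       # e.g. "CCMP"
    auth: str         # e.g. "PSK"
    vendor_oui: str   # OUI seen in the beacon's vendor-specific tagged parameters

# Attributes compared by the second rule (same BSSID, different attribute)
ATTRS = ("channel", "privacy", "cipher", "auth")

def learn_baseline(beacons):
    """Learning mode: record every legitimate AP, keyed by SSID then BSSID."""
    baseline = {}
    for b in beacons:
        baseline.setdefault(b.ssid, {})[b.bssid.lower()] = b
    return baseline

def classify(baseline, seen):
    """Return None for a known-good beacon, otherwise the name of the rule that fired."""
    known = baseline.get(seen.ssid)
    if known is None:
        return None                                  # SSID we do not protect
    legit = known.get(seen.bssid.lower())
    if legit is None:
        return "rogue: different BSSID"              # rule 1
    changed = [a for a in ATTRS if getattr(legit, a) != getattr(seen, a)]
    if changed:
        return "rogue: same BSSID, different " + ",".join(changed)  # rule 2
    if legit.vendor_oui.lower() != seen.vendor_oui.lower():
        return "rogue: same BSSID and attributes, different OUI"   # rule 3
    return None

def scan(baseline, beacons):
    """Return [(bssid, verdict)] for every beacon that matches a rogue rule."""
    out = []
    for b in beacons:
        verdict = classify(baseline, b)
        if verdict is not None:
            out.append((b.bssid, verdict))
    return out
```

In practice the baseline should be learned per channel actually used by your APs and re-verified after any legitimate configuration change, otherwise rule 2 will flag your own APs.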

But the EvilAP_Defender tool offers to take things one step further, launching a denial-of-service (DoS) attack against rogue access points that it discovers in order to reduce the chances of users endangering their data by connecting.

In order to help it identify friendly networks (and presumably avoid “friendly fire”), network administrators can run the EvilAP_Defender tool in a “learning mode” first.


The tool’s developer Mohamed Idris says that he will continue to add new features to EvilAP_Defender, and there’s some discussion on Reddit about what new versions of the tool might be capable of doing.

But the counterattack capabilities of EvilAP_Defender obviously raise some interesting legal questions.

In most countries around the world, it would be considered illegal to launch an attack against somebody else’s computer without their permission, so if you use EvilAP_Defender to DoS an evil twin access point without getting the attacker’s go-ahead first, aren’t you yourself committing a criminal act?

Mind you, there might be some sneaky ways of getting around that. As a comment left on The Register amusingly points out, seeing as the rogue access point is disguised as one of your own company’s access points, you might be able to convincingly argue that you were merely “stress-testing” your access point’s resilience to a denial-of-service attack rather than booting away an attacker.

Comment in The Register

I am not a lawyer, and I’m sceptical if any law enforcement agency would pursue you if you chose to protect your WiFi users in this way, but it’s clearly an area where you should tread very carefully.

One thing is clear. More and more organisations are choosing to become more proactive in defending their users and corporate data from attackers.

Increasingly we will see companies taking the fight to the attackers, rather than simply defending themselves, just as we have seen countries bluster about pre-emptive strikes against foreign hackers.

The jury is still out as to whether that’s a sensible road to go down or not, but make sure that you have taken adequate steps to protect your users and your corporate data from evil twin attacks.

That means:

  • Not just relying on the name of a WiFi network before deciding whether it can be trusted as legitimate or not.
  • Where possible, restricting browsing on public WiFi networks to websites that do not require login credentials, and never using them for sensitive data. 3G mobile connections, for instance, can typically be considered much safer than public WiFi.
  • Running a VPN to ensure that any browsing and transmitted data is done through an encrypted tunnel that cannot be easily snooped upon by malicious parties.

Would you feel comfortable running a tool like this at your company? Would you launch an attack against a suspected evil twin? Leave a comment below sharing your point of view.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.

  • moha99sa

    Nothing is illegal here. The tool doesn't attack the hacker it denies network users from connecting to the Evil Access Point.

    • Coyote

      tl;dr (I know it is probably too long still):
      I've reported scans (network scans) to the abuse contact of a host (this has happened more than once) because they were a webhost (which implies here that they were doing nothing wrong but were a victim themselves), and as such it was pretty obvious that they had a customer that was compromised and that victim was being used to scan (potential) additional victims. What if I DoS'd them? Not everything is what it seems to be! They did nothing wrong (they were a victim) but where would I be with the law and where would I be ethically ? It is worth repeating: not everything is what it seems to be! In addition, laws have loopholes and those loopholes often protect the perpetrator, even for laws you would never expect the perpetrator to use to their advantage. But it happens – a lot. I really do understand this type of thinking – I really do understand what revenge is, what inspires it, and so this point is from understanding a certain (probably 'negative') part of life: revenge is revenge. Read that again if you need to. Read it many times until you understand it (otherwise, tread very cautiously).

      While I understand your point, it seems you are the author so you're surely defending your own work and therefore you can't really say this isn't a conflict of interest, can you? That leaves you little left (of course, if you aren't, then that is irrelevant and there isn't a conflict of interest). But wait – I also sympathise with you (or 'the author') – attacks (of which I will not call 'hacking' … and neither will I even get in to that …) are a thorn to the side of every administrator and actually all legitimate users. However, your logic just doesn't work 100% of the time (and is ultimately flawed). Laws by their very nature have loopholes and those loopholes can and do protect those who are doing wrong in the first place. Considering that (and even not), I'm afraid this is vigilantism (and vigilantism is… vigilantism) and when you're doing wrong yourself (or potentially defined 'wrong') yourself, especially with the law in tow, you're playing a dangerous game with fire (it also sets a bad precedence for yourself, see my previous point on revenge).

      I promise you this: the law isn't as simple as you think (or would like to believe) it is – loopholes are a real problem and that is why laws have them; they're designed to be abused (and I categorise misinterpret and being up for multiple interpretations as being abused). As for abuses of law (let's say 'loophole' is involved although there is more to it):

      Good example where the so-called victim can be the perpetrator: IT. Ignoring that corporations sometimes abuse these, consider patent trolling – the amount of things patent trolls obtain rights for, things that they did not create/come up with/etc. and for which it should be impossible to have a patent for in the first place… is scary. They do this and then go after companies (and any entity they can find that they can harass) that are supposedly abusing their supposed patent, and then wasting their time, making them acquire legal advice (or additional, perhaps) and sometimes succeeding in it. It is petty theft but legal petty theft all because of the serious loophole in patent protection (and that includes that copyright/etc. law doesn't involve a 1:1 internationally), something that is supposedly meant to protect others innovations … but often fails… perhaps there's flaws in the law itself? (I know many would say yes because some things are defined as property when they really shouldn't be, and given that so much of these things evolve over time, it has the potential to stifle innovation and unfortunately it often does]. It is a law though, and it is not unlike other laws in that regard.)

  • It is a nice post to making us aware about it.

  • Daniel

    Most Enterprise wireless systems already have this feature built in. My Aerohive AP's have WIPS (wireless intrusion prevention system), and I know Ruckus and other similar vendors do the same thing.

  • Steve

    I implemented a wireless man-in-the-middle years ago that relayed frames between two wifi interfaces on different channels (it did minor edits to beacons and could issue channel change actions toward stations on the original channel). So this idiotic "defense" would detect an "evil twin" (same BSSID, same MAC, different channel) and then start DoSing – which the mitm would then copy back to the original channel. An own goal and extremely stupid. Without the "active defense" this idea would never get any publicity. Yet it's stupid because I can DoS the original LAN much more effectively than this idiot can and once you've decided to get into that game you're onto a loser (hint: 802.11 provides NO guarantee of availability).

    Discovering "evil twins" isn't hard (they aren't actually trying to hide) but there are complications – do you scan all the channels in the band (even those not used for 802.11 in the host country). What about the different bands (those in the 5GHz space) or PHY modes other than those used by the legal access points? What if an adversary is trying to hide and only beacons until its hooked a client (and you aren't guaranteed to see any client-directed beacons/channel changes if MIMO or directional antennas are used)?

    Sorry, this is a non-story about someone with no real contribution to make.

  • Lily Cadence

    I got a lot of viruses that came from Wifi to my POS device. Tell me please how I can protect my payment software from such a trouble?

    • Steve From IT

      I’m nine months late, but you should find someone to set your Wifi, PoS, and corporate networks to be on separate VLANs, if not completely separate networks.

  • Agent Hunk

    What about Starbucks wifi? I wish to learn how to identify real from fakes..

    • Dominic Lewis

      Yeah, I think they’re secured by AT&T IIRC but you can’t be sure enough unless you take precautionary steps and are fully aware of the red flags/giveaways.

  • Steve from IT

    It seems like the current iteration instead performs DoS against the users, not the WAP. This is less legally questionable, as you can tell users that you reserve the right to DoS them if necessary for security, and they agree to that by connecting, blah blah. That way you’re not violating the CFAA when you DoS them.
