Steps to take when being targeted by "Evil Twin" WiFi attack?

I'd like to ask for help, maybe steps on what to do, when being targeted by an "Evil Twin" attack.

My question is related to this: "SSID with very similar name, is this an attempt of hacking?" But I'm quite certain it is an attack in my case, and I need countermeasures rather than just making certain that it is an attack.

I would also like to point out that I'm not a security/network professional, although I'm a software developer student. I merely noticed what is happening because I often read articles on various interesting IT topics.

The story:

About a month ago, I noticed a WiFi network with the exact same name as mine (Paternoszter), appearing on my laptop WiFi list when I'm home. It is an open network, unlike mine, which is password protected (only).

For the first few days I paid not much attention other than making sure I'm connecting to my own network, but then my network started "disconnecting" and reconnecting to the "fake" one, this is when I turned off my WiFi, and also my router.

At this point I reported the incident to the authorities, filled the forms, sent screenshots and all they asked for. I got a promise that "they will look into it". I used my computer only on LAN for a week after, but the duplicate network still persists. (It is there even when I unplug my router from electricity.)

A month passed, nothing has changed, but I'm too afraid to use my own WiFi network. It is annoying because I have zero experience with things like this, I used 3 tutorials just to do my router settings. I don't know what I could do.

Are there any further steps a beginner like me can take? I had hoped that they would give up by now.

UPDATE (2017.06.20.): Three days after this post the "twin" disappeared, but as I had no idea why, I haven't yet posted anything. It turned out authorities have looked into it, but I was told that they cannot tell me anything during the investigation. I want to hereby thank all the comments, it helped me calm my nerves!


Solution 1:

Your comment said that when you changed your SSID, then changed it back the 'evil twin' network did the same. Couple that with the fact that you admit not being terribly knowledgeable in networking leads me to believe this could possibly be a guest SSID or another SSID for a different frequency (2.4GHz vs 5GHz) as detailed in your linked question. Look for Guest or 5GHz in your router settings to confirm. If you can't understand feel free to post your router model & maybe one of us can

Solution 2:

This is more on the "finding out what is going on" side rather than being a direct fix.

Grab your smartphone, go to the relevant app store, and download one of the wifi analyser applications.

Turn off your wifi, or your whole router.

Use the signal strength reading from the wifi analyser to identify where the problem SSID is being broadcast from. This answerer found that his "duplicate SSID" was being broadcast from a local device, which he was able to locate. Even if you cannot gain access to where the device is, you should be able to narrow its position down well enough to easily tell you who is doing this, i.e. which neighbour.

Solution 3:

The best way to defend against an "evil twin" attack is to configure a new SSID and disable broadcast. When you disable broadcast on your SSID, you will no longer see it on your PC/Mac WiFi network lists. You'll have to physically type it in along with the WPA2-PSK passphrase. This way, no one will see your SSID. When configuring a new SSID, try something totally different than "Paternoszter" or "Paternoszter2" or "Paternoszter3". Make it a new SSID name. Hope this helps.

Solution 4:

While it's probably legal to match the SSID, it appears quite risky to me. If someone decides to provide an "open evil twin" network, it can backfire in at least two ways:

  1. others could simply use it (with strong crypto) and exhaust monthly data quota/trigger speed throttling,

  2. unknown users could use it for illegal things (file sharing, sending blackmail letters, whatever), which would be traced back to the "evil twin" operator.

With this in mind, you could just put up "free WLAN" signs to attract other (anonymous) users. This might make the rogue access point operator think twice :)

Solution 5:

Locating the offending device is the #1 thing you should be doing. I would also use Wi-Fi analyzer as Baldrickk suggested.

If this is something that is scaring you to the point where you don't want to use Wi-Fi, the #2 thing you need to do is protect yourself from future attacks.

WIPS/WIDS technology is new enough that it could be difficult for you to set up manually and expensive to buy a commercial solution.

More information about Wireless Intrusion Prevention Systems:

https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_system

There is a low-cost home solution I am aware of called the FingBox, and it has numerous features to give you control and information about your wireless network. It can also detect some attacks, like the Evil Twin and a de-auth flood.

https://www.fing.com/products/fingbox/

If you want to try your hand at rolling your own system, here is the open-source solution:

http://openwips-ng.org/

Even if you had a WIDS system capable of detecting the Evil Twin you would still need to track down the device physically and confront the owner. The good news is that it's likely within walking distance.
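
Added example, not part of any answer above: a small Python sketch of the checks Solutions 1, 2 and 5 describe, run over Wi-Fi analyser readings noted down while walking around. It labels every access point that broadcasts your SSID as your own, probably a guest or second-band radio of the same router, or a suspected twin, and reports where each was heard loudest. The CSV layout, the sample rows, the BSSIDs and the function names are constructed for illustration, and the shared-prefix rule is a heuristic assumption, not a standard.

```python
import csv
import io

# Constructed sample readings (not real data), one row per AP per location.
SAMPLE_SCAN = """\
location,ssid,bssid,security,signal_dbm
living room,Paternoszter,aa:bb:cc:00:11:20,WPA2,-41
living room,Paternoszter,aa:bb:cc:00:11:21,WPA2,-48
living room,Paternoszter,02:de:ad:33:44:55,OPEN,-67
hallway,Paternoszter,02:de:ad:33:44:55,OPEN,-58
north wall,Paternoszter,02:de:ad:33:44:55,OPEN,-44
living room,OtherNet,10:20:30:40:50:60,WPA2,-70
"""


def classify(bssid, my_bssid):
    """Label an AP that broadcasts my SSID, relative to my own BSSID."""
    if bssid == my_bssid:
        return "mine"
    # Heuristic (assumption): guest and second-band radios of one router
    # often share the first five octets of the router's BSSID.
    if bssid.rsplit(":", 1)[0] == my_bssid.rsplit(":", 1)[0]:
        return "likely-same-router"
    return "suspect-twin"


def analyse(scan_csv, my_ssid, my_bssid, my_security):
    """Return {bssid: details} for every AP broadcasting my_ssid."""
    my_bssid = my_bssid.lower()
    report = {}
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["ssid"] != my_ssid:
            continue
        bssid = row["bssid"].lower()
        entry = report.setdefault(bssid, {
            "label": classify(bssid, my_bssid),
            "security_differs": row["security"] != my_security,
            "readings": [],
        })
        entry["readings"].append((int(row["signal_dbm"]), row["location"]))
    for entry in report.values():
        # dBm values are negative: the one closest to 0 is the strongest.
        entry["strongest_at"] = max(entry["readings"])[1]
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_SCAN, "Paternoszter", "aa:bb:cc:00:11:20", "WPA2")
    for bssid, info in result.items():
        print(bssid, info["label"], info["security_differs"], info["strongest_at"])
```

A BSSID is chosen by whoever operates the access point, so a matching prefix is a prompt to check the router's guest and 5 GHz settings, not proof that the network is yours.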