With a wireless LAN hotspot, how do you know if you're connecting to a fake or real access point?
Fake access points (APs) pose a particularly thorny problem because, in many public hotspots, you don't really know what the authentic AP and login page should look like. If you get tricked into connecting to a fake AP, that "evil twin" is in the perfect position to launch man-in-the-middle attacks against you. A fake AP can display a hotspot login page that looks exactly like a legitimate login page to solicit your credit card number. It can intercept VPN connect requests and attempt to pose as the legitimate VPN gateway. It can even try to mimic any SSL-protected website you might try to visit.
In all of these attacks, the fake AP (and the server behind it) is trying to exploit your failure to authenticate who you're talking to -- from the hotspot AP and login portal, to the VPN gateway and SSL server. Therefore, your best defense is to insist on server authentication before you supply any sensitive information (e.g., password, credit card number).
I recommend the following to avoid fake APs:
Always take advantage of WPA or WPA2 in hotspots that support this option (e.g., T-Mobile, iBAHN). In those hotspots, you can avoid fake APs altogether by configuring your laptop's Wi-Fi connection to check the hotspot authentication server's certificate, or installing a hotspot connection manager that does this for you automatically.
If you use many different public hotspots, you may have subscribed to a hotspot roaming service like iPass or Boingo. Those roaming clients use SSL to log you in to a central authentication server and automatically authenticate that server during login. Although you might still connect to a fake AP, roaming clients prevent you from being tricked into using a fake login portal.
If you use hotspots that don't support WPA or WPA2, I recommend using a VPN to encrypt private data. In this case, configure your VPN to resist fake AP man-in-the-middle attacks by requiring gateway authentication prior to user authentication. For example, avoid IPsec VPNs that use XAUTH to solicit user passwords without proving gateway identity.
If you visit SSL-encrypted websites at hotspots, don't assume that an "https" URL means that you have reached the legitimate Web server. It's easy for a fake AP to redirect your requests to a fake server that has a self-signed certificate. Here, the onus falls on you and your browser to verify the server's certificate. Don't ignore browser prompts about invalid certificates and make sure that the server certificate was actually issued by a trusted root authority.
Finally, keep your eye on wireless connection behavior in public hotspots. You might find yourself toggling back and forth between a legitimate AP and the fake AP, or being tricked into auto-connecting to another SSID in your preferred network list. These and other symptoms of attacks on wireless clients can be detected by host-resident wireless IPS programs.
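As an added illustration (not part of the original answer) of what a host-resident detector can look for, the following script applies two heuristics to a constructed, simplified association log: the "toggling" symptom described above (the client repeatedly reassociating to different BSSIDs that all advertise the same SSID), and, going one step beyond the text, the same SSID being offered both encrypted and open, which is how a fake AP often presents itself. The log format and every SSID, BSSID and timestamp are constructed for the example, not real wpa_supplicant output.

```python
"""Host-side evil-twin heuristics over a constructed association log.

Each line of the (constructed, simplified) log has the form:
    <epoch-seconds> CONNECTED ssid=<name> bssid=<mac> sec=<WPA2|WPA|OPEN>
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: one legitimate WPA2 AP, then rapid flapping to a second
# BSSID that advertises the same SSID without encryption.
SAMPLE_LOG = """\
1200390000 CONNECTED ssid=HotelNet bssid=00:11:22:33:44:55 sec=WPA2
1200390030 CONNECTED ssid=HotelNet bssid=66:77:88:99:aa:bb sec=OPEN
1200390055 CONNECTED ssid=HotelNet bssid=00:11:22:33:44:55 sec=WPA2
1200390080 CONNECTED ssid=HotelNet bssid=66:77:88:99:aa:bb sec=OPEN
1200391000 CONNECTED ssid=HomeWiFi bssid=de:ad:be:ef:00:01 sec=WPA2
"""

def parse(log: str) -> List[dict]:
    """Turn CONNECTED lines into dicts with ts, ssid, bssid and sec keys."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        if kind != "CONNECTED":
            continue
        rec = dict(pair.split("=", 1) for pair in kv)
        rec["ts"] = int(ts)
        events.append(rec)
    return events

def find_suspicious_ssids(log: str, window: int = 300, min_flaps: int = 3) -> Dict[str, List[str]]:
    """Return {ssid: [reasons]} for SSIDs that show evil-twin symptoms."""
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for ev in parse(log):
        by_ssid[ev["ssid"]].append(ev)
    findings: Dict[str, List[str]] = {}
    for ssid, evs in by_ssid.items():
        reasons = []
        bssids = {e["bssid"] for e in evs}
        # Symptom 1: consecutive associations to different BSSIDs within
        # `window` seconds. Legitimate roaming between APs of one network also
        # changes BSSID, so the flap count is a threshold, not proof.
        flaps = sum(1 for a, b in zip(evs, evs[1:])
                    if a["bssid"] != b["bssid"] and b["ts"] - a["ts"] <= window)
        if len(bssids) > 1 and flaps >= min_flaps:
            reasons.append(f"flapped {flaps} times between {len(bssids)} BSSIDs")
        # Symptom 2: the same SSID seen both encrypted and OPEN (security downgrade).
        secs = {e["sec"] for e in evs}
        if "OPEN" in secs and len(secs) > 1:
            reasons.append("same SSID seen both encrypted and OPEN")
        if reasons:
            findings[ssid] = reasons
    return findings

if __name__ == "__main__":
    for ssid, reasons in find_suspicious_ssids(SAMPLE_LOG).items():
        print(f"{ssid}: {'; '.join(reasons)}")
```

Tune `window` and `min_flaps` to the environment; a single hotel or campus network may have several legitimate BSSIDs, so the downgrade check is usually the stronger signal of the two.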
To learn more, read this tip on defending Wi-Fi clients: Wireless security -- Defending Wi-Fi clients.
This was first published in January 2008