Every year, corporate laptops connect to hundreds of Wi-Fi networks that are not under the direct control of our organizations. Employees travel and connect to public networks in airports, parks, or on public transport, as well as to networks that appear to be better protected, in hotels or other businesses.

All of these Wi-Fi access points, especially the public ones, are an opportunity for attackers to reach the sensitive information stored on corporate laptops. Even access points that look more secure carry risk, because they may not be the access points we think we are connecting to. This is the case with evil twins, a threat we highlighted as one of the most dangerous for mobile security in the coming year.

This kind of attack has already become a reality in the last few months: the US Department of Justice indicted seven attackers who allegedly belonged to the Russian intelligence services. Their goal was to steal credentials from the laptops of staff at anti-doping agencies, nuclear energy companies, and chemical laboratories. But how did they do it?

Bait and hook

The Russian attackers used a set of tools that included 4G LTE routers, a mini server, and IEEE 802.11 Wi-Fi antennae (802.11 being the family of standards behind almost all Wi-Fi), all hidden in the boots of rental cars. They parked these vehicles close to places where their victims would connect to the Internet: hotels, bars, restaurants… From that physical proximity, their devices broadcast the same SSID (Service Set Identifier, the network name that Wi-Fi enabled devices display when choosing a network) as the legitimate network at each location. Because a client identifies a network by its SSID rather than by the hardware address of the access point, a laptop that had joined the real network before would associate with the copy, often automatically, and with a stronger signal from the car park the copy would frequently win. What’s more, so as not to raise suspicions, once the victim took the bait and connected to the fake network, they were given real high speed Internet access via the LTE routers, so nothing appeared to be wrong.

This way, the users under attack believed that they were connected to a legitimate Wi-Fi access point. In fact they were connected to a malicious access point that looked just like the real one, set up by the attackers so that all traffic from the victim’s corporate laptop passed through their hands and sensitive information, such as login credentials, could be stolen.

[Image: evil twin attack setup] Source: Wired / Department of Justice

How can we protect against evil twins?

From the point of view of companies that provide their customers with Wi-Fi networks, such as hotels or restaurants, the important thing is to offer as secure a connection as possible. This means WPA2 encryption with a password rather than an open network, and the use of user logins. For the same reason, it is a good idea to use login pages that require secure passwords, or even ones that require users to register first. None of this totally eliminates the risk of an evil twin: an attacker who has seen the network once can clone the login page, and can offer WPA2 with the same shared password if it is handed out at reception. It does, however, make an impersonation harder to get right, and it gives users something to check: an open SSID without the usual login page, where one is normally expected, should arouse suspicion. Where the venue controls the clients as well, WPA2-Enterprise (802.1X) with the client configured to validate the authentication server’s certificate closes the gap properly, because a twin cannot present a certificate the client trusts.

Secondly, companies can in fact go one step further. Evil twins that imitate their access points can be detected and reported with a wireless intrusion prevention system (WIPS). These solutions consist of dedicated sensors that continuously scan the radio spectrum in the surrounding area and compare what they see against an inventory of authorized access points: an access point broadcasting the company’s SSID from an unknown hardware address (BSSID), or with a different security configuration than the legitimate network, is flagged as rogue, and many systems can also alert staff or actively disrupt the rogue access point.

On the other hand, for employees with corporate laptops who connect to Wi-Fi networks outside the organization’s control, awareness training is key. They must be wary of access points with suspicious SSIDs, and all the more so when a network belonging to a business that normally presents a login page and asks for credentials suddenly appears open or does not ask for them.
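The two checks described above, the WIPS comparison of scan results against an inventory of authorized access points and the simpler check a client can make on its own, are illustrated below in Python. This is an added example, not code from the original article or from any vendor product; the inventory, the saved client profiles and the scan results are all constructed for the example, and a real deployment would feed it records parsed from a WIPS sensor or from a tool such as `iw dev wlan0 scan`.

```python
"""Rogue access point (evil twin) detection over constructed scan records.

Added example, not part of the original article. Assumes scan output has
already been parsed into Observation records and that the organisation
keeps an inventory of authorised BSSIDs per SSID.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ssid: str       # network name, the only thing most users look at
    bssid: str      # access point MAC address, which a twin cannot easily share
    channel: int
    security: str   # "open", "wpa2-psk" or "wpa2-eap"
    rssi: int       # signal strength in dBm


# Constructed inventory: authorised BSSIDs (and their security) for each SSID we operate.
AUTHORIZED = {
    "HotelGuest": {"a4:2b:8c:11:22:01": "wpa2-psk", "a4:2b:8c:11:22:02": "wpa2-psk"},
    "Corp-Secure": {"a4:2b:8c:11:22:10": "wpa2-eap"},
}

# Constructed scan results, as a WIPS sensor or a client might see them.
SCAN = [
    Observation("HotelGuest", "a4:2b:8c:11:22:01", 6, "wpa2-psk", -55),
    Observation("HotelGuest", "a4:2b:8c:11:22:02", 11, "wpa2-psk", -62),
    # Evil twin: unknown BSSID, open network, strongest signal in the room.
    Observation("HotelGuest", "de:ad:be:ef:00:01", 1, "open", -40),
    Observation("Corp-Secure", "a4:2b:8c:11:22:10", 36, "wpa2-eap", -60),
    # Evil twin: copies the SSID but downgrades 802.1X to a shared key.
    Observation("Corp-Secure", "de:ad:be:ef:00:02", 36, "wpa2-psk", -45),
    # Somebody else's network; not ours to police.
    Observation("CoffeeShop", "00:11:22:33:44:55", 6, "open", -70),
]

# Constructed client-side profile store: what the laptop remembers from earlier joins.
KNOWN_PROFILES = {"HotelGuest": "wpa2-psk", "Corp-Secure": "wpa2-eap"}

SECURITY_RANK = {"open": 0, "wpa2-psk": 1, "wpa2-eap": 2}


def find_rogues(scan, authorized):
    """WIPS-style check: return (observation, reasons) for every access point
    that advertises one of our SSIDs from a BSSID we do not own, or with a
    security configuration our real network does not use."""
    findings = []
    for obs in scan:
        expected = authorized.get(obs.ssid)
        if expected is None:
            continue  # not an SSID we operate
        reasons = []
        if obs.bssid not in expected:
            reasons.append("unknown BSSID advertising our SSID")
        expected_security = set(expected.values())
        if obs.security not in expected_security:
            reasons.append(
                f"security {obs.security!r} differs from authorised {sorted(expected_security)}"
            )
        if reasons:
            findings.append((obs, reasons))
    return findings


def client_check(ssid, scan, profiles):
    """Client-side check with no BSSID inventory: refuse to join a remembered
    SSID if any access point advertising it offers weaker security than the
    saved profile. Several BSSIDs per SSID is normal (roaming), so only the
    downgrade is treated as suspicious."""
    saved = profiles.get(ssid)
    if saved is None:
        return False, "no saved profile; treat as an untrusted public network"
    candidates = [o for o in scan if o.ssid == ssid]
    weaker = [o for o in candidates if SECURITY_RANK[o.security] < SECURITY_RANK[saved]]
    if weaker:
        bssids = ", ".join(o.bssid for o in weaker)
        return False, f"{ssid!r} advertised with weaker security than saved {saved!r} by {bssids}"
    return True, f"all access points advertising {ssid!r} match the saved profile"


if __name__ == "__main__":
    for obs, reasons in find_rogues(SCAN, AUTHORIZED):
        print(f"ROGUE {obs.ssid} {obs.bssid} ch{obs.channel} {obs.rssi}dBm: {'; '.join(reasons)}")
    for name in ("HotelGuest", "Corp-Secure", "CoffeeShop"):
        ok, why = client_check(name, SCAN, KNOWN_PROFILES)
        print(f"{'JOIN' if ok else 'REFUSE'} {name}: {why}")
```

The WIPS check is the stronger of the two because it knows the real hardware addresses; the client check only catches a twin that cannot reproduce the real network's security, which is exactly the "open SSID where a login is expected" case the text tells employees to watch for. A twin that also knows the shared password defeats the client check, which is why the previous section recommends 802.1X with certificate validation where the clients are under the company's control.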

In any case, protection against evil twins doesn’t come down only to the decision to connect to an access point. Generally speaking, to avoid damage from any attack that uses a Wi-Fi network as its vector, employees should refrain from handling sensitive company information or sending and receiving financial data over these connections, especially on the most exposed public networks, unless the traffic is protected end to end, for example through the corporate VPN.

Finally, advanced cybersecurity solutions such as Panda Adaptive Defense monitor all active processes on the organization’s endpoints. In this way they form an effective barrier to prevent, stop, and remediate unauthorized attempts to access corporate laptops, including those that use a Wi-Fi network as the attack vector.