WiFi Users Should Beware 'Evil Twins'
Jan 20, 2005 10:12 AM PT
Wireless access to the Internet through WiFi hot spots is widening to include more public places, but users of the often free wireless networks are being warned that security risks are also growing.
The most recent cautionary advice came from UK researchers at Cranfield University who indicated "evil twin" WiFi or 802.11 wireless networks may be used to pose as legitimate hot spots to steal passwords or other personal information.
Wireless analysts indicated the threat is nothing new, but agreed with Canfield's researchers that default security settings for wireless computer access are typically unsafe.
The UK experts, who are presenting their findings in the UK this week, said attackers could easily use the same frequencies as legitimate WiFi hot spots to lure wireless users into disclosing sensitive information without knowing it.
The Canfield University experts described the evil twin vulnerability as one that WiFi attackers could easily exploit.
Pointing out that anyone with the right equipment could seek out a wireless frequency and substitute an evil twin, the researchers blamed unsafe default settings in both the wireless networks themselves and in computers equipped for wireless access.
The researchers said users should ensure that security and encryption settings are on, but warned the only way to be truly safe from the evil twin danger was to abstain from sending password, financial or other sensitive information via public WiFi access points.
Ken Dulaney, Gartner vice president of mobile computing, told TechNewsWorld that the issue may have more significance with the growing number of public WiFi hot spots.
"It's not a new threat," Dulaney said. "This has been possible since the early days of hot spots."
Calling the evil twin danger "a derivative of phishing" -- a reference to Web-based efforts to dupe users into divulging information -- Dulaney agreed with the UK researchers that default wireless settings in both networks and on computers leave users vulnerable.
"Most people don't bother to implement security because they don't understand it and it's a pain to have, so they leave it wide open," he said.
Charles Golvin, a wireless analyst with Forrester, agreed, calling the UK researchers' point about default settings "on the money."
Golvin told TechNewsWorld that wireless security runs the gamut from well-managed and thoughtfully constructed to completely insecure. And he pointed out that the issue is not limited to wireless.
Golvin also said vendors tend to make installation and configuration of wireless technologies as simple as possible, often at the expense of security.
"The interest of the vendor is best served by making it as easy to use and set up as possible," he said. "[Vendors] are not the ones bearing the brunt of it, unless there's some kind of backlash."
Analysts agreed that users are best protected by ensuring use of firewalls, antivirus and security options for wireless connectivity. Despite the added time and trouble, they said encryption is a necessity to avoid falling victim to attacks such as the evil twin scenario highlighted this week.