Evil Twin Attack Prevention?

[Rajjco]

I have a couple of questions about this type of attack.

Detected an intruder in my network and I'm trying to prevent future incidents.

Found a couple of SSID's with the same name as my home network SSID In Asus Site Survey page my home SSID has a full bar connection while the rogue SSID has one bar only.

Can a rogue SSID get the wifi password of my home network when devices auto connect if it was within range?

If so how do you even prevent such attacks?

 

[eibgrad]

The "rogue" AP can NOT access the PSK (pre-shared key), if that's your concern. The PSK is *never* transmitted from the client to the AP during the WPA2/WPA3 4-way handshake.

For all intents and purposes, the only real way you're going to fall victim to this kind of attack is when dealing w/ *open* wifi, esp. one w/ a portal which requires its own authentication. If you're depending on that rather than WPA2/WPA3 for your security, that's a problem. But in most cases where you see this happening, it's public wifi, and invariably that network is completely isolated from the provider's own private network (assuming there is one).

So unless you're NOT following standard procedures like WPA2/WPA3 and using a strong, unique password (PSK), rogue APs shouldn't present a problem (security-wise), even if they're using the same SSID.

Seems to me the bigger problem is having your wireless clients continually attempt to access the rogue AP (unsuccessfully) over and over again. I've seen cases where the user had to lock down the client(s) to a specific AP based on the AP's MAC address (aka BSSID).

All that said, there's always the possibility of some other unknown vulnerability, or a failure to patch a known vulnerability on your part. Wifi is always a case of "use at your own risk" given you are *broadcasting* an access point to the public.

 

[Rajjco]

The "rogue" AP can NOT access the PSK (pre-shared key), if that's your concern. The PSK is *never* transmitted from the client to the AP during the WPA2/WPA3 4-way handshake.

For all intents and purposes, the only real way you're going to fall victim to this kind of attack is when dealing w/ *open* wifi, esp. one w/ a portal which requires its own authentication. If you're depending on that rather than WPA2/WPA3 for your security, that's a problem. But in most cases where you see this happening, it's public wifi, and invariably that network is completely isolated from the provider's own private network (assuming there is one).

So unless you're NOT following standard procedures like WPA2/WPA3 and using a strong, unique password (PSK), rogue APs shouldn't present a problem (security-wise), even if they're using the same SSID.

Seems to me the bigger problem is having your wireless clients continually attempt to access the rogue AP (unsuccessfully) over and over again. I've seen cases where the user had to lock down the client(s) to a specific AP based on the AP's MAC address (aka BSSID).

All that said, there's always the possibility of some other unknown vulnerability, or a failure to patch a known vulnerability on your part. Wifi is always a case of "use at your own risk" given you are *broadcasting* an access point to the public.

Thanks for the detailed explanation.

I had assumed that the PSK (pre-shared key) can be read by the "rogue" AP if one of my devices gets close to it. That's a relief that it cannot access It.

 

[Ripshod]

If the rogue APs don't show any level of wifi security, it's possible someone may be attempting to get your devices to connect to their network. There's a multitude of reasons for them to want to do this, all of them nefarious.
Haven't seen this in a long time though.