Heres the basic evil twin scenario: The attacker sits in the parking lot of a coffee house—or maybe even in the coffee house itself—with a Wi-Fi card and a separate connection to the Internet, probably over a cellular carrier network. Using an attack tool such as hotspotter, they simulate a wireless access point with the same SSID (wireless network name) as the one users would expect, such as t-mobile.
If the signal is strong enough, other users will connect to the attackers system instead of the real access point. The attacker can then serve them a Web page asking for the user to re-enter their credentials, including credit card info if they have the nerve to go so far, give them an IP address and then pass them on to the Internet.
There are many other scenarios. Even without stealing the credentials and credit card info, the attacker sits as a man-in-the-middle and can capture any unencrypted traffic. The attacker doesnt even really need the cellular card; they can just get the info and return an error. If the attacker doesnt stick around too long, the user may eventually get through on the real access point and drop all suspicion.
These attacks are more likely to work with public hot spots rather than corporate Wi-Fi networks, which are likely to use more secure network authentication mechanisms. The real exposure to corporate users is when they use a public hot spot to run the corporate VPN; first they must expose themselves to evil twin-type attacks.
Rogue access points have become a problem as well within corporate networks, and these too could operate from the parking lot of a building, especially if aided by a directional antenna. Windows connects by default to all wireless networks a user has in their networks list, meaning all networks to which they have connected in the past. So if an attacker waits with a rogue access point named linksys odds are that a user will eventually come along who had connected to such a network at home. The users notebook, and the corporate network to which it is attached, may then be vulnerable.
Personal firewalls dont stop the evil twin part of the attack, as they dont operate at that network level. Of course, the notebook itself is exposed when connected to an evil twin, and the attacker could access any open shares or exploit any uncorrected vulnerabilities, and here a firewall could help.
There are companies, such as AirDefense, which sell products to defend against such attacks. AirDefense sells products both for personal systems and enterprises to counter evil-twin, rogue AP and other attacks. Strong authentication and encryption are also generally good defenses.
Its not surprising that connections over a wireless network would have vulnerabilities. Wi-Fi is becoming so ordinary a technology that users may not be alert enough for the threats they are likely to face. So as with other threats, education is the first line of defense against wireless attacks.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.