A Practical, Targeted, and Stealthy Attack Against WPA Enterprise Authentication

Wireless networking technologies have fundamentally changed the way we compute, allowing ubiquitous, anytime, any-where access to information. At the same time, wireless technologies come with the security cost that adversaries may receive signals and engage in unauthorized communication even when not physically close to a network. Because of the utmost importance of wireless security, many standards have been developed that are in wide use to secure sensitive wireless networks; one such popular standard is WPA Enterprise.

In this paper, we present a novel, highly practical, and targeted variant of a wireless evil twin attack against WPA Enterprise networks. We show significant design deficiencies in wireless management user interfaces for commodity operating systems, and also highlight the practical importance of the weak binding between wireless network SSIDs and authentication server certificates. We describe a prototype implementation of the attack, and discuss countermeasures that should be adopted. Our user experiments with 17 technically-sophisticated users show that the attack is stealthy and effective in practice. None of the victims were able to detect the attack.