
By: Paddy
July 15, 2015
Public, Open Wireless Hotspots: To Connect or Not

Abstract
This paper highlights the risks involved with connecting to an untrusted network such as public Wi-Fi. These networks are highly insecure due to data being emitted through airwaves. This allows for attackers to easily eavesdrop on network communication by creating an evil twin access point and taking advantage of devices using the auto connect feature.
This paper gathers its information by surveying participants and by creating an evil twin to discover how many participants connect unknowingly.
Introduction
Secure wireless fidelity (Wi-Fi) networks require a password, or require users to register, before the free Wi-Fi service can be used. Once connected to the network, devices offer an auto connect feature so users don’t have to keep entering a long monotonous password every time they connect to the same network [1].
However, this feature is also used on open networks. An open network is a network that does not require a password to connect. This auto connect feature can then become an attack vector [2].
Hackers use this knowledge to their advantage, creating a Wi-Fi hotspot with the same name as a popular open Wi-Fi network; this will capture users as they roam nearby [4, 6]. Unbeknownst to the users around this rogue Wi-Fi hotspot, their mobile devices will connect automatically if they have previously connected to a hotspot with the same name. Hotspots are not geotagged, so the auto connect feature does not check the location or context of the surroundings as suggested by [8].
Devices scan for networks they have previously connected to and use the stored credentials to connect. This allows hackers to manipulate this protocol and lure users into using their rogue hotspot. Once connected, the attacker has gained a link to the mobile device and a possible payload containing an exploit could be injected on the device [6, 14].
This is a study to discover how often people use public Wi-Fi, their typical usage and the device they typically use. This was achieved by using a survey which 31 participants completed. Whilst the participants completed the survey, a rogue access point (AP) was set up to record whether any of the users’ devices would automatically connect. In doing this, it highlighted to the participants the potential risk of connecting to public Wi-Fi.
Background Literature
As stated in the introduction, public Wi-Fi is extremely vulnerable to eavesdropping or man-in-the-middle attacks due to the radio waves emanating beyond the intended coverage area [4, 6, 10].
There are many research papers that propose different and unique ways to mitigate rogue access points or evil twins [1,2,3,6,7,8,9,11,13].
It has been discovered that iOS devices are vulnerable to attack. If an abnormal response is returned when connecting to a network, a UIWebView is opened. An attacker can take advantage of this by launching an ARP Poisoning Attack, DNS Poisoning Attack, or a Man-in-the-Middle Attack redirecting the requesting iOS device to a malicious location [12].
Through empirical research, it is believed that 20% of all enterprise networks have a rogue access point within their network. A protective framework is suggested to monitor network activities, discover the possibility of rogue access points on the network and block unauthorized network access through the rogue access points [8].
Though this hypothesis could possibly help to mitigate rogue APs on a network, it would still be dependent on the administrator of the network to have it configured correctly [2].
Research has also discussed client-side mitigation techniques that allow the client to control the process of checking whether an AP is an authorized AP or an evil twin [3].
A possible mitigation method is context-based detection that checks the surrounding APs when accessing the public AP. This detection method stores the surrounding AP data when you first connect to the AP; on future connections, the contextual data is analysed before automatically connecting.
If an evil twin rogue AP has been set up in a different location, the contextual AP data will not match, thus preventing connecting to an evil twin AP. This method would allow control on the client side rather than depending on a framework as suggested by [8] to be installed on the network.
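The context check described above can be expressed in a few lines. This is an added example, not code from the paper or from the cited research; the class name, the 0.3 overlap threshold, the decision labels and all scan data are assumptions constructed for illustration.

```python
# Each scan is a list of (BSSID, SSID) pairs, as a Wi-Fi scan would report them.
# All addresses and network names below are constructed sample data.
SHOP_FIRST = [("02:00:00:00:00:01", "CoffeeShop Free WiFi"),
              ("02:00:00:00:00:10", "Bakery"),
              ("02:00:00:00:00:11", "Bookshop-Staff"),
              ("02:00:00:00:00:12", "Flat 4")]
SHOP_LATER = [("02:00:00:00:00:01", "CoffeeShop Free WiFi"),
              ("02:00:00:00:00:10", "Bakery"),
              ("02:00:00:00:00:11", "Bookshop-Staff"),
              ("02:00:00:00:00:13", "New Neighbour")]
ELSEWHERE = [("02:00:00:00:00:99", "CoffeeShop Free WiFi"),
             ("02:00:00:00:00:20", "Lab-AP")]


class ContextStore:
    def __init__(self, threshold=0.3):
        self.threshold = threshold  # assumed minimum overlap needed to trust the location
        self.known = {}             # SSID -> neighbour BSSIDs seen at first connection

    @staticmethod
    def neighbours(scan, ssid):
        # The context is every AP in range except those advertising the target SSID.
        return {bssid for bssid, name in scan if name != ssid}

    def decide(self, ssid, scan):
        ctx = self.neighbours(scan, ssid)
        if ssid not in self.known:
            self.known[ssid] = ctx  # first connection: remember the surroundings
            return "learned"
        stored = self.known[ssid]
        if not stored:
            return "ask-user"       # no context was recorded, so nothing can be verified
        overlap = len(stored & ctx) / len(stored | ctx)
        return "auto-connect" if overlap >= self.threshold else "blocked"


def demo():
    store = ContextStore()
    ssid = "CoffeeShop Free WiFi"
    return [store.decide(ssid, scan) for scan in (SHOP_FIRST, SHOP_LATER, ELSEWHERE)]


if __name__ == "__main__":
    print(demo())
```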
An empirical case study demonstrates the ease of creating an evil twin AP and a cloned website Wi-Fi log in page. The authors discuss the tools used to create an evil twin AP and how to clone a web page. The experiment was conducted on a university campus. The participants, who were students, were not aware of the experiment taking place; the authors state that this was to make the experiment as real as possible. Usernames and passwords were not stored and the students were informed after the experiment.
The authors concluded that the experiment was successful and private confidential usernames and passwords were gathered during the experiment. They suggest that users should be educated better on wireless vulnerabilities and the possible risk of an evil twin or a rogue access point on the network [4].
Rogue APs (evil twins) are one of the highest threats to Wi-Fi [10]. Therefore, users of public Wi-Fi should be educated on how to remain secure whilst using public Wi-Fi. It is also important to remember that the coverage of wireless access points often emanates beyond the confines of the establishment in which they are located. Because of this, it is highly vulnerable to eavesdropping.
A proposed method is to compare the gateway being used by the network and the routes that the packets use to determine the validity of a real AP as opposed to an evil twin. They suggest that this method would detect Man-In-The-Middle and evil twin attacks without any assistance from the WLAN operator [9].
Mobile devices are often perceived as more secure due to using apps rather than a web browser. Users do not consider that the data transfer is identical, and often mobile devices are more vulnerable due to the lack of anti-virus or firewall [5].
Participants
The experiment completed in this paper was conducted in a local college and included 31 participants who volunteered to take part in this study. Participants were contacted via the internal e-mail system at the college, asking for volunteers to take part in the study; the only stipulation was that they must have used public Wi-Fi to connect to the internet.
The e-mail instructed readers to bring a device they often use to connect to public Wi-Fi and also informed readers that the experiment would last roughly half an hour and they would be required to complete a survey during this time.
Participants were aged 16 years and over and there were more males than females, 17 males and 13 females.
Apparatus
During the experiment, participants were given a biro pen to complete the survey. A copy of the survey can be found in Appendix A. The survey was used to ask questions about the participants’ use of public Wi-Fi.
To create the rogue AP, Kali Linux 1.09a was installed as a virtual machine on a Surface Pro 3 tablet. In order to use Wi-Fi, a USB wireless adapter was connected to the device.
For this experiment, the Alfa ASUNWHA wireless adapter was used due to the popularity of the adapter among security professionals. This adapter is compatible with Linux out of the box and is able to inject wireless packets and attack wireless access points.
Wireshark was used to discover which devices connected to the rogue AP.
The experiment was conducted in a classroom at the college that was not located near a college wireless access point and would not interfere with the internal college Wi-Fi. The experiment was held during the evening as the college Wi-Fi is normally shut down and this would also prevent any interference.
Procedure
This study has two parts in order to gather data from the participants. The first part was to create several rogue APs that would be switched on once participants had entered the lab. On entry to the lab, participants were asked to leave any mobile device on the side and to make sure they were turned on and Wi-Fi enabled.
The experiment lasted roughly 20 minutes. During this time, the rogue APs were turned on sequentially to discover how many participants’ mobile devices would connect to the AP. Each AP would only be on for 1 minute once the AP had booted. This gave the devices enough time to connect.
The AP names that were used are the following: O2 Free WIFI, ASDA Free Wifi, DW Free Wifi, Boots Wifi, Starbucks Wifi, Britannia Hotels WiFi and McDonalds Wi-Fi. These names were chosen as they are all local to the college, thus giving a greater chance that the participants have visited these shops, gym, restaurant or hotels and used the free Wi-Fi service. The commands used to create the AP can be found in Appendix B.
For ethical reasons, no information was gathered from the device, such as the MAC address, to preserve the devices’ anonymity. The participants were asked to place their devices on the desk at the front of the lab. This was done so the participants would not try to use our rogue AP to access a secure webpage such as Facebook, online banking or an e-commerce site. Therefore, the experiment was never at risk of collecting private data from the participants. The only data that was captured was how many devices connected to the AP.
The second part of the study gathered data directly from the participants in the form of a survey. Once participants were seated they were instructed to complete a survey.
On completion of the experiment, participants were debriefed on the workings of the experiment and told that their mobile devices may have just connected to the test AP.
Design
This paper is a survey of empirical data to find the common usage of public Wi-Fi and to discover users’ perception on security while using public Wi-Fi.
31 participants of mixed age and sex completed the survey in a lab. While the participants completed the survey, the researchers gathered data from the participants’ mobile devices. The data was gathered to observe how many devices would connect to the created evil twin.
The data gathered from both the survey and the creation of the APs was measured to identify the common usage of public Wi-Fi, the perception of public Wi-Fi security and whether the participants’ devices would auto connect to an evil twin rogue AP.
Results
The survey discovered that age ranges 16-18 and 19-25 on average use public Wi-Fi on a daily basis and 26-35, 36-45 and 45+ used public Wi-Fi on a weekly basis.
The mode average of the hours spent on a single occasion showed that 16-18 year olds spent 1-2 hours and always used the same location; the most popular location was the gym.
The group typically used the Wi-Fi for online shopping and media streaming, such as music streaming. The most common device used whilst at the gym was their mobile phone. This would account for the average time spent and the high usage of media streaming, assuming that the participants would be using music streaming services.
The 19-25 year old group use Wi-Fi almost daily and spend 2-3 hours online shopping and web browsing and often use the same place to gain access to the Wi-Fi.
The 26-35 age group seemed to use public Wi-Fi for the longest amount of time on a single occasion. Their typical usage of public Wi-Fi was for work and web browsing, which was mostly conducted in a coffee shop or internet café.
This highlighted a high risk of possible data theft due to the amount of time using public Wi-Fi and the occurrence of using the same place, which could lead to a risk to their employer if the work they are conducting on their laptops contains any confidential data regarding their work place.
Figure 1 displays the hours spent on a single occasion.
Figure 1. Hours spent using Public Wi-Fi
- 58% of the participants use their mobile phone to access public Wi-Fi
- Only 6% of those have anti-virus installed on their mobile phones
- 61% do not have anti-virus installed
- 33% do not know if they have anti-virus installed
- 29% of the participants typically use their laptop when using public Wi-Fi and all have anti-virus installed
- 5% do not use a firewall
- 22% of the laptop users will use a VPN for added security when using public Wi-Fi
- The survey also highlighted that 30% of participants have used online banking whilst on public Wi-Fi
- 30% typically do their online shopping whilst on public Wi-Fi
- 57% of the participants have had a computer virus
- 35% were not sure if they have had one
- 8% were sure that they have not had a computer virus
When asked who they thought was responsible for security whilst using public Wi-Fi, 90% of the participants thought the provider was responsible for keeping them and their data secure.
The evil twin access points that were created were highly successful in capturing users to connect. During the experiment every AP had at least one participant connect.
Table 1 displays each AP name and the number of participants that connected to it. From the results, you can see that participants had several saved networks on their devices. Thus, participants’ devices connected to several of the evil twins created during the experiment.
AP Name | Connected |
ASDA Free WiFi | 6 |
Boots Free Wifi | 3 |
BritanniaHotels (Local hotel) | 7 |
DW Free Wifi (Local Gym) | 8 |
McDonalds Wi-Fi | 14 |
O2 Free WiFI (Costa) | 28 |
Starbucks | 24 |
Table 1. Participants who connected unknowingly
80% of the participants think that the provider of the public Wi-Fi is responsible for the security of the data communication; 10% thought it was the responsibility of both the user and the provider.
When asked if using a mobile device for online banking is more secure than using a laptop, 61% thought that it was. During the debrief after the survey had been completed, a participant queried this question. They told the researchers that they considered using online banking on public Wi-Fi as secure because of the use of an app that connects directly to the bank rather than using the internet like a laptop.
Conclusion
This experiment has discovered that some people will use public Wi-Fi for long periods of time on a single occasion, and these users often use the same place. The most common places that public Wi-Fi is used are in a coffee shop or in the gym. The gym users tend to use the Wi-Fi for media streaming to listen to their music whilst exercising. The coffee shop users tend to be more orientated towards using public Wi-Fi for work purposes or, surprisingly, online shopping.
The participants in this survey highlighted that the common assumption is that the providers of public Wi-Fi are solely responsible. This is an alarming fact because, as discussed in the background literature, there are many ways an attacker can eavesdrop on or attack a Wi-Fi network.
Furthermore, 61% of the participants thought that mobile devices were more secure for online banking than using a laptop. This demonstrates the need for further education towards public Wi-Fi and the security of using public Wi-Fi, whether you are using a mobile device or laptop.
This paper has discussed the risks involved with using Wi-Fi networks, such as eavesdropping or evil twin rogue APs. It has also discovered that there are mitigation controls that could be used to help identify and prevent connecting to rogue APs. The survey revealed the user perception of public Wi-Fi and its typical usage. From this, it can be deduced that the utmost importance is educating users to think more securely about the data that they are emitting in an open environment.
References
1. Aditya, P., Bhattacharjee, B., Druschel, P., Erdélyi, V. and Lentz, M. (2014). Brave new world. Proceedings of the ACM MobiCom workshop on Security and privacy in mobile environments - SPME '14.
2. Aljawarneh, S., Masadeh, S. and Alkhateeb, F. (2010). A secure wifi system for wireless networks: an experimental evaluation. Network Security, 2010(6), pp.6-12.
3. Bauer, K., Gonzales, H. and McCoy, D. (2008). Mitigating Evil Twin Attacks in 802.11. 2008 IEEE International Performance, Computing and Communications Conference.
4. Briones, J., Coronel, M. and Chavez-Burbano, P. (2013). Case of study: Identity theft in a university WLAN Evil twin and cloned authentication web interface. 2013 World Congress on Computer and Information Technology (WCCIT).
5. Chin, E., Felt, A., Sekar, V. and Wagner, D. (2012). Measuring user confidence in smartphone security and privacy. Proceedings of the Eighth Symposium on Usable Privacy and Security - SOUPS '12.
6. Diksha, N. and Shubham, A. (2006). Backdoor Intrusion in Wireless Networks- problems and solutions. 2006 International Conference on Communication Technology.
7. Jagtap, S. and Honwadkar, P. (2010). Rogue Access Point Detection in WLAN by Analyzing Network Traffic and Behavior. International Journal of Computer Applications, 1(22), pp.27-29.
8. Ma, L., Teymorian, A. and Cheng, X. (2008). A Hybrid Rogue Access Point Protection Framework for Commodity Wi-Fi Networks. IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.
9. Nikbakhsh, S., Manaf, A., Zamani, M. and Janbeglou, M. (2012). A Novel Approach for Rogue Access Point Detection on the Client-Side. 2012 26th International Conference on Advanced Information Networking and Applications Workshops.
10. Phifer, L. (2015). Top Ten Wi-Fi Security Threats - eSecurity Planet. [online] Esecurityplanet.com. Available at: https://www.esecurityplanet.com/article.php/3869221/Top-Ten-Wi-Fi-Security-Threats.htm [Accessed 1 Feb. 2015].
11. Shivaraj, G., Song, M. and Shetty, S. (2008). A Hidden Markov Model based approach to detect Rogue Access Points. MILCOM 2008 - 2008 IEEE Military Communications Conference.
12. Spaulding, J., Krauss, A. and Srinivasan, A. (2012). Exploring an open WiFi detection vulnerability as a malware attack vector on iOS devices. 2012 7th International Conference on Malicious and Unwanted Software.
13. Sriram, V., Sahoo, G. and Agrawal, K. (2010). Detecting and eliminating Rogue Access Points in IEEE-802.11 WLAN - a multi-agent sourcing Methodology. 2010 IEEE 2nd International Advance Computing Conference (IACC).
14. Vanderhurst, G. and Trappeniers, L. (2012). Public WiFi Hotspots at Your Service.
Appendix A
Appendix B
Open a terminal and discover the wlan interface using the iwconfig command; in this case wlan0 was used.
Put the interface into monitor mode to listen to traffic
airmon-ng start wlan0
Create the access point
airbase-ng -a AA:AA:AA:BB:BB:BB --essid "Wireless Name" -c 11 mon0
Appendix C