Threats, Cybercrime

EvilAP attack observed at RSA Conference, Pwnie Express

February 15, 2017

Sensors monitoring Wi-Fi in the exhibit hall at the RSA 2017 Conference in San Francisco detected an EvilAP attack that compromised six different people roaming the floor packed with security pros, many of which, alarmingly, “don't turn off their Wi-Fi,” a Pwnie Express analyst said Wednesday.

“We have sensors set up and when we see a device spin off a lot of access points,” it raises red flags, Yolonda Smith, director of product management at Pwnie Express, told SC Media. “This one spun off 100 access points.”

In an EvilAP attack, a Karma attack is used by the rogue access point to spoof sites known to users. “Phones like to connect to familiar things, this one took a copy of everybody's phones said ‘oh yes, I'm this and I'm that,'” Smith explained, noting that observing the attack was “essentially like watching a drug deal go down.”

Of the six people compromised in the attack observed by the company, two were still wandering the floor when Smith gave SC a look at the attack in progress. The real danger comes when the victims “go back to their corporate networks and labs and bring all this bad stuff they picked up at RSA with them,” said Smith.

prestitial ad