Page 804 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
preferred over the original valid wireless network’s SSID. For example,
if the original SSID is “ABCcafe,” then the rogue WAP SSID could be
“ABCcafe-2,” “ABCcafe-LTE,” or “ABCcafe-VIP.” The rogue WAP’s
MAC address and channel do not need to be clones of the original
WAP. These alternate names may seem like better network options to
new visitors and thus trick them into electing to connect to the false
network instead of the legitimate one.
The defense against rogue WAPs is to be aware of the correct and valid
SSID. It would also be beneficial for an organization to operate a
wireless IDS to monitor the wireless signals for abuses, such as newly
appearing WAPs, especially those operating with mimicked or similar
SSID and MAC values.
Evil Twin
Evil twin is an attack in which a hacker operates a false access point
that will automatically clone, or twin, the identity of an access point
based on a client device’s request to connect. Each time a device
successfully connects to a wireless network, it retains a wireless profile
in its history. These wireless profiles are used to automatically
reconnect to a network whenever the device is in range of the related
base station. Each time the wireless adapter is enabled on a device, it
wants to connect to a network, so it sends out reconnection requests to
each of the networks in its wireless profile history. These reconnect
requests include the original base station’s MAC address and the
network’s SSID. The evil twin attack system eavesdrops on the
wireless signal for these reconnect requests. Once the evil twin sees a
reconnect request, it spoofs its identity with those parameters and
offers a plaintext connection to the client. The client accepts the
request and establishes a connection with the false evil twin base
station. This enables the hacker to eavesdrop on communications
through a man-in-the-middle attack, which could lead to session
hijacking, data manipulation, credential theft, and identity theft.
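An added example, not from the study guide, of the wireless IDS check suggested in the rogue WAP defense above, extended to the evil twin indicators just described: a beacon is flagged when it reuses a known SSID from an unauthorized BSSID, when a known BSSID shows up on an unexpected channel, when a protected SSID is advertised as an open (plaintext) network, or when its SSID is a look-alike such as "ABCcafe-VIP". The authorized-AP inventory and the sample capture are constructed.

```python
from dataclasses import dataclass

# Constructed inventory of authorized access points: SSID -> {BSSID: channel}.
AUTHORIZED = {
    "ABCcafe": {"00:11:22:33:44:55": 6, "00:11:22:33:44:56": 11},
}

@dataclass(frozen=True)
class Beacon:
    """One observed beacon/probe response, as a wireless IDS sensor would record it."""
    ssid: str
    bssid: str
    channel: int
    open_network: bool  # True when no WPA2/WPA3 protection is advertised

def is_lookalike(ssid: str, legit: str) -> bool:
    """Non-identical SSID built on a legitimate one, e.g. 'ABCcafe-VIP' or 'abccafe-2'."""
    s, l = ssid.casefold(), legit.casefold()
    return s != l and s.startswith(l)

def classify(beacon: Beacon) -> list[str]:
    """Return the rogue/evil-twin indicators raised by a single beacon (empty if none)."""
    findings = []
    for legit, bssids in AUTHORIZED.items():
        known = {b.lower(): ch for b, ch in bssids.items()}
        if beacon.ssid.casefold() == legit.casefold():
            bssid = beacon.bssid.lower()
            if bssid not in known:
                findings.append(f"unauthorized BSSID for SSID {legit!r}")  # rogue WAP reusing our SSID
            elif known[bssid] != beacon.channel:
                findings.append(f"cloned BSSID {beacon.bssid} on unexpected channel {beacon.channel}")
            if beacon.open_network:
                findings.append(f"open network advertising protected SSID {legit!r}")  # evil twin hallmark
        elif is_lookalike(beacon.ssid, legit):
            findings.append(f"look-alike SSID {beacon.ssid!r} resembles {legit!r}")
    return findings

def scan(beacons: list[Beacon]) -> dict[Beacon, list[str]]:
    """Run classify() over a capture and keep only beacons that raised an alert."""
    return {b: f for b in beacons if (f := classify(b))}

# Constructed sample capture: one legitimate AP, two rogue WAPs, one evil twin.
SAMPLE = [
    Beacon("ABCcafe", "00:11:22:33:44:55", 6, False),     # legitimate
    Beacon("ABCcafe", "AA:BB:CC:DD:EE:01", 11, False),    # rogue WAP with our SSID
    Beacon("ABCcafe-VIP", "AA:BB:CC:DD:EE:02", 6, True),  # look-alike SSID
    Beacon("ABCcafe", "00:11:22:33:44:55", 1, True),      # evil twin: cloned MAC, plaintext
]

if __name__ == "__main__":
    for beacon, findings in scan(SAMPLE).items():
        print(beacon.ssid, beacon.bssid, "->", "; ".join(findings))
```

A real deployment would feed classify() from sensor beacon captures rather than the inline sample, and the inventory would come from the WLAN controller.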
This attack works because authentication and encryption are managed
by the base station, not enforced by the client. Thus, even though the
client’s wireless profile will include authentication credentials and
encryption information, the client will accept whatever type of