Evil-twin is becoming a common attack in Smart Home environments where an attacker can set up a fake AP to compromise the security of the connected devices. To identify the fake APs, The current approaches of detecting Evil-twin attacks all rely on information such as SSIDs, the MAC address of the genuine AP or network traffic patterns. However, such information can be faked by the attacker, often leading to low detection rates and weak protection.
This paper presents a novel evil-twin attack detection method based on the received signal strength indicator (RSSI). Our key insight is that the location of the genuine AP rarely moves in a home environment and as a result the RSSI of the genuine AP is relatively stable. Our approach considers the RSSI as a fingerprint of APs and uses the fingerprint of the genuine AP to identify fake ones. We provide two schemes to detect a fake AP in two different scenarios where the genuine AP can be located at either a single or multiple locations in the property, by exploiting the multipath effect of the WIFI signal. As a departure from prior work, our approach does not rely on any professional measurement devices. Experimental results show that our approach can
successfully detect 90% of the fake APs, at the cost of an one-off, modest connection delay.