Published March 13, 2026 | Version v1
Journal article (open access)

Development of a Wi-Fi Security Audit System for Detecting Evil Twin attacks and Weak Keys

Description

Publication Summary: PRISMA-Guided Wi-Fi Audit & Detection

Title: Operationalizing Wi-Fi Security: A Multi-Signal Audit Framework for Evil Twin Detection and Posture Assessment (2015–2025)

Project Overview

Despite the advent of WPA3, Wi-Fi networks remain vulnerable to Evil Twin access points and credential theft due to legacy support and misconfigurations. This research bridges the gap between theoretical protocol vulnerabilities (e.g., KRACK, Dragonblood) and practical enterprise defense. We present a deployable audit workflow grounded in a PRISMA-based systematic review of literature from the last decade.

Problem Statement

Existing detection heuristics often rely on a single signal (e.g., RSSI alone), an approach that fails across diverse hardware chipsets and in high-interference environments. Furthermore, security posture checks are frequently incomplete, overlooking critical exposures such as PMKID leakage or risky WPA3 Transition Mode deployments.

Research Objectives

  • O1 (Detection): Achieve high-precision (~95%) Evil Twin detection with low False Positive Rates (~4%) using multi-signal fusion (RF patterns + 802.11 management semantics + active verification).

  • O2 (Auditing): Systematically evaluate network posture, including Protected Management Frames (PMF) enforcement, PSK entropy, and EAP-TLS migration readiness.

  • O3 (Remediation): Deliver actionable intelligence to contain rogues and rotate compromised credentials.

Methodology & System Architecture

Our systematic review (n=540 records identified; n=40 included) synthesized evidence from a decade of protocol breakages and detection toolchains. This evidence informed the design of our four-module audit system:

  1. Passive Scanner: Builds device fingerprints using Radiotap metadata and RSN/AKM suites.

  2. Active Verifier: Sanity-checks EAPOL/SAE behavior via directed probes.

  3. Key Auditor: Evaluates "crackability" effort and flags weak protocol states (e.g., missing PMF).

  4. Remediation Engine: Fuses evidence into a "Policy Readiness Radar" for stakeholders.

Key Findings & Evaluation

  • Multi-Signal Superiority: Evidence maps and ROC curves confirm that combining RF features with management-frame semantics significantly outperforms single-family detection methods.

  • Policy Gaps: Many "secure" environments remain attackable due to WPA3 transition-mode downgrades and PMKID exposure in WPA2/WPA3-mixed networks.

  • Performance: Evaluated against AWID/AWID3 datasets, the framework maintains a stable F1-score (~94.8%) on commodity hardware, making it viable for SMEs and campus environments.
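The posture checks named under O2, the Key Auditor module and the "Policy Gaps" finding (PMF enforcement, WPA3 transition mode, PMKID exposure in PSK-based networks) can all be driven from one beacon field. The following is an added example, not code from the paper's audit system: it decodes the RSN information element (element ID 48) as laid out in IEEE 802.11, using the standard AKM and cipher selector values, and emits findings for each sample BSS. The three sample elements at the bottom are constructed by hand for illustration, not captured from any real network; the finding strings are this example's own wording.

```python
"""
Posture checks over an 802.11 RSN information element (RSNE, element ID 48).

Added example (not code from the paper's audit system). The RSNE layout and
the AKM/cipher selector values follow IEEE 802.11; the checks implement three
items from the summary: PMF capability/enforcement, WPA3 transition mode (SAE
offered beside PSK) and where the PMKID-leakage check applies. The sample
elements at the bottom are constructed by hand for illustration.
"""
import struct

OUI = b"\x00\x0f\xac"                        # IEEE 802.11 suite selector OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK", 5: "802.1X-SHA256",
        6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE", 12: "802.1X-SuiteB-192", 18: "OWE"}
MFPR, MFPC = 0x40, 0x80                      # RSN Capabilities bits 6 and 7
PSK_FAMILY, SAE_FAMILY = {2, 4, 6}, {8, 9}


def parse_rsn_ie(elem: bytes) -> dict:
    """Decode a full RSNE (ID byte, length byte, body) into named fields."""
    if len(elem) < 2 or elem[0] != 48 or elem[1] != len(elem) - 2:
        raise ValueError("not a well-formed RSNE")
    body, off = elem[2:], 0

    def u16() -> int:
        nonlocal off
        (v,) = struct.unpack_from("<H", body, off)
        off += 2
        return v

    def suite() -> int:
        nonlocal off
        raw = body[off:off + 4]
        off += 4
        if len(raw) < 4 or raw[:3] != OUI:
            raise ValueError("truncated or vendor-specific suite selector")
        return raw[3]

    if u16() != 1:
        raise ValueError("unsupported RSN version")
    group = suite()
    pairwise = [suite() for _ in range(u16())]
    akms = [suite() for _ in range(u16())]
    caps = u16() if off + 2 <= len(body) else 0   # capabilities field is optional
    return {
        "group_cipher": CIPHERS.get(group, f"unknown({group})"),
        "pairwise_ciphers": [CIPHERS.get(c, f"unknown({c})") for c in pairwise],
        "akm_suites": [AKMS.get(a, f"unknown({a})") for a in akms],
        "akm_raw": akms,
        "mfpc": bool(caps & MFPC),
        "mfpr": bool(caps & MFPR),
    }


def audit_rsn(ie: dict) -> list[str]:
    """Return posture findings for one BSS; an empty list means no finding."""
    findings = []
    akms = set(ie["akm_raw"])
    if not ie["mfpc"]:
        findings.append("PMF unsupported (MFPC=0): deauth/disassoc frames are unauthenticated")
    elif not ie["mfpr"]:
        findings.append("PMF optional (MFPC=1, MFPR=0): clients may associate without it")
    if akms & SAE_FAMILY and akms & PSK_FAMILY:
        findings.append("WPA3 transition mode: SAE offered beside PSK, downgrade to WPA2 possible")
    if akms & PSK_FAMILY:
        findings.append("PSK-family AKM: PMKID-leakage check applies (inspect EAPOL message 1)")
    if "TKIP" in ie["pairwise_ciphers"] or ie["group_cipher"] == "TKIP":
        findings.append("TKIP enabled: legacy cipher")
    return findings


def build_rsn_ie(pairwise, akms, caps, group=4) -> bytes:
    """Encode an RSNE (used here only to construct sample input)."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([48, len(body)]) + body


# Constructed sample elements (not captures from any real network).
SAMPLES = {
    "wpa2-psk-no-pmf": build_rsn_ie([4], [2], 0),
    "wpa3-transition": build_rsn_ie([4], [2, 8], MFPC),
    "wpa3-only": build_rsn_ie([4], [8], MFPC | MFPR),
}

if __name__ == "__main__":
    for name, elem in SAMPLES.items():
        ie = parse_rsn_ie(elem)
        print(f"{name}: AKM={ie['akm_suites']} MFPC={ie['mfpc']} MFPR={ie['mfpr']}")
        for f in audit_rsn(ie) or ["no finding"]:
            print("  -", f)
```

In a passive scanner this function would be fed the RSNE pulled from each beacon or probe response; a BSS advertising SAE beside PSK with MFPC set but MFPR clear is exactly the transition-mode configuration the summary calls out. Note that the RSNE alone cannot tell whether an AP actually includes a PMKID in the first EAPOL message, which is why the PSK finding is phrased as a check to perform rather than a confirmed exposure.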

Keywords: Evil Twin, Rogue AP, WPA3/SAE, PMF, EAP-TLS, PMKID, PRISMA Systematic Review.

Files

final-report.pdf (998.0 kB), md5:345e6c106a6e9af38b026d390acb249b
