cancel
Showing results for 
Search instead for 
Did you mean: 

Man-in-the-Middle and Evil Twin attack

ohiovpnuser
Occasional Contributor

Man-in-the-Middle and Evil Twin attack

Friends,

Can I ask your advice and thoughts on how susceptible a user is to falling victim to a man-in-the-middle attack, or a evil twin attack, when using a VPN connection from public WiFi such as a coffee shop or hotel?

Have you come across any KB from Pulse Secure on this topic, or know of any good information on the Internet, or care to share your own perspective? 

 

I have found many documents and articles on the Internet which warn of the danger of using public WiFi and they all recommend to “use a VPN”.   But they don’t explain at a technical level what they mean by “VPN”.   For example with Pulse Secure it is possible to use SSL VPN (web browser as the client), or use a IPSEC VPN (Pulse Desktop as the client).  

 

My gut feeling is an SSL VPN is susceptible to MITM, and an IPSEC VPN is still susceptible but not as much.  Is this accurate?  Is there any technical documents which explain this?  Please correct me if I am wrong.

 

My company uses SSL VPN with the browser as the client.  Lets say a user is at a coffee shop and connects to an evil twin access point.   The access point will assign the laptop an IP address, default gateway, and DNS Servers.   Since DNS is under the control of a hacker anything the user enters into the browser can be redirected to a malicious web site.  If the user enters https://vpn.mycompany.com into the browser, the hacker can intercept this, easily screen scape the real vpn.mycompany.com web page, and then present a fake web site to the user.  I believe the user would see an SSL certificate warning from the web browser (since the hacker’s web site doesn’t have the real SSL cert) but we know users are quick to bypass these warnings.   As technical admins we would also notice that Host Checker doesn’t run, but the average user wouldn’t notice.  The user could believe they have connected to the real vpn.mycompany.com page and enter credentials.   The hacker can intercept all the traffic thus using two-factor authentication won't prevent this type of attack.

 

The overall goal here is to present to management the risk of MITM risks when using public WiFi.  And if there are any ways to mitigate those risks.  Thanks in advance for your feedback!