Authenticating Public Wireless Networks with Physical Evidence

Users of public Wi-Fi networks risk being tricked into connecting to `evil twin´ access points set up by attackers to launch man-in-the-middle attacks. We present a system which employs post hoc validation of an anonymous Diffie-Hellman key exchange undertaken as part of an 802.1X/EAP-TTLS network association process. Our system utilises an additional secure auxilliary channel to run a modified version of the interlock protocol based on physical evidence in the network location. By using keying information generated during the network joining process, we allow spontaneous network users to detect man-in-the-middle attacks as well as avoiding the need for pre-shared keys. We report on implementations of our system which utilise physical evidence of authenticity in the alternative forms of public displays and 2D barcodes embedded in the environment and read by mobile phones.