How would you detect an Evil Twin attack, especially in a new environment?
They're both evil. You shouldn't be connecting to any "Free Public Wifi" without assuming that all your unencrypted traffic will be monitored and modified. The best solution is to not connect to public networks at all, but if that's not an option for you then you can protect yourself a little more by specifying your own DNS (rather than letting the router pick for you), using https everywhere you can, not accessing your sensitive accounts on public networks, considering a VPN, and keeping your software and firmware up to date.
In direct answer to your question, some routers have their MAC address printed on a label; you could ask the router owner to check for you, then connect to it, ping it, and view your arp table (arp -a
) to see if it matches. Alternatively, you could tell the router owner that there's an imposter nearby and have them change the network name.
Traditionally there hasnt been an easy user-oriented method to detect evil twin attacks. Most attempts to detect an evil twin attack (ETA) are geared towards the administrator of a network where they basically have the authorised network admins scanning and comparing wireless traffic. This isnt so much of what you are interested in.
There is a paper here (and slides) that goes over an experimental approach to determine from the user's perspective a real-time ETA. Basically, they use a cunning approach to statistically determine which access point is authorised and which is the evil twin.
A simple approach (that will not always work) that I propose is to merely sniff yourself and see what the IP addresses are. The idea being that an unathorised AP will have a nonstandard (IE what you would expect) IP and thus throw up some red flags... Here is a link that describes how to setup your own ETA so you can play around with my method (or try your own). WARNING: If you are creating an ETA, do so in a lab environment as this is illegal in public.
Also note that an ETA can be greatly mitigated by simply securing the network via an authentication system that uses Extensible Authentication Protocols such as WPA2-enterprise -which works by validating both the client and access point.
To address some other points...
If you have a way to communicate with the authorised network administrators (or at least know which access point is the proper one), then you have already completed a psuedo-meta-athorisation method outside of the digital realm (IE I can physically see the proper router and know it's mac address, ip settings, etc and can thus compare them with what my adapter is telling me I'm connected to). Most often, we do not have this info and moreover shouldnt trust it even if we did. Thus, perhaps the 'best' method for using an untrusted network (ET or not) is to always assume it is compromised and implement a VPN or simply abstain altogether!
Tell the barrista/clerk/etc the wifi has gone down, can they reboot or power cycle the router?
Most people will happily do so, bringing the AP down for a moment, and exposing the evil twin router in the process as any active network that survives a power cycle.
If there is more than 1 evil twin router, this still works.
If there are multiple good routers, this will identify at least one. The same tactic can be used to identify the others ( Hey it's not working still, is that the only wifi box? All this tech is so confusing, maybe you need to do it to all of them? ).
Alternatively, once you identify a good AP, connect a device to it, and then using a second device, connect to the other AP's and attempt to locate the first device over the network. Unless the good AP has been compromised, any AP that finds the original device is a good AP. If it has been compromised however, then all AP's are bad
Another alternative being that if you can see the make of the router, try to log in to its admin panel. If the login prompt doesn't match the make/brand then you have found the evil twin.
The best solutions here are mostly going to involve simply talking to the provider of the legitimate AP rather than running an extensive comparison with questionable results.
In the meantime, if the AP in question is open, it is insecure, evil twin attacks are unnecessary. A public network with a shared password is also insecure. If you're concerned about the security of a public wifi network for any reason, do not use it.