Evil Twin Attacks

Evil Twin attacks are common, dangerous, and, well … evil.

Evil Twin attacks are almost two decades old now but still pose significant security threats. The US Department of Justice recently charged hackers from the Russian military agency GRU with implementing Evil Twin AP attacks to steal credentials and “plant espionage-oriented malware” within organizations such as anti-doping agencies, nuclear power operations, and chemical testing laboratories.

Evil Twin attacks work in a similar way to a standard phishing scam but are based on Wi-Fi networks. In a phishing attack, an attacker will set up a fake website that looks like a legitimate one, and encourage a victim to enter sensitive information: usernames, passwords, banking details, or anything else. This information can then be collected and exploited by the attacker.

Evil Twin attacks are essentially the Wi-Fi equivalent of phishing scams. An attacker will set up a fake Wi-Fi access point, and users will connect to this rather than a legitimate one. When users connect to this access point, all of the data they share with the network will pass through a server controlled by the attacker.


All Wi-Fi Networks Are Vulnerable

An Evil Twin attack takes advantage of two different vulnerabilities. The first is the way that (most) devices handle Wi-Fi networks. The second is the ignorance of most users when it comes to updating and configuring a Wi-Fi network.

Let's look at the technical vulnerability first. Evil Twin attacks take advantage of the fact that most computers and smartphones don't have that much information about the networks they connect to. In many cases, all your device knows about a given Wi-Fi network is its name. This is technically called an ESSID and can be changed easily.

Because most devices only know the ESSID of a network, they have real trouble distinguishing between networks with the same name. If you are reading this at home, you can easily see this right now: use your smartphone to create a Wi-Fi hotspot, and give it the same name as your home network. Now try and access this hotspot on your laptop. It got confused, right? Because it can only see the names of the networks, it thinks that the two access points are the same network.

It gets worse. Most large networks, such as those providing public Wi-Fi, will have dozens (or perhaps hundreds) of access points, all with the same name. This means that users will not get confused when they swap to a different access point, but it also makes it easy for an attacker to set up fake access points.

You can install network 'sniffing' tools that will quickly see the difference between these networks. Popular choices for this are Wigle Wi-Fi or Kismet. However, the average user will not be able to distinguish them. Combined with a little bit of social engineering, this makes it relatively easy to trick users into providing an attacker with the access password for a given network.

How Does an Evil Twin Attack Work?

Let's take a look at the details of how an Evil Twin attack typically proceeds. In most cases, the goal of these attacks is to trick a user into supplying an attacker with the authentication details for a Wi-Fi network. With admin access to a router or other access point, an attacker can then take control of the network. They can then see, read, and alter any unencrypted data traffic, or launch a further attack (such as a man-in-the-middle attack) that will give them even greater control and access.

Fake Network Hotspot

To trick an unsuspecting user into providing a Wi-Fi password, a "Captive Portal" is typically used. This is a screen that you've probably seen when connecting to the internet at a coffee shop or the airport. It usually contains a lot of information that no-one reads, and asks a user to input some information. Because most users are used to seeing these screens and don't know what they should look like, they will happily enter any information an attacker asks for.

To get them to do this, an attacker will first set up a fake Wi-Fi access point that has the same name as the target network. This is super easy to do, as we saw with the smartphone example above. To make this network visible to victims, an attacker will either bring their own Wi-Fi router, run it from a network card on their laptop, or (if they need more range) use a Wi-Fi Pineapple.

Network Flooding

Next, they need to kick users off the network. This is done by flooding the network with "deauthentication packets." These make the target network essentially impossible to connect to normally, so devices already connected to it will be thrown off. Users will notice this, get annoyed, and open up the network menu on their device.

But guess what: on the list of networks they can connect to is a network with the same name as the one they were just kicked off from. The hacker controls this network. It is also unsecured, but the average user will try to connect anyway, assuming that the lack of security is related to the “connection problem” they've just had.


After connecting to this new network, the user will be sent a captive portal designed by the attacker. This will look like a standard login page, with loads of boring technical-looking information, and will prompt the user to enter the password for the Wi-Fi network. If the user enters this, the attacker now has the admin password for the Wi-Fi network, and they can begin to take control of it.
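The deauthentication flood described in this section is visible to anyone monitoring the airspace. The following is an added example, not part of the original article: a sliding-window counter over a constructed management-frame log. The record layout, the 5-second window and the threshold of 20 frames are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed management-frame log from a monitoring sensor:
# (timestamp in seconds, frame subtype, BSSID, destination MAC).
FRAMES = [
    (0.0, "beacon", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"),
    (1.2, "deauth", "aa:bb:cc:00:00:01", "10:20:30:40:50:60"),  # ordinary disconnect
    (30.0, "deauth", "aa:bb:cc:00:00:02", "10:20:30:40:50:61"),
] + [
    # Burst: 40 broadcast deauths in 2 seconds naming the first access point.
    (60.0 + i * 0.05, "deauth", "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff")
    for i in range(40)
]


def detect_deauth_floods(frames, window=5.0, threshold=20):
    """Return [(bssid, first_alert_time, count_in_window)] for every BSSID
    whose deauth count reaches `threshold` within `window` seconds."""
    recent = defaultdict(deque)  # bssid -> deauth timestamps inside the window
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        # Record only the first moment the rate crosses the threshold.
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = (ts, len(q))
    return [(b, t, n) for b, (t, n) in sorted(alerts.items())]


if __name__ == "__main__":
    for bssid, when, count in detect_deauth_floods(FRAMES):
        print(f"possible deauth flood against {bssid}: "
              f"{count} frames within 5s at t={when:.2f}")
```

Isolated deauthentication frames are normal on a busy network, which is why the check alerts on rate rather than on presence.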

Evil Twin Attacks Require Social Engineering

At this point, the attacker relies on the victim doing some pretty stupid things.

First, a victim must be de-authenticated from their network in a way that doesn't arouse suspicion. In a corporate environment where Wi-Fi connections are reliable, the fact that a victim's computer has suddenly disconnected will strike them as strange. In a public setting, though, the average user won't suspect an attack is in progress.

Second, a user must be frustrated enough to try to connect to an entirely new, unsecured network that appeared just a few moments ago. Even if the new network has the same name as the trusted one, and their device cannot see a difference between the new network and the old one, this might also make them suspicious. Some operating systems even try to warn users about connecting to networks like this, but again the average user will click through these warnings.

Third, the victim has to enter the network password into the phishing page. You would think that there would be a lot of clues that could tell an experienced user that this page is sketchy: the fact that they've never seen it before, or that it contains incorrect information or (sometimes) is wrongly spelled. However, pages like these are successful in a depressingly high number of cases.

The reason for this is that admin pages for Wi-Fi routers, or authentication pages for networks, are usually really ugly themselves. Because of this, most users will think nothing of re-entering the network password into a phishing page that looks equally bad.

Nonetheless, this stage of an Evil Twin attack is where the majority of such attacks are detected. An experienced user will not be tricked into entering the Wi-Fi password, and can even spot that an attack is happening. Also, because Evil Twin attacks rely on users being in the range of an attacker's 'fake' access point, they might even work out that the attacker is probably pretty close, and raise the alarm.

How can I tell if I'm connecting to an Evil Twin vs. a Legitimate Hotspot?

Good question. Detecting an Evil Twin attack in progress relies on users spotting that a new, unsecured network has just appeared, and avoiding it.

You might think that this would be easy enough, but we’ve got some bad news. It isn’t. As we already mentioned, most standard devices do not have the kind of network sniffing tools that will allow them to distinguish between a legitimate network and one set up by an attacker.

Attackers can also be smart when it comes to making the new network look like a trusted one. They will choose the same SSID name, for instance, and this is often enough to confuse a standard device (and standard user!) on its own.

Going further, they can then clone the MAC address of the trusted network. This makes it appear as though the new access point is a clone of the existing access points on the target network, strengthening the illusion that it is legitimate. For large public networks, this can even make the fake access point look more legitimate than the real routers, because sometimes IT guys get lazy and forget to clone MAC addresses themselves!

Detection is made even harder by the fact that attackers do not need large, bulky hardware to carry out an Evil Twin attack. They can use the network adapter on their laptop to launch the attack or carry a small router as a fake access point. Many attacks also make use of a Wi-Fi Pineapple. This is a piece of kit that has legitimate uses as a network testing tool, but can also be used to create a Wi-Fi network over a vast area. This means that an attacker need not be in the same building, or even on the same street, to target a particular network.

Another technique used by hackers is to make the signal of their network much more powerful than that of the target network. By boosting the strength of their Wi-Fi signal, they can overwhelm the target network, and make it all but undetectable.

Because of all this, working out whether you are connected to a legitimate network or its Evil Twin can be extremely difficult. The best approach is to avoid unsecured networks and to be suspicious of duplicate networks.

And, of course, if you are ever faced with a sketchy-looking page that asks you for authentication details, never enter these!
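The warning signs covered in this section (an unsecured network sharing a name with a secured one, an unfamiliar access point, a cloned MAC address) can be checked mechanically by someone who does have scan data. The following is an added example, not part of the original article; the scan records and the inventory of deployed access points are constructed, and the field names are assumptions.

```python
from collections import defaultdict

# Constructed scan results (not real networks): one record per beacon seen.
SCAN = [
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2", "channel": 1},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2", "channel": 6},
    {"ssid": "CoffeeShop", "bssid": "de:ad:be:ef:00:09", "security": "OPEN", "channel": 11},
    {"ssid": "CoffeeShop", "bssid": "aa:bb:cc:00:00:01", "security": "OPEN", "channel": 11},
    {"ssid": "Library", "bssid": "11:22:33:00:00:01", "security": "WPA2", "channel": 1},
]

# Hypothetical inventory of the access points the operator actually deployed.
KNOWN_APS = {
    "CoffeeShop": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "Library": {"11:22:33:00:00:01"},
}


def find_suspects(scan, known_aps):
    """Return {(ssid, bssid): sorted reasons} for beacons worth investigating."""
    by_ssid = defaultdict(list)
    channels = defaultdict(set)  # (ssid, bssid) -> channels seen in this scan
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
        channels[(ap["ssid"], ap["bssid"].lower())].add(ap["channel"])

    suspects = defaultdict(set)
    for ssid, aps in by_ssid.items():
        has_secured = any(ap["security"] != "OPEN" for ap in aps)
        for ap in aps:
            key = (ssid, ap["bssid"].lower())
            # An unsecured network sharing its name with a secured one.
            if has_secured and ap["security"] == "OPEN":
                suspects[key].add("open-twin-of-secured-ssid")
            # The name matches, but the radio is not one the operator deployed.
            if ssid in known_aps and key[1] not in known_aps[ssid]:
                suspects[key].add("bssid-not-in-inventory")
            # One BSSID on two channels within one scan suggests a cloned MAC.
            if len(channels[key]) > 1:
                suspects[key].add("bssid-on-multiple-channels")
    return {key: sorted(reasons) for key, reasons in suspects.items()}


if __name__ == "__main__":
    for (ssid, bssid), reasons in find_suspects(SCAN, KNOWN_APS).items():
        print(f"{ssid} {bssid}: {', '.join(reasons)}")
```

A cloned MAC address defeats the inventory check on its own, which is why the channel check is included: the clone and the real access point share a BSSID, so both are flagged for investigation.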

What can I do to protect myself from Evil Twin Hotspots?

Detecting Evil Twin attacks can be extremely difficult, even for advanced users, because telling the difference between a real network and a ‘fake’ can sometimes be impossible.

For most people, therefore, the best defense against Evil Twin attacks relies on two factors. One is being careful to use reasonable security practices when you are online, and especially so when you are forced to connect to public Wi-Fi networks. The other is making sure that an attacker cannot access personal or sensitive information, even if they manage to hack the network you are on. This means encrypting everything, preferably using a VPN.

First up, it is essential to limit your exposure to Evil Twin attacks by acting in a way that limits your vulnerability to them:

Avoid Connecting to Unsecured WiFi

Most importantly, you should avoid connecting to networks that look suspicious. Never, ever connect to a network that is unsecured if you have the choice, especially if it has the same name as one you trust!

Pay Attention To Notifications

On a related note, you should pay attention to warnings that your device generates when you connect to certain types of network. Too often users dismiss these warnings as just another annoyance, but in truth, your software is trying to do you a favor by keeping you safe.

Avoid Using Sensitive Accounts

Sometimes, you will be forced to connect to a public network, and sometimes even an unsecured one. If it comes to this, there are a couple of steps you should take to limit your exposure. Obviously, you should not use a network like this to log in to important accounts, including your social media feeds, but especially corporate networks or internet banking services. If, like the majority of people, you have a smartphone that is continually logged into certain accounts, you should either manually log out of them on your phone, or not connect your phone via Wi-Fi.

Limit Automatic Connectivity

Another useful technique is to limit the networks that your device automatically connects to, and to ask for your approval when it tries to connect to a new network. Doing this will allow you to quickly review the network you are about to connect to, and spot if it looks suspicious.

The final way to protect yourself against Evil Twin attacks is so important that it is worth a section of its own. If you want to keep yourself safe online, against Evil Twin attacks and many other threats, you should really…

Use a VPN

Evil Twin attacks, as we've seen, are tough to detect. Besides, because the encryption provided by standard Wi-Fi Security Protocols like WPA and WPA2 only starts once your device establishes a connection with an access point, you cannot rely on it to protect you against an attacker’s malicious network.

The best way to make sure you are protected is therefore to use a Virtual Private Network (VPN). This is one of the only ways suggested by the Wi-Fi Alliance to defend yourself from Evil Twin attacks.

A VPN works by creating an encrypted tunnel between you and a VPN server. Typically, a VPN client will work through your browser, or even at the level of your operating system. Every single piece of information you exchange with the broader network is encrypted by your device, and can only be decrypted by your VPN server.

As a result, even if someone manages to intercept the data you send and receive, they will not be able to read or exploit it. The most secure VPNs make use of military-grade encryption protocols that far exceed the security offered by standard Wi-Fi security protocols, and so keep your data completely safe.


As the number and sophistication of cyber-attacks continue to grow, it pays to stay on top of the different types of threat you might face. An Evil Twin attack is just one of these, albeit one that is quite common and can be devastatingly effective against unsuspecting victims.

The key to avoiding Evil Twin attacks is mostly similar to the precautions you should take against any security vulnerability. Make sure you know what networks, servers, and web applications you are connected to. Never, ever send sensitive information across unsecured networks, or when using public Wi-Fi.

And finally, encrypt everything using a VPN. Doing so will not only protect you against Evil Twin attacks, but also defeat many other attack variants, and also keep you anonymous online.
