Evil twin attack: The dangers of free Wi-Fi

‘’The best things in life are free’’ – sang Janet Jackson who clearly didn’t know the dangers of free Wi-Fi networks. One such unseen danger is called an evil twin attack. Not unlike its namesake, this attack also wishes to cause chaos and misery, but in a little more subtle fashion. So, let’s find out what it is, how it works, and how we can protect ourselves against it.

Table of contents

    In short: What is an evil twin attack?

    An evil twin attack is when a hacker sets up a Wi-Fi hotspot that mimics a real one. By connecting to it, you let the hacker copy all the data you transmit and receive.

    Evil twin attack defined

    In more complex, cybersecurity terms, an evil twin attack is a man-in-the-middle attack that uses a fake Wi-Fi hotspot. That fake evil twin access point is set up to mimic a real existing Wi-Fi network. 

    Here’s how an evil twin gets you

    If the hacker did their job well, your device will have no way of telling which network is real – these evil twins don’t even sport evil goatees. These days, you don’t just mimic the SSID (Service Set Identifier), but also the encryption that the network uses. So, with no obvious signs of malfeasance, you connect to the evil twin network thinking that it’s a legitimate access point, and you’re off to the races (to have your data stolen).

    The evil twin attack is just the beginning 

    Indeed, there is a second act. An evil twin is a key part of a man-in-the-middle attack, where it becomes that proverbial man. Once you’re connected via the hacker’s hotspot, they can use it to clone your data, among other devious things. 

    Having control of your data stream allows them to inject fake website login pages to capture your login data, which is a type of phishing attack. That way, they can easily grab your usernames and passwords for anything you use (as long as they bothered to set up fake website login pages) while you’re using the hotspot. 

    How does an evil twin attack work?

    The hacking depends on you not being attentive and in a hurry – usually in public and popular places. It’s better for the hacker if you’re less likely to miss any abnormalities when you’re not expecting anything and not paying attention to details (like a misspelled name of the Wi-Fi).

    Be wary in public! Because your device doesn’t recognize the hotspot as a fake. Hackers try to appear as believable as possible for you as well.

    These are the steps the malicious actor takes when planting the man in the middle – enjoy the theatrics.

    1. Finding the ‘’proper’’ location

    Mise en scène

    A popular place with public Wi-Fi is the prime place for hackers. Airports, coffee shops, libraries, shopping malls. The bigger the place, the more access points it will have, the better for the hacker – a new access point will not draw as much attention among a dozen of others.

    1. Setting up a fake Wi-Fi access point

    Mise en place

    Malicious actors look at a real hotspot and copy its SSID, which is the hotspot’s name. They then configure their own Wi-Fi hotspot (using cybersecurity testing tools like the Wi-Fi Pineapple) to transmit the same SSID.

    1. Setting up a fake captive portal

    Mise en situation

    Many public networks have a login page asking you to enter your details to use their Wi-Fi. Hackers set up a similar-looking captive portal. The fake login page is roleplaying as the real one to appear credential so as to not raise suspicion and get your login info.

    1. Make the victims connect to the fake access

    Mise au point

    The hackers do it in two ways:

    • by making the fake hotspots’ signal stronger (which makes the devices connect to it automatically);
    • or by launching a DDoS attack to kick everyone from the real network.

    Such DDoSing disconnects users from an already established connection to trusted networks via a deauthentication attack. Then, the Wi-Fi-connected devices try and re-authenticate themselves on the network. And, in this case, the devices automatically connect to a network with a stronger signal.

    1. The hacker has access to your device and steals your personal information


    The internet traffic is going through the hacker’s device. Everyone accessing the web through the bad actor’s fake Wi-Fi network and the fake captive portal is now seen by the hacker. Your login credentials when connecting to your bank account and even keystrokes on social media – every minute detail is no longer private.

    End scene.

    Evil twin attack example 

    Let’s say you, an unsuspecting device-haver might be visiting your favorite Seattle Coffee Chain Franchise. As you take your Ultimax Turbogrand cup of latte and sit down to watch some KanColle, you connect to the local hotspot to preserve mobile data and increase the connection speed.

    But, hark, there are two Wi-Fi networks called “Seattle Coffee Chain Franchise!” Which one do you choose? If the network isn’t password-protected (to save time for baristas who are already busy trying to figure out how to write “George but with a Y” on a cup), you can’t even look for the padlock on the Wi-Fi symbol. So you log in to the network and take your daily anime dose.

    Then you think about logging in to Facebook to post your comment about the episode you just watched on the Big Broadside Kriegsmarine Girlfriends fan page. You are led to an authentic-looking Facebook login page. You enter your data, which the hacked website records and forwards to the real Facebook site. You are logged in without any knowledge that you just gave away your data. 

    Just like that, you have just fallen for a man-in-the-middle attack-enabled technologically-assisted social engineering attack!

    How to spot an evil twin attack 

    It is hard to spot it in the process. A hacker who did due diligence with their work will have copied the SSID, encryption, and maybe even the MAC address of the public Wi-Fi network. The tools they need to do it aren’t that conspicuous either – they only need a laptop and something as easy to hide as the previously mentioned Wi-Fi Pineapple. 

    How to protect yourself from an evil twin attack 

    Luckily, there are cybersecurity tips and tricks you can use to protect yourself from connecting to a fake wireless access point or handing over your data. These include:

    1. Disable auto-connect: Despite having smart in the name, your phone is anything but, so it will connect to the evil twin public Wi-Fi networks, especially if their signal is stronger. 
    2. Don’t connect to unprotected Wi-Fi: If the Wi-Fi network doesn’t demand a password, it’s unsafe and much easier to take for evil twin attacks. 
    3. Don’t ignore security notifications: Phones and laptops and whatnot come with security features installed, some of which may notify you of things like network encryption being different than the last time you connected to this Wi-Fi network.
    4. Don’t access sensitive accounts and services: It’s just a good practice not to do your banking or business email checking on public Wi-Fi. The ‘’don’t show your privates in the public’’ type of thing.
    5. Use a VPN to protect yourself on public Wi-Fi: A virtual private network encrypts your data before it leaves your device. That way, anyone monitoring your data via their man-in-the-middle attack won’t see anything but useless VPN encrypted data. Naturally, this prevents them from directing you to capture pages and such. 

    Bottom line: Stay safe from evil twins 

    Forewarned is forearmed, and now you know what evil twin attacks are and how to use basic defenses against them. Of all the methods mentioned here, only one requires an investment in a security tool.

    Cut out the middleman!

    Get Surfshark


    How do evil twin attacks work?

    A hacker sets up a duplicate network of a legitimate Wi-Fi hoping that the victims would connect to the fake one. When this happens, all of the user’s data will go through the fake network and end up in the hacker’s pocket.

    What is the meaning of evil twin?

    Also known as the ‘’man in the middle’’, an evil twin in the cyberworld means a malicious Wi-Fi hotspot mimicking another Wi-Fi, the one that the user intended to use. It’s called that because usually setting up a duplicate fake hotspot leads to a privacy violation.

    Do hackers use evil twin attacks?

    Yes, hackers use evil twin cyberattacks to monitor internet activity and get victims’ personal data, like login information and card credentials.

    What scenario describes an evil twin attack?

    An evil twin attack is when a malicious person sets up a fake access point usually made to look like a public Wi-Fi network.