The Evil Twin Attack: Safe use of Public Internet

Patrick Putman

Wireless connectivity has existed now for more than twenty years. And as technology advances, wireless access to the internet increases. Public WiFi access points are everywhere. They exist in restaurants, coffee shops, and shopping malls. Even entire cities offer public access to the internet. Additionally, if you carry a phone, you likely have wireless access in the palm of your hand. But how safe are these access points, and what risk do they pose to your security? Connection to public internet access exposes your data to eavesdropping through a method known as the “Evil Twin” attack.

What is an Evil Twin?

The Evil Twin is a type of man-in-the-middle attack where a fake access point is used to eavesdrop on activity. An attacker is then able to capture traffic or plant malware on the system. Evil twins appear to be legitimate access points by cloning the MAC address and the name or service set identifier (SSID) of the network. The evil twin is very similar to phishing and website spoofing in that it uses much the same tactics.

The evil twin attack begins by cloning a network SSID and pretending to be a local hotspot. An unsuspecting user then connects to the hotspot believing it to be the real one. Unbeknownst to the user, an attacker is actually intercepting all traffic between the user and the host, while also stealing personal data. This can lead to stolen credentials and sensitive information, resulting in identity theft or financial loss. This attack is so successful because most devices are unable to distinguish between two networks with the same name.

Implications to Cybersecurity

The Evil Twin attack poses a significant risk to cybersecurity. Employees may connect and log into a company website through a phony WiFi hotspot thinking it is a legitimate access point. The hacker behind the hotspot then obtains login credentials, and now has access to the company website. Additionally, the hacker is able to steal data or plant malware. Furthermore, attackers can use social engineering to clone a login page and kick users off the access point. This forces them to enter login credentials and reconnect through the attacker’s portal, where credentials are stolen, and traffic is monitored. End users are specifically at risk from evil twin attacks.

For example, perhaps a new coffee shop opens up that is named The Coffee Cafe. As part of their service, they offer free WiFi to their customers. A hacker, using their laptop and a few relatively inexpensive pieces of equipment, can broadcast that same SSID from a nearby source. But because the signal is stronger than the real network, customers will be tempted to select it over the legitimate access point. You spend the time surfing your social media accounts, checking your bank account, or even logging into a company portal. Meanwhile, the hacker has been capturing all of your login credentials and data. The hacker now has complete control over the WiFi session and is able to siphon data, create a back door, or inject malware onto the system.

Preventing the Evil Twin attack

Evil Twins are difficult to detect. This is because the SSID is identical to the real one, and attackers typically offer internet access. But there are steps you can take to prevent connection to an evil twin.


  • Employ the use of WiFi Intrusion Prevention Systems (WIPS) designed to detect unauthorized duplicate access points. This can help prevent employees or clients from connecting to an evil twin access point.
  • Protect access points through the use of a Personal Security Key (PSK) and provide it to employees and customers.

End Users:

  • Do not connect to open WiFi access points without verifying it as legitimate.
  • Disable to auto connect feature and promiscuous mode on all wireless devices.
  • Use a Virtual Private Network (VPN) to encapsulate all traffic if using a public access point.
  • Ask the establishment for the official name of their hotspot, and any security key if one exists.
  • Intentionally type in the wrong key. Some evil twins will grant access to the hotspot no matter what key is entered.
  • Avoid public free WiFi access altogether.

These are the best practices for using public WiFi hotspots. Following these steps can help protect you or your company from an Evil Twin attack.

Tags: , , , ,