/ FIELD REPORT — JUN 28, 2026

Before you tap ‘connect’ at Denver Airport, here’s what’s actually on that WiFi.

One laptop, the public terminal WiFi, and WifiThreatWatch running in the background. The short version: everything is wide open — and that’s only where it starts.

On June 28, 2026, we ran WifiThreatWatch on a Windows laptop while connected to the public WiFi at Denver International Airport (DEN). In under an hour it logged four or more open airport networks, one network name being broadcast by 73 different access points, and a handful of live ARP and DNS anomalies. None of the networks used any encryption.

At a big airport, dozens of access points broadcast the exact same network name — which means you physically cannot tell a real one from a fake one by looking. That ambiguity is the whole problem.

Important up front: these are indicators the app flagged, not proof of a specific attack or attacker. See the methodology and caveats at the end — we take them seriously.

/ FINDING 01

Every airport network was open

Not one of the airport networks we saw used encryption — they’re “open” networks, the kind you join with one tap and no password. That’s normal for public WiFi and convenient by design, but it means the data leaving your device isn’t protected by the network itself. Anything not independently encrypted (by HTTPS, or a VPN) is potentially readable by others on the same open network.

Airline lounge guest networkOPEN
DEN Airport Free WiFi 2.4GOPEN
DEN Airport Free WiFiOPEN
Other airport guest networksOPEN
ENCRYPTION AUDITevery airport network the scan saw was open — no WiFi-layer encryption

Open is the baseline risk. The interesting part is what an open, crowded airport network looks like once you’re actually watching it.

/ FINDING 02

One network name, 73 access points

The busiest network, “DEN Airport Free WiFi 2.4G,” was being advertised by 73 distinct access points during our scan. WifiThreatWatch recognized 52 of them as consistent airport hardware and flagged the rest — logging 18 “suspicious BSSID” notices and 3 “evil-twin-nearby” alerts, where a different-vendor access point was broadcasting the same name and out-signaling the real one (in one case 75% signal versus 63%).

“DEN Airport Free WiFi 2.4G” · 73 access points
52 recognized18 suspicious BSSID3 evil-twin-nearby
One twin out-signaled the real access point — 75% vs 63% signal.
SSID ROSTER73 access points, one network name — 52 recognized, 18 suspicious BSSID, 3 evil-twin-nearby

Here’s the honest read: an airport this size legitimately runs hundreds of access points, often from multiple vendors, all sharing one SSID — so many of those flags are probably benign infrastructure. We are not claiming DEN is riddled with evil twins. The catch is that this is exactly the environment an actual evil twin hides in: when 73 access points share one name, one more — an attacker’s — is invisible in the crowd. You can’t audit it by eye. Software can.

/ FINDING 03

Live ARP and DNS anomalies

On one airline lounge guest network in the terminal, WifiThreatWatch logged 5 ARP-spoofing indicators in a two-minute window — a device’s IP-to-MAC binding flipping between hardware addresses within seconds, which is a classic ARP cache-poisoning signature and the mechanism behind most man-in-the-middle attacks. Roughly 37 devices were visible on that network at the time. Separately, the DNS resolver changed on several airport networks during the session.

IP-TO-MAC BINDING · ONE DEVICE
IP ··.··.··.19A4:··:··:··:··:1F
binding re-pointed to a different MAC within seconds — classic ARP cache-poisoning signature
0:00
2:00
5 ARP-spoofing indicators logged
ARP CACHEairline-lounge net — one IP’s hardware address kept flipping (~37 devices present)

Caveat, again: busy public networks can produce some ARP and DNS churn for benign reasons — device MAC randomization, DHCP renewals, roaming between access points. We’re reporting what the app logged, not the intent behind it. But these are the precise signals you’d want to know about, and no traveler staring at a WiFi icon would ever see them.

/ THE SCORE

Exposure ratings (our model)

We scored each network on a simple, transparent model: start from “open/unencrypted,” then add weight for evil-twin indicators, ARP-spoofing indicators, DNS anomalies, and how many devices were exposed on the same network. It’s a risk-exposure rating, not a verdict that an attack occurred.

Airline lounge guest networkOpen · 5 ARP-spoofing indicators · 2 DNS changes · ~37 devices visibleHigh
DEN Airport Free WiFi 2.4GOpen · 73 access points sharing the name · 18 suspicious-BSSID + 3 evil-twin-nearby flagsElevated
DEN Airport Free WiFiOpen · Unencrypted · DNS resolver changeModerate
Other airport guest networksOpen · Unencrypted · DNS resolver changesModerate
/ THE TAKEAWAY

What this means if you fly through DEN

Public airport WiFi is open, crowded, and full of signals you can’t interpret from the login screen. The practical advice hasn’t changed: prefer your phone’s hotspot for anything sensitive, make sure sites are HTTPS, and use a VPN to encrypt your traffic. But note the gap — a VPN encrypts what you send; it doesn’t tell you there’s an evil twin or a man-in-the-middle in the room. That’s the difference between privacy and security.

/ THE TOOL

How we saw all of this

Everything above came from WifiThreatWatch running quietly on a Windows laptop. It watches the network you’re on in real time, surfaces every device, and flags the signatures of an attack — evil-twin indicators, ARP spoofing, DNS anomalies, rogue devices — as they happen. Real-time detection is free. If it confirms an attack, the paid response can break the attacker’s targeting and route you through an encrypted tunnel.

FREE FOREVERWant to run your own scan? Real-time detection is free, for Windows.

Related: how to tell if someone is on your WiFi · the threats library · WiFi security FAQ

/ METHODOLOGY & CAVEATS

Data was collected on a single Windows laptop during one visit to Denver International Airport on June 28, 2026, using WifiThreatWatch in passive monitoring mode. We only observed networks we were connected to or in range of; we did not attempt to intercept, attack, or access any other person’s device.

The app reports indicators, not confirmed attacks. At an airport, many access points legitimately share one network name and come from multiple hardware vendors, which can trigger evil-twin and suspicious-BSSID heuristics — so those flags are ambiguous by nature. ARP and DNS anomalies on busy public networks can also have benign causes (MAC randomization, DHCP renewals, roaming). We report what was logged, not the intent behind it, and we have not attributed any activity to any person or organization.

Don’t trust the WiFi icon.
See what’s really there.