Real scans of real networks — what the data actually shows, and what it means for you.
A shared, crowd-sourced database of confirmed WiFi attacks. When one WifiThreatWatch device catches an attack, every other one can be warned before connecting — the attacker’s rogue access point documented in full, your own network only ever as a one-way hash.
Our second airport field report: a WifiThreatWatch scan of Pensacola International Airport’s free WiFi — one well-run network on a security-focused DNS, but still open, still crowded, and not entirely without anomalies.
A first-party WifiThreatWatch scan of the public WiFi at Denver International Airport: every network open, one name broadcast by 73 access points, and live ARP + DNS anomalies the app flagged in real time.
Our eighth detector watches for the signature of a deauthentication flood — repeated disconnects while your real access point is still beaconing strong — the classic setup for forcing you onto an evil twin.
Our seventh detector catches tampered DNS answers by resolving canary domains whose correct IP is already known — flagging spoofing even when the resolver’s own address never changed.
Our sixth detector passively watches DHCP OFFER/ACK replies and flags any server that isn’t your real gateway handing out its own gateway and DNS — how an attacker becomes the middleman without touching ARP.
With ARP, evil-twin, and DNS detectors shipped, WifiThreatWatch now covers the man-in-the-middle attack end to end — detecting the concrete techniques that create one, verifying them, and breaking the attacker’s targeting.
Our fifth detector flags an unexpected change to the DNS resolver your device trusts — a clear fingerprint of evil-twin or man-in-the-middle redirection — while suppressing the resolver change its own VPN legitimately causes.
Our fourth detector catches look-alike network names — SSIDs spelled with confusable or invisible Unicode characters that render identical to yours — by reducing every nearby name to a canonical form.
Our third detector: a concurrent subnet ping-sweep that surfaces every device on your network, names it by manufacturer, and flags any MAC address it has never seen before — the foothold most attacks start from.
Our second detector: two-tier, mesh-aware evil-twin detection that checks BSSID, gateway MAC, and DNS to catch a fake access point wearing your network’s name — without crying wolf at your own eero or Orbi.
The first detector we shipped: real-time ARP spoofing detection that captures ARP frames off the wire to catch gateway impersonation as it happens — not by polling a cache the attacker already rewrote.