/ THREATS — EVIL TWIN · CRITICAL

Evil Twin

You think you’re on your network. You’re on theirs.

/ WHAT IT IS

What it is

An evil twin is a fake WiFi access point. The attacker stands up their own hardware that broadcasts the same network name (SSID) as one you trust — “CoffeeShop_WiFi,” your home network, an airport hotspot — hoping your device connects to it instead of the real one.

Once you’re on their access point, the attacker is your gateway to the internet. They can read unencrypted traffic, run a man-in-the-middle, serve fake login pages, and tamper with DNS — all while your device shows a perfectly normal WiFi connection.

You think you’re on your network. You’re on theirs.

/ THE ATTACK

How attackers do it

Setting one up is cheap. The attacker copies a legitimate network’s SSID and broadcasts it from their own access point — often with a stronger signal so nearby devices prefer it. Many devices will auto-join a remembered network name without checking that the hardware behind it is the same one they trusted before.

CoffeeShopreal routerYOUyour deviceCoffeeShopevil twinauto-joins the stronger signal
EVIL TWINsame SSID, stronger signal — the device prefers the attacker's access point

Sophisticated variants forward your traffic to the real internet so nothing seems wrong, and run a transparent DNS proxy so resolved names look identical — while the attacker silently substitutes the router underneath.

/ DETECTION

How we detect it

WifiThreatWatch works on two layers. First, a rolling environmental scan enumerates every access point advertising your network’s name. A new access point outside your network’s legitimate “vendor space” is flagged — and escalated when it out-signals your real router, a strong twin indicator.

Second, a connection-state monitor checks your current association against the saved baseline on three axes: BSSID (the access point’s hardware address), gateway MAC (your router’s identity), and DNS resolver. A hard mismatch on BSSID or gateway MAC means you may now be on the fake access point — a full alarm.

BSSID
aa:11:e8aa:11:e8
GATEWAY MAC
e8:d1:1be8:d1:1b
DNS RESOLVER
1.1.1.11.1.1.1
BASELINE MATCH — trusted hardware
BASELINE CHECKthe current association weighed against the saved BSSID, gateway MAC and DNS

Crucially, detection is mesh-aware. Mesh systems like eero, Orbi, Nest WiFi, Deco, AiMesh, and Plume legitimately use multiple access points with different hardware addresses, so we recognize your own roaming nodes — by both hardware prefix and manufacturer — and only flag hardware that genuinely doesn’t belong.

FREE FOREVERFree in every WifiThreatWatch install.
[ wifi_scanner.py — two-tier BSSID / gateway MAC / DNS checks ]
/ RESPONSE

How we stop it

When you’ve actually landed on an evil twin, that’s a critical event — the same full-screen alarm and Active Defense response as a confirmed ARP attack. Because an evil twin and a gateway ARP spoof can be the same attack seen by two detectors, we de-duplicate them so you see one verified alert, not two.

EVIL-TWIN DETECTORfires on the same attackARP DETECTORfires on the same attackDE-DUPcorrelate1verified alert
ONE VERIFIED ALERTan evil twin and a gateway ARP spoof are often one attack — we de-duplicate them so you act once

Tap Protect Me and we break the attacker’s hold — fresh network identity, then an encrypted tunnel to a server we control.

See the full Active Defense flow →

WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.