/ THREATS — HOMOGLYPH SSID · MEDIUM

Homoglyph SSID

A network that looks pixel-identical to yours — spelled with letters that aren’t.

/ WHAT IT IS

What it is

A homoglyph SSID is a network whose name looks identical to one you trust but is spelled with different characters. Unicode contains many characters that render the same as common Latin letters — a Cyrillic “а” looks exactly like a Latin “a,” for example.

YOUR NETWORK
C
i
t
y
C
a
f
e
BROADCASTING NEARBY
C
i
t
y
C
а
f
e
U+0430
Cyrillic а
SSID LOOK-ALIKEsame pixels, different bytes — one letter isn't Latin

An attacker names a fake network using these look-alikes. To your eye it’s your network. To the computer it’s a completely different string — which is exactly what lets the attacker run an impersonation without colliding with the real name.

A network that looks pixel-identical to yours — spelled with letters that aren’t.

/ THE ATTACK

How attackers do it

The attacker substitutes one or more characters in a trusted SSID with confusable code points: Cyrillic or Greek look-alikes, Arabic-Indic digits, an em-dash in place of a hyphen, or spliced-in zero-width characters that are completely invisible.

Paired with an evil-twin access point, this is a powerful lure — the network name passes a human glance, and a distracted user taps connect.

/ DETECTION

How we detect it

WifiThreatWatch reduces every nearby network name to a canonical comparison key. It drops invisible format and zero-width characters, normalizes the text, strips combining marks, maps every Unicode digit to ASCII, and applies a curated confusables table for the substitutions normalization doesn’t catch.

NETWORK ACityCafe
NETWORK BCityCаfe
REDUCE
zero-width · marks · digits · confusables
KEY citycafe
SAME KEY · DIFFERENT BYTES → MEDIUM
CANONICAL KEYdifferent bytes that reduce to the same key are the tell

When two networks produce the same canonical form but have different raw characters, that’s a look-alike — flagged as a medium-severity alert. It deliberately does not case-fold, because SSIDs are case-sensitive and a difference in capitalization isn’t an attack.

FREE FOREVERFree in every WifiThreatWatch install.
[ ssid_confusables.py — Unicode canonical-form comparison ]
/ RESPONSE

How we stop it

Detection here is about awareness before you connect. WifiThreatWatch warns you that a look-alike of your network is broadcasting nearby — including the invisible-character tricks that no human eye, and most software, would ever notice.

If you do end up connecting to the impostor, the evil-twin and ARP detectors take over, and Active Defense is ready.

1
BEFORE CONNECTLook-alike flaggedcanonical-form match — even invisible characters
2
IF YOU CONNECTEvil-twin + ARP detectorsBSSID, gateway MAC and live ARP capture take over
3
ACTIVE DEFENSEIdentity reset + tunnelfresh MAC/IP, then an encrypted tunnel
LAYERED DEFENSEawareness is the first line — if you connect to the impostor anyway, two more layers are waiting
WITH SUBSCRIPTIONActive Defense + VPN response. Requires subscription (or the free 10-minute trial).

See it in action.
Download WifiThreatWatch.