Vol. 1 · Ed. 2026
CyberGlossary
Entry № 442

Evil Twin Attack

Reviewed by Cybersecurity entrepreneur & security researcher

What is an Evil Twin Attack?

Evil Twin Attack: A Wi-Fi attack in which an adversary stands up a rogue access point that mimics a legitimate SSID, so victims connect to it and expose traffic or credentials.


An evil twin clones the SSID, BSSID, and sometimes the captive portal of a target Wi-Fi network — often a corporate or public hotspot — and broadcasts a stronger signal nearby. Victims (or their devices, set to auto-join) associate with the attacker's AP, after which the attacker can sniff traffic, run SSL stripping, harvest credentials via fake captive portals, inject malicious updates, or pivot into VPN tunnels. Defences include WPA3-Enterprise with server certificate validation, 802.1X with strict CA pinning, MDM that prevents automatic join to open or untrusted SSIDs, wireless intrusion-detection systems (WIDS) that flag duplicate SSIDs, and end-to-end encryption.
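The duplicate-SSID check a WIDS performs can be sketched as follows. This is an added example, not code from the glossary or from any WIDS product; the inventory, SSIDs, BSSIDs and beacon observations are all constructed, and it assumes a fixed channel plan (auto-channel or DFS deployments would need a set of allowed channels instead).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str   # security mode advertised in the beacon
    rssi_dbm: int   # kept so an analyst can locate the transmitter

# Hypothetical inventory of authorised APs: SSID -> {BSSID: (channel, security)}
AUTHORISED = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": (36, "WPA3-Enterprise"),
        "aa:bb:cc:00:00:02": (149, "WPA3-Enterprise"),
    },
}

def classify(beacon, inventory=AUTHORISED):
    """Return alert reasons for one beacon; an empty list means it matches the inventory."""
    aps = inventory.get(beacon.ssid)
    if aps is None:
        return []                       # not one of our managed SSIDs
    expected = aps.get(beacon.bssid.lower())
    if expected is None:
        return ["unknown-bssid"]        # our SSID from a radio we do not own
    channel, security = expected
    reasons = []
    # A known BSSID with the wrong parameters suggests the BSSID itself was cloned.
    if beacon.security != security:
        reasons.append("security-mismatch")
    if beacon.channel != channel:
        reasons.append("channel-mismatch")
    return reasons

def scan(beacons, inventory=AUTHORISED):
    """Return (bssid, reasons) for every beacon that disagrees with the inventory."""
    return [(b.bssid, r) for b in beacons if (r := classify(b, inventory))]

# Constructed sample observations from a monitoring sensor
SAMPLE = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 36, "WPA3-Enterprise", -61),
    Beacon("CorpWiFi", "de:ad:be:ef:00:10", 6, "Open", -38),
    Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "Open", -35),
    Beacon("CafeGuest", "11:22:33:44:55:66", 1, "Open", -70),
]

if __name__ == "__main__":
    for bssid, reasons in scan(SAMPLE):
        print(bssid, ", ".join(reasons))
```

Matching on the SSID alone would miss the third sample row, where the BSSID is on the allowlist but the advertised security mode and channel are not.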

Examples

  1. An attacker in a coffee shop broadcasting "AirportFreeWiFi" to capture roaming devices and intercept their HTTP traffic.

  2. A targeted enterprise attack using an SSID that matches the corporate Wi-Fi to phish 802.1X credentials.

Frequently asked questions

What is an Evil Twin Attack?

A Wi-Fi attack in which an adversary stands up a rogue access point that mimics a legitimate SSID, so victims connect to it and expose traffic or credentials. It belongs to the Attacks & Threats category of cybersecurity.

What does "Evil Twin Attack" mean?

A Wi-Fi attack in which an adversary stands up a rogue access point that mimics a legitimate SSID, so victims connect to it and expose traffic or credentials.

How do you defend against an Evil Twin Attack?

Defences against an evil twin attack typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for an Evil Twin Attack?

Common alternative names include: Rogue Wi-Fi, Fake hotspot.
