Evil Twin Attack

Evil Twin Attack

An Evil Twin Attack is a type of WiFi network attack where an attacker sets up a rogue access point that mimics a legitimate network. The rogue access point typically has a name and configuration that is very similar to the legitimate network.

Twins are sometimes so identical that it is almost impossible to tell them apart. And, in such cases, the uniform characteristics can be used for sinister activities, even evil. No, not like Ursula Buffay from Friends, but rather a type of WiFi attack known as an Evil Twin attack.

This type of attack, which relies heavily on social engineering, occurs when a rogue access point (AP) spoofs a legitimate access point’s SSID (i.e., the WiFi name). And, in some cases, its BSSID (the MAC address).

By carrying out an Evil Twin attack, perpetrators can intercept the communication between the victim and the legitimate access point (Protecting Remote Connections). Without either entity knowing, known as a Man in the Middle Attack. In some cases, the malicious actor can gain log in credentials, access to sensitive data, or even carry out fraud. So how is this done?

Step 1: Create a Hotspot

This step is fairly straightforward. In fact, you have probably already done it yourselves when you used your phone as a hotspot. In an Evil Twin attack, however, the rogue access point needs to mimic the legitimate one. That means changing the SSID to match that of the genuine access point. Again, this is a basic step and simply requires the attacker to change the name of the fake hotspot to that of the legitimate one so that when the unsuspecting victim sees it, they do not think anything of it.

In some cases, the bad actor will also spoof the genuine access point’s BSSID so that security software solutions do not detect it as unauthorized.

Step 2: Have the Victim Connect

An Evil Twin Attack occurs when an attacker creates a fake wireless access point that mimics a legitimate access point. For devices that have not yet connected, the attacker can simply ensure that their signal is stronger than that of the genuine access point’s.

In a case where the device has already connected to the legitimate access point (a scenario often seen in targeting enterprise networks), the attacker can send deauthentication packets to the victim and the legitimate access point to block their connection. This prompts the user to reconnect. And, when doing so, will see the Evil Twin Attack under the disguise of the legitimate one. Thanks to SSID spoofing. This malicious access point is often configured to have the same name (SSID) as the legitimate one. Making it difficult for users to distinguish between the two.

Evil Twin Attack
Evil Twin Attack

Step 3: Evil Twin Attack


An Evil Twin attack on a public network, such as those found in coffee shops or airports, allows attackers to act as a Man in the Middle Attack (MiTM Attack). By intercepting the communication between the victim and the legitimate access point, the malicious actor can eavesdrop on and/or alter the traffic between the two entities.


In an Evil Twin Attack on an enterprise network, the attacker aims to bypass authentication by using phishing tactics. As mentioned, the perpetrator will likely have to block the already-established connection between the victim and the legitimate access point, prompting the victim to try and reconnect. This time to the Rogue access point (which, to the victim, appears legitimate due to the Evil Twin Attack). In doing so, the user will be directed to a fake Captive Portal page that requires login details. The same as those required for the legitimate access point.

However, when the victim enters those details, they are being sent directly to the hacker. Although the hacker will not know the correct network password, they will know when the correct password has been entered.

This is based on the network handshake that was captured during the deauthentication process in the Evil Twin Attack. When the victim enters the correct information, the hacker can use these credentials to gain access and control of the target network.

Evil Twin Attacks in the Era of Remote Work

Since Evil Twin attacks can be carried out in public places, the attack surface increases significantly as remote work security (WFH) and bring your own device (BYOD) trends become more widely adopted among enterprises. However, the most dangerous characteristic of these attacks, which impacts both public and enterprise networks, is their covert nature. Besides appearing legitimate to the user due to a spoofed SSID, the rogue access point is able to bypass network security solutions. This includes NAC, by spoofing the legitimate access point’s BSSID.

Essentially, the victim and the device can see no evil. And it is especially worrying when an enterprise network is targeted… Once the network login details are obtained, the attacker can gain access to the network. From here, the bad actor can monitor network traffic, steal data, inject malware, and more. This of course, causes harmful consequences to the enterprise.

Sepio’s Asset Risk Management: Guarding Against Evil Twin Attacks

Sepio’s Asset Risk Management (ARM) provides a panacea to gaps in device visibility. Ensuring you are getting the most out of your cybersecurity investments. 

With Sepio’s solution, enterprises can be sure that they will not become victim to an Evil Twin attack. By constantly monitoring and analyzing all wireless communication in real-time through Machine Learning, Sepio can identify all devices operating within the enterprise’s environment. And which networks such devices are connected to by revealing the BSSID of all Access Points. With its policy enforcement mechanism, Sepio instantly detects suspicious connections and triggers a mitigation process through its integration with existing Network Access Control products.

See every known and shadow asset. Prioritize and mitigate risks.
Talk to an expert. It will help you understand how to use Sepio’s patented technology to gain control of your asset risks.

May 18th, 2021