Sepio | Blog

Evil Twin Attack

Evil Twin Attack

Twins are sometimes so identical that it is almost impossible to tell them apart. And, in such cases, the uniform characteristics can be used for sinister activities, even evil. No, not like Ursula Buffay from Friends, but rather a type of WiFi attack known as an Evil Twin attack. This type of attack, which relies heavily on social engineering, occurs when a rogue access point (AP) spoofs a legitimate AP’s SSID (i.e., the WiFi name) and, in some cases, its BSSID (the MAC address).

By carrying out an Evil Twin attack, perpetrators can intercept the communication between the victim and the legitimate AP, without either entity knowing, known as a man in the middle hardware attack. In some cases, the malicious actor can gain log in credentials, access to sensitive data, or even carry out fraud. So how is this done?

Step 1: Create a hotspot

This step is fairly straightforward. In fact, you have probably already done it yourselves when you used your phone as a hotspot. In an Evil Twin attack, however, the rogue AP needs to mimic the legitimate one. That means changing the SSID to match that of the genuine AP. Again, this is a basic step and simply requires the attacker to change the name of the fake hotspot to that of the legitimate one so that when the unsuspecting victim sees it, they do not think anything of it. In some cases, the bad actor will also spoof the genuine AP’s BSSID so that security software solutions do not detect it as unauthorized.

Step 2: Have the victim connect

For devices that have not yet connected, the attacker can simply ensure that their signal is stronger than that of the genuine AP’s. In a case where the device has already connected to the legitimate AP. This is typically the case when targeting enterprise networks. The attacker can send deauthentication packets to the victim and the legitimate AP to block their connection. This prompts the user to reconnect. And, when doing so, will see the Rogue AP under the disguise of the legitimate one, thanks to SSID spoofing.

Step 3: Attacks

Attack 1 – Eavesdropping

An Evil Twin attack on a public network, such as those found in coffee shops or airports, allows attackers to act as a man-in-the-middle (MiTM). By intercepting the communication between the victim and the legitimate AP, the malicious actor can eavesdrop on and/or alter the traffic between the two entities.

Attack 2 – Phishing

When targeting an enterprise network, the attacker needs to bypass authentication and will do this through a phishing scam. As mentioned, the perpetrator will likely have to block the already-established connection between the victim and the legitimate AP, prompting the victim to try and reconnect – this time to the Rogue AP (which, to the victim, appears legitimate). In doing so, the user will be directed to a fake Captive Portal page that requires login details; the same as those required for the legitimate AP.

However, when the victim enters those details, they are being sent directly to the hacker. Although the hacker will not know the correct network password, they will know when the correct password has been entered. This is based on the network handshake that was captured during the deauthentication process. When the victim enters the correct information, the hacker can use these credentials to gain access and control of the target network.

See no evil

Since Evil Twin attacks can be carried out in public places, the attack surface increases significantly as WFH and BYOD trends become more widely adopted among enterprises. This is especially due to the COVID-19 pandemic spurring a significant, and immediate shift to remote work. However, the most dangerous characteristic of these attacks, which impacts both public and enterprise networks, is their covert nature. Besides appearing legitimate to the user due to a spoofed SSID, the Rogue AP is able to bypass network security solutions. This includes NAC, by spoofing the legitimate AP’s BSSID.

Essentially, the victim and the device can see no evil. And it is especially worrying when an enterprise network is targeted… Once the network login details are obtained, the attacker can gain access to the network. From here, the bad actor can monitor network traffic, steal data, inject malware, and more. This of course, causes harmful consequences to the enterprise.


Sepio’s solution provides a panacea to gaps in device visibility to ensure you are getting the most out of your cybersecurity investments. With Sepio’s solution, enterprises can be sure that they will not become victim to an Evil Twin attack. By constantly monitoring and analyzing all wireless communication in real-time through Machine Learning, Sepio can identify all devices operating within the enterprise’s environment, and which networks such devices are connected to by revealing the BSSID of all Access Points. With its policy enforcement mechanism, Sepio instantly detects suspicious connections and triggers a mitigation process through its integration with existing Network Access Control products.

With Sepio, enterprises can finally see evil – and be protected.  

May 18th, 2021