It looks identical, it works the same, and everything you type goes through someone else's computer. The evil twin attack, explained.
An evil twin is a WiFi network set up by someone in (or near) a public venue that uses the same name as the venue's real WiFi — so your phone or laptop can't tell them apart. The attacker's laptop sits between you and the internet, watching everything. Recent attacks have hit airline lounges, big-chain cafes, and conference centres. Five tells, and one habit that beats them all.
How the attack works

The attacker brings a small device into a cafe and has it broadcast a WiFi network with the same name as the real one, but with a stronger signal. Your phone, which connected to the real network last week, sees the same network name now with a stronger signal — and silently connects to it. Every site you visit is now routed through the attacker's device. They can read what you do, modify what comes back, and serve you fake login pages for any site you visit. You don't know any of this because everything looks normal. They walk out of the cafe twenty minutes later with everyone's credentials.
If you tap the WiFi icon and see TWO networks with the same name (or near-identical names: "CafeName" and "CafeName-Free" and "CafeName_Guest"), at least one is wrong. Don't connect to either — ask the venue staff which is the real one. Or just tether.
If a venue normally puts the WiFi password on a sign and today the network is open, suspect an evil twin. Real venues rarely change WiFi security overnight. Open is convenient for everyone — including the attacker.
If you've connected here before and the captive portal (the login splash) looks different — different colours, different fields asked for, asking for email when it used to be free — pause. The captive portal can be the actual attack: capture your email, then phish it next week.
After connecting, if a normally-fine website suddenly shows a certificate warning, the network is intercepting your traffic. Disconnect immediately. Most evil-twin setups are sloppy enough that they break HTTPS on at least some sites.
If you walk in and the venue WiFi is showing five bars from the moment you sit down — much stronger than usual — that's because the evil twin device is closer to you than the real router. Real venue WiFi usually has dead spots; suspiciously perfect signal everywhere is unusual.
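The duplicate-name, suddenly-open and too-strong-signal tells above can be checked mechanically against a WiFi scan. The Python below is an added example, not part of the original article; the scan records, the list of name suffixes and the 85% signal threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample scan: (SSID, BSSID, security, signal %). Not real data.
SCAN = [
    ("CafeName", "aa:bb:cc:00:00:01", "WPA2", 48),
    ("CafeName", "aa:bb:cc:00:00:02", "WPA2", 41),
    ("CafeName", "12:34:56:00:00:09", "OPEN", 97),
    ("CafeName-Free", "12:34:56:00:00:0a", "OPEN", 95),
    ("OtherShop", "de:ad:be:00:00:01", "WPA2", 30),
]

def base_name(ssid):
    """Normalise an SSID so 'CafeName', 'CafeName-Free' and 'CafeName_Guest' compare equal."""
    s = re.sub(r"[-_ ]?(free|guest|wifi|public)$", "", ssid.strip().lower())
    return re.sub(r"[^a-z0-9]", "", s)

def evil_twin_tells(scan, strong=85):
    """Return {normalised name: [warnings]} for networks showing the tells described in the text."""
    groups = defaultdict(list)
    for ssid, bssid, sec, signal in scan:
        groups[base_name(ssid)].append((ssid, bssid, sec, signal))
    findings = {}
    for name, aps in groups.items():
        warnings = []
        ssids = sorted({a[0] for a in aps})
        secs = {a[2] for a in aps}
        if len(ssids) > 1:
            warnings.append("near-identical names: " + ", ".join(ssids))
        # Several access points sharing one SSID is normal; mixed security is not.
        if "OPEN" in secs and len(secs) > 1:
            warnings.append("same name offered both open and password-protected")
        top = max(aps, key=lambda a: a[3])
        if top[2] == "OPEN" and top[3] >= strong and len(aps) > 1:
            warnings.append(f"strongest signal ({top[3]}%) is open access point {top[1]}")
        if warnings:
            findings[name] = warnings
    return findings

if __name__ == "__main__":
    for name, warnings in evil_twin_tells(SCAN).items():
        print(name, "->", "; ".join(warnings))
```

A clean result does not prove the network is genuine, since a twin that copies the real network's security setting and keeps its signal modest raises none of these flags.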
Easiest defence: don't use venue WiFi at all. Tethering takes 10 seconds, uses your own LTE, and is mathematically immune to evil-twin attacks (because the attacker doesn't have your hotspot's password). The 2GB you'll use over the course of a meeting costs less than a coffee. See the tethering guide.
Evil twin is just one of several public-WiFi-specific attacks. Read the lot together.
If your team works from airports, hotels, and client sites, this is the attack class that targets them. whedo.it bundles always-on VPN, device security baseline, and traveller-aware Conditional Access policies for managed clients with hybrid workforces.
No deck, no pitch — walk your environment with a senior Australian practitioner. Confidential by default.
I built this business because I wanted to do Managed services properly — for a small number of clients, at a senior level, with the same person on the end of the phone every time. The work is too important and the stakes are too high for anything less.
Behind the formal qualifications: a Cyber Security degree from the University of the Sunshine Coast, currently working on my Master’s, plus a continuous stack of Microsoft, Acronis and Nerdio certifications — the ones that have to be renewed because the threats don’t stay still.
Behind the certifications: thirty years of doing the work. I cut my teeth in consulting, then went to Cisco on the team building the original iPhone — Cisco’s VoIP handset, the trademark Apple later acquired in the 2007 settlement. At TPG in 1999 I sold frame-relay networks when frame-relay was the cutting edge of business connectivity. I built and sold a Sydney-based MSP called Online IT before relocating to Perth.
Three decades of watching what’s actually changed and what hasn’t. The technology has changed almost beyond recognition. The principles haven’t. Identity first. Backup that has actually been tested. A senior practitioner who knows your environment. Calm in an incident. Honest answers when the answer is “no.”
That’s whedo.it. That’s the brief. That’s why long-tenure clients don’t leave.
— Warren Ephron, Director