An evil twin is a malicious Wi-Fi network that impersonates a legitimate network. The attacker sets up a hotspot with the same SSID as a legitimate venue’s network (Starbucks_Free_Wifi, Hotel_Wifi, Airport_Free) at higher signal strength than the legitimate network. Devices configured to auto-connect to known SSIDs join the evil twin instead, and the attacker sees all traffic that does not have application-layer encryption.
What it means in practice
The attack is industrialized in pen-test toolkits (Wifi Pineapple, Bettercap, Aircrack-ng) and routinely deployed at security conferences as demonstration. The structural defense is application-layer encryption: HTTPS for web traffic (most major sites enforce HTTPS by default in 2026), TLS for email (most major providers enforce STARTTLS), and VPN for everything else. The remaining threat against an HTTPS-everywhere device is the redirect-to-captive-portal phase where the device shows the user a “log in to this network” page that may be a phishing page collecting credentials, and the auto-connect behavior that joins evil twins without user awareness. The DNS leak risk is also real: evil-twin DNS resolution can return fake IPs for sites the attacker wants to phish, defeated by encrypted DNS at the device level.
Where it shows up
Demonstrated at: every major security conference (Black Hat, DEF CON), in every published pen-test wireless training, and in documented incidents at airports, hotels, and coffee-shop chains where attackers set up evil twins at high signal strength. Targets: travelers connecting to public Wi-Fi, conference attendees, and any user whose device auto-connects to known SSIDs without verifying the underlying network identity. Defenders: device-side configurations that disable auto-connect, application-layer encryption that defeats traffic capture, and VPN configurations that route traffic through trusted tunnels regardless of the underlying network identity.
What you can change today
Three actions. First, disable auto-connect to public Wi-Fi networks: iPhone Settings, Wi-Fi, Auto-Join Hotspot off; Android Settings, Network and internet, Internet, gear icon next to network, Auto-connect off. Forget public networks after you leave them so future visits do not auto-rejoin. Second, run a no-log VPN always-on (Mullvad, Proton VPN, IVPN) so traffic on any network including evil twins is encrypted before leaving the device. Third, enable encrypted DNS at the OS level (iOS, Android, both support it natively in 2026) so DNS resolution is not subject to evil-twin DNS-redirect attacks.
