Evil Twin Attacks at Airports: Documented Cases
What Is an Evil Twin Attack?
An evil twin attack creates a rogue WiFi access point that mimics a legitimate network. The attacker sets up an access point with the same SSID (network name) as the real network, often with a stronger signal. Devices connect to the rogue AP either automatically (if they have the SSID saved and auto-join enabled) or when users manually select what they believe is the legitimate network.
Once connected, all of the victim's internet traffic flows through the attacker's device. The attacker can observe unencrypted traffic, inject content into HTTP pages, present fake login portals, and log every DNS request to build a profile of the victim's online activity.
Evil twin attacks have been demonstrated at security conferences for over two decades. But documented cases of criminal prosecution reveal that these attacks are not just theoretical - they happen in real airports, to real passengers, with real consequences.
The 2024 Australian Case
In mid-2024, Australian Federal Police arrested a man for allegedly conducting evil twin attacks at Perth, Melbourne, and Adelaide airports, as well as on domestic flights. The case is one of the few documented criminal prosecutions for this type of attack.
graph TD
subgraph "Australian Evil Twin Attack"
A[Suspect Sets Up Rogue AP] --> B[SSID Matches Airport Free WiFi]
B --> C[Passengers Connect]
C --> D[Fake Captive Portal Displayed]
D --> E[Portal Requests Email Login]
E --> F[Credentials Captured and Stored]
F --> G[User Redirected to Real Internet]
end
subgraph "Locations"
H[Perth Airport]
I[Melbourne Airport]
J[Adelaide Airport]
K[Domestic Flights]
end
The 2024 Australian evil twin attack flow - fake captive portals at multiple airports
According to police reports, the suspect used a portable device to create a WiFi network that mimicked the free airport WiFi. When passengers connected, they were presented with a fake captive portal - a login page that looked like the standard airport WiFi sign-in. The page requested email addresses and passwords, which were stored on the suspect's device.
The suspect allegedly conducted these attacks at multiple airports and on flights between cities. Police seized a portable wireless device, a laptop, and a mobile phone during the arrest. The case highlighted that evil twin attacks require minimal equipment and can be conducted by a single person in crowded public spaces.
Why Airports Are Ideal Targets
Several factors make airports particularly vulnerable to evil twin attacks. First, passengers expect free WiFi and actively look for it. The psychological expectation of open WiFi reduces suspicion when a network appears.
Second, airport WiFi typically uses captive portals - web pages that appear when you first connect, asking you to accept terms of service or enter an email address. Passengers are conditioned to see these portals and enter information. A fake portal that requests slightly more information (like a password) may not raise alarms.
Third, airports are high-density environments with hundreds or thousands of potential victims in close proximity. The attacker does not need to move - victims come to them and stay for extended periods while waiting for flights.
Fourth, passengers are often distracted, tired, and in a hurry. They are less likely to scrutinize a WiFi login page when they are rushing between gates or trying to get online during a layover. Business travelers may be particularly motivated to connect quickly to check email or join conference calls.
The Attack Mechanics
Setting up an evil twin requires surprisingly little equipment. A laptop with a wireless adapter capable of access point mode, or a dedicated portable router, is sufficient. The software required is freely available - hostapd for creating the access point, dnsmasq for DHCP and DNS, and a simple web server for the captive portal page.
graph TD
subgraph "Evil Twin Components"
A[Rogue Access Point] --> B[DHCP Server]
B --> C[DNS Server]
C --> D[Captive Portal Web Server]
D --> E[Credential Logger]
A --> F[Internet Uplink - Optional]
end
subgraph "Attack Variants"
G[Passive Monitoring - Watch Traffic]
H[Active Interception - Modify Traffic]
I[Credential Harvesting - Fake Portals]
J[SSL Stripping - Downgrade HTTPS]
end
Evil twin attack components - the attacker needs only basic wireless hardware and free software
The attacker configures the access point with the same SSID as the target network. In an airport, this might be "Airport_Free_WiFi" or the specific airport's branded network name. No password is set, matching the open nature of the legitimate airport network. Clients that have the SSID saved treat every open network with that name as the same network and, when they associate, generally pick the BSSID with the strongest signal, so the rogue AP is often run at a higher power level than the legitimate access points. A device that is already connected will not normally roam to the rogue AP unless its current connection degrades, which is why these attacks catch devices as they arrive and wake up rather than pulling them off a working link.
When a victim connects, the rogue AP's DHCP server assigns an IP address and sets itself as the default gateway and DNS server. All of the victim's traffic now flows through the attacker. The DNS server answers every query with the portal's own address, so the first HTTP request the device makes (often the operating system's own connectivity check) lands on the fake captive portal, which presents a convincing login page.
What Research Shows About Capture Rates
Academic research on evil twin attack effectiveness shows mixed results, largely because the success rate depends heavily on what the attacker is trying to capture.
For credential harvesting through fake captive portals, research papers have reported that 30-60% of users will enter some form of credentials when presented with a convincing login page. The rate is higher when the portal mimics a familiar service (like "Sign in with Google") and lower for generic forms.
For passive traffic interception, the picture has changed dramatically with the adoption of HTTPS. In 2015, approximately 40% of web traffic was encrypted. By 2026, over 95% of web traffic uses HTTPS. This means that an attacker conducting a passive evil twin attack sees encrypted traffic for almost all web browsing. They can observe DNS queries (revealing which sites the victim visits) and connection metadata, but they cannot read the content of HTTPS-protected communications.
However, certain data remains vulnerable. DNS queries are typically unencrypted (unless the device uses DNS-over-HTTPS or DNS-over-TLS), and the SNI field of a TLS handshake also reveals the destination hostname. Some mobile apps still transmit data over HTTP. SSL stripping is largely blocked for sites on the HSTS preload list and for browsers running in HTTPS-only mode, but it still works against first visits to sites that rely on a plain HTTP redirect. And credentials entered on fake captive portal pages are captured regardless of HTTPS adoption, because the victim is submitting them directly to the attacker's server rather than to the real service.
DEF CON Demonstrations
Evil twin attacks have been demonstrated at DEF CON and other security conferences for years. The Wall of Sheep (covered in a separate article) captures credentials from conference WiFi, but dedicated evil twin demonstrations have shown the technique's effectiveness even against technically sophisticated audiences.
In multiple DEF CON demonstrations, researchers have set up rogue access points in conference areas and tracked how many devices connected automatically. The numbers are consistently high - even at a security conference where attendees should know better. The automatic connection behavior of mobile devices means that many connections happen without any user interaction.
Defense Strategies
Defending against evil twin attacks requires a combination of technical measures and behavioral awareness.
Use a VPN. A properly configured VPN encrypts all traffic between your device and the VPN server, rendering evil twin interception useless for content monitoring. The attacker can see that you are using a VPN, but cannot read the encrypted traffic. Two caveats: the VPN tunnel cannot come up until the captive portal has been satisfied, so anything you type into the portal page is sent before the VPN protects you, and a VPN client without a kill switch may leak DNS queries and traffic during that window.
Never enter real credentials on captive portals. If an airport WiFi asks you to "sign in with Google" or enter an email password, that is a red flag. Legitimate airport WiFi captive portals typically ask for agreement to terms of service, not authentication credentials for third-party services.
Use cellular data when possible. Your phone's cellular connection is not vulnerable to WiFi evil twin attacks. For sensitive activities like banking or email, cellular data is generally safer than an unknown WiFi network.
Verify the domain. Before entering any credentials on any website while connected to public WiFi, check that the connection is HTTPS and read the domain name in the address bar carefully; most current browsers no longer show a padlock, and a padlock only ever proved the connection was encrypted, not that the site was genuine. A fake Google login page at google-airport-login.com is not Google.
Disable auto-connect to open networks. Both iOS (the per-network Auto-Join switch) and Android (the per-network auto-connect setting) allow you to prevent automatic connection to known open networks, and forgetting a public network after use removes it from the list your device will join silently. This forces you to manually select networks, giving you an opportunity to evaluate whether the network is legitimate.
Scanning for Rogue Access Points
The BLEShark Nano can scan the 2.4GHz WiFi environment to identify access points broadcasting in your area. During authorized security assessments, this capability reveals rogue access points that may be operating alongside legitimate infrastructure. Because it covers only 2.4GHz, a rogue AP on a 5GHz or 6GHz channel will not appear in its results, so pair it with a dual-band scanner when the legitimate network also operates there.
For corporate security teams, periodic scanning for unauthorized access points is a standard practice. An evil twin inside your office - broadcasting your corporate SSID - is a serious threat because employees may connect automatically with their corporate credentials. The Nano's portable form factor makes it practical to walk through facilities and map the wireless environment, identifying any access points that should not be there.
Airport security teams and facilities managers can use similar scanning techniques to detect evil twin attacks in progress. An access point broadcasting the airport's WiFi SSID that does not match any known infrastructure MAC address is a strong indicator of malicious activity. Since a BSSID can be cloned as easily as an SSID, a match on MAC address alone is not proof of legitimacy either: compare the channel, signal level, vendor and advertised capabilities against the inventory, and treat a known BSSID seen on an unexpected channel as suspicious.
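The inventory comparison described above, for corporate and airport teams alike, as an added example that is not part of the original page or of the BLEShark Nano's own software: it parses the text output of Linux's `iw dev <iface> scan`, converts frequencies to channels, and checks each access point that advertises a protected SSID against an inventory of authorized BSSIDs and their channels. The scan output, BSSIDs, SSID, channels and signal levels are all constructed for the example; the inventory format (SSID to a map of BSSID to channel) is an assumption of this example, not a standard.

```python
import re

# Constructed sample of `iw dev wlan0 scan` output: two legitimate APs, one
# evil twin with an unknown BSSID, and one entry where a legitimate BSSID has
# been cloned onto a different channel. All addresses and values are made up.
SCAN_OUTPUT = """\
BSS aa:bb:cc:00:01:01(on wlan0)
    freq: 2412
    capability: ESS ShortSlotTime (0x0401)
    signal: -62.00 dBm
    SSID: Airport_Free_WiFi
BSS aa:bb:cc:00:01:02(on wlan0)
    freq: 2462
    capability: ESS ShortSlotTime (0x0401)
    signal: -70.00 dBm
    SSID: Airport_Free_WiFi
BSS de:ad:be:ef:00:01(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    signal: -31.00 dBm
    SSID: Airport_Free_WiFi
BSS aa:bb:cc:00:01:02(on wlan0)
    freq: 2437
    capability: ESS ShortSlotTime (0x0401)
    signal: -33.00 dBm
    SSID: Airport_Free_WiFi
BSS 11:22:33:44:55:66(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -80.00 dBm
    SSID: SomeoneElsesHotspot
"""

# Assumed inventory format: SSID -> {authorized BSSID: expected channel}.
INVENTORY = {
    "Airport_Free_WiFi": {
        "aa:bb:cc:00:01:01": 1,
        "aa:bb:cc:00:01:02": 11,
    },
}

BSS_RE = re.compile(r"^BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)


def freq_to_channel(mhz: int) -> int:
    """Map a centre frequency in MHz to its 802.11 channel number."""
    if mhz == 2484:
        return 14
    if 2412 <= mhz <= 2472:
        return (mhz - 2407) // 5
    if 5000 <= mhz <= 5925:
        return (mhz - 5000) // 5
    raise ValueError(f"unsupported frequency {mhz} MHz")


def parse_iw_scan(text: str) -> list:
    """Parse `iw ... scan` output into one dict per BSS entry."""
    aps, cur = [], None
    for raw in text.splitlines():
        m = BSS_RE.match(raw)
        if m:
            cur = {"bssid": m.group(1).lower(), "ssid": "", "channel": None, "signal": None}
            aps.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("freq: "):
            cur["channel"] = freq_to_channel(int(float(line.split()[1])))
        elif line.startswith("signal: "):
            cur["signal"] = float(line.split()[1])
        elif line.startswith("SSID: "):
            cur["ssid"] = line[len("SSID: "):]
    return aps


def find_rogue_aps(aps: list, inventory: dict) -> list:
    """Flag APs advertising an inventoried SSID that are not in the inventory,
    and inventoried BSSIDs seen on a channel other than the one recorded."""
    alerts = []
    for ap in aps:
        known = inventory.get(ap["ssid"])
        if known is None:
            continue  # SSID we do not own: out of scope for this check
        expected = known.get(ap["bssid"])
        if expected is None:
            alerts.append(f"unknown BSSID {ap['bssid']} advertising '{ap['ssid']}' "
                          f"on channel {ap['channel']} at {ap['signal']} dBm")
        elif expected != ap["channel"]:
            alerts.append(f"known BSSID {ap['bssid']} seen on channel {ap['channel']}, "
                          f"inventory says {expected}: possible BSSID spoofing")
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(parse_iw_scan(SCAN_OUTPUT), INVENTORY):
        print(alert)
```

Run against a live interface with `iw dev wlan0 scan` piped into `parse_iw_scan`. The channel comparison is what catches a cloned BSSID; the very strong signal on the unknown entry is reported but not used as a rule, because signal level depends too much on where you are standing to be a reliable indicator on its own.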