What an evil twin is

An evil twin is a Wi-Fi network broadcast by an attacker using the same SSID as a real one nearby. Hardware is cheap: a laptop running Aircrack-ng or Wifiphisher, or a $40 Raspberry Pi with two USB adapters. The attacker transmits with more power, or simply sits closer to you, so your phone sees the stronger signal and prefers it. Your phone connects silently, with no warning and no password prompt. Open Wi-Fi has no authentication of the access point by design, and a passworded network whose passphrase is printed on the menu board is only slightly better: anyone who knows the passphrase can stand up an indistinguishable copy.

The 7 places to expect evil twins

Anywhere there is a crowd, an obvious official Wi-Fi name, and people in a hurry to connect. These are the seven highest-risk environments in 2026.

1. Airports, especially small regional ones

Heathrow and JFK get attention, but small regional airports are worse per-traveler because they rarely sweep for rogue access points. The UK CAA's 2024 advisory was prompted by rogue networks at Heathrow mimicking the official "_Heathrow Wi-Fi" SSID.

2. Hotels and conference centers

A rogue "Marriott_Guest" or "Hilton_Honors_WiFi" in the lobby pulls connections from anyone who recently stayed at that chain. Conference Wi-Fi is worse: attendees join whatever name matches the event.

3. Cafes and coffee chains

Starbucks_WiFi, Costa_Free, McDonalds_FreeWiFi. SSIDs are predictable and staff cannot tell a real router from a fake on the next table.

4. Public libraries

Library Wi-Fi is free and unauthenticated. An attacker spoofing "City_Library_Public" harvests traffic from students and seniors who bank and check email on their own phones and laptops over the library network.

5. Apartment building lobbies and shared spaces

Complexes advertise "free building Wi-Fi" in lobbies and gyms. A resident with a Raspberry Pi can spoof the building network from inside a unit, 24/7.

6. Trains and intercity buses

Amtrak_WiFi, FlixBus_Free, Eurostar_Onboard. Real onboard Wi-Fi is slow, so when "the same network" suddenly works faster, passengers switch without asking why.

7. Outdoor public squares and event venues

City-sponsored Wi-Fi in plazas, parks, festivals, and stadiums is rarely authenticated. Anywhere a city advertises its hotspot, an attacker can stand up a copy.

What happens after you connect

The attacker now sits between your phone and the internet. Four attacks become possible.

Traffic interception. Anything over plain HTTP, plain DNS, or unencrypted app APIs is readable on the attacker's screen.

Captive portal phishing. The most common payload. Instead of the real sign-in, you see a captive portal asking you to "Sign in with Google" or "Sign in with Facebook". The page is pixel-perfect, submits credentials to the attacker, and forwards you to the real internet.

SSL stripping on older sites. Without HSTS, the attacker's proxy fetches the real HTTPS site and rewrites every https:// link in it to http://, so your browser keeps talking to the attacker in the clear while the attacker talks to the bank over TLS. The domain in the URL bar is correct; only the padlock is missing. Sites on the HSTS preload list are immune because the browser refuses plain HTTP for them before the first request is ever sent. Banks have mostly fixed this; smaller portals remain vulnerable.

DNS hijacking. The attacker runs the network's DNS server. Type chase.com and they answer with a phishing server's IP. The URL bar looks right; the page is fake. On an HTTPS site this produces a certificate warning, because the attacker cannot obtain a valid certificate for a domain they do not control, so the attack relies on you clicking through the warning or on the site still accepting plain HTTP.
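What "readable on the attacker's screen" means in practice, as an added example that is not part of the original article: a small Python script that does what the DEFCON Wall of Sheep does, pulling credentials out of plaintext HTTP while skipping anything it cannot parse. The three captured payloads are constructed inline (hostnames and credentials are made up); on a real rogue AP they would come from tcpdump on the upstream interface.

```python
"""Mini 'wall of sheep': what an evil twin operator reads off plaintext traffic.

Added example, not code from the original article. Input is a constructed list
of TCP payloads standing in for what tcpdump would hand back from the rogue
AP's upstream interface; hostnames and credentials are made up.
"""
import base64
import re
from urllib.parse import parse_qs

USER_KEYS = re.compile(r"^(user(name)?|login|email|uid)$", re.I)
PASS_KEYS = re.compile(r"^(pass(word|wd)?|pwd|secret)$", re.I)


def parse_http_request(payload: bytes):
    """Return (method, path, headers, body) for a plaintext HTTP request, else None.

    TLS records, binary protocols and mid-stream segments have no request line
    followed by a blank line, so they fall out here: that is exactly the traffic
    the attacker cannot read.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), headers, body


def extract_credentials(payloads):
    """Scan captured payloads for HTTP Basic auth and login-form POSTs."""
    found = []
    for payload in payloads:
        req = parse_http_request(payload)
        if req is None:
            continue
        _method, path, headers, body = req
        host = headers.get("host", "?")
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            except ValueError:      # binascii.Error is a ValueError
                decoded = ""
            user, sep, password = decoded.partition(":")
            if sep:
                found.append({"host": host, "path": path, "user": user,
                              "password": password, "via": "basic-auth"})
        if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
            form = {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
            user = next((v for k, v in form.items() if USER_KEYS.match(k)), None)
            password = next((v for k, v in form.items() if PASS_KEYS.match(k)), None)
            if user is not None and password is not None:
                found.append({"host": host, "path": path, "user": user,
                              "password": password, "via": "form-post"})
    return found


# Constructed sample capture (not real traffic): a plain-HTTP login form, a
# Basic-auth request to a LAN device, and the start of a TLS ClientHello.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: portal.example-cafe.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 46\r\n\r\n"
    b"username=alice%40example.test&password=hunter2",
    b"GET /admin HTTP/1.1\r\nHost: 192.168.4.20\r\n"
    b"Authorization: Basic Ym9iOnMzY3IzdA==\r\n\r\n",
    bytes.fromhex("16030100c5010000c10303") + b"\x00" * 16,
]

if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_PAYLOADS):
        print(f"{cred['via']:10} {cred['host']}{cred['path']}  {cred['user']}:{cred['password']}")
```

The third payload is the start of a TLS handshake: it never gets past parse_http_request, which is the whole argument for HTTPS-only mode. The field-name patterns are a heuristic; real tooling also watches IMAP, POP3, FTP and SMTP logins, which are just as readable when sent without TLS.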

Real cases

DEFCON Wall of Sheep. Since the early 2000s, DEFCON has displayed credentials sniffed off conference Wi-Fi on a live wall. It fills within hours every year, despite a security-aware audience.

2019 US Air Force base evil twin. A contractor stood up a rogue access point inside a US Air Force base, spoofing the guest network. Later cited in government testimony on insider Wi-Fi threats.

2024 UK CAA Heathrow advisory. The UK Civil Aviation Authority warned travelers after rogue networks at Heathrow mimicked the official "_Heathrow Wi-Fi" SSID.

Las Vegas hotel evil twins. Black Hat and DEFCON have run live demos against Strip hotel guest networks using Aircrack-ng and Wifiphisher. Tens of dollars of hardware, under an hour of setup.

DEFCON 2023 automated frameworks. A 2023 talk showed prebuilt frameworks combining SSID spoofing, captive-portal phishing, and credential harvesting. The barrier to entry is a download and a YouTube tutorial.

Microsoft Defender for Endpoint telemetry shows rogue Wi-Fi alerts triggering routinely inside enterprises, often from employee devices auto-rejoining an evil twin while traveling. The FBI issued PSAs against public Wi-Fi banking in 2020, 2022, and 2024, each naming evil twin attacks.

Why your phone makes this easy

iOS and Android auto-rejoin saved networks by SSID match. For open networks the match is just the name, with no password to verify. A phone that joined "Starbucks_WiFi" in Seattle six months ago will silently rejoin "Starbucks_WiFi" in Dubai today, no prompt. Current versions of iOS and Android no longer announce the names of saved networks in probe requests, so the attacker cannot simply read your list and impersonate it; instead they broadcast the handful of SSIDs everyone has saved, which is exactly why predictable names like Starbucks_WiFi are the problem. An attacker just needs to be in range with a louder antenna.
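The SSID is the only thing the phone checks, but it is not the only thing in the beacon. Below is an added example (not the article's code) that parses raw 802.11 beacon frames with the Python standard library and applies three heuristics a venue's network team could run from a monitor-mode capture: a BSSID outside the published allowlist, a vendor OUI that differs from the rest of the fleet, and the same SSID offered both open and WPA2. The frames are built in-script rather than captured, and the OUI values and the allowlist are assumptions.

```python
"""Evil-twin heuristics over raw 802.11 beacon frames.

Added example, not code from the original article. The frames below are
constructed in-script rather than captured; the vendor OUIs and the venue's
BSSID allowlist are assumptions standing in for what the venue's network team
would publish. In practice the frames come from a monitor-mode capture
(e.g. tcpdump -i wlan0mon type mgt subtype beacon -w beacons.pcap).
"""
import struct
from collections import defaultdict
from typing import Optional

MGMT_HDR = struct.Struct("<HH6s6s6sH")   # frame control, duration, addr1, addr2, addr3, seq
BEACON_FIXED = struct.Struct("<QHH")     # timestamp, beacon interval, capability
CAP_PRIVACY = 0x0010                     # capability bit: encryption in use
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48  # information element IDs


def parse_beacon(frame: bytes) -> Optional[dict]:
    """Pull SSID, BSSID, channel and security flags out of one beacon frame."""
    if len(frame) < MGMT_HDR.size + BEACON_FIXED.size:
        return None
    fc, _dur, _dst, _src, bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc & 0x00FC) != 0x0080:          # type 0 (management), subtype 8 (beacon)
        return None
    _ts, _interval, cap = BEACON_FIXED.unpack_from(frame, MGMT_HDR.size)
    ssid, channel, rsn = None, None, False
    off = MGMT_HDR.size + BEACON_FIXED.size
    while off + 2 <= len(frame):
        ie_id, ie_len = frame[off], frame[off + 1]
        body = frame[off + 2: off + 2 + ie_len]
        if len(body) < ie_len:           # truncated element: stop, keep what we have
            break
        if ie_id == IE_SSID:
            ssid = body.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAM and ie_len == 1:
            channel = body[0]
        elif ie_id == IE_RSN:
            rsn = True
        off += 2 + ie_len
    return {"bssid": bssid.hex(":"), "ssid": ssid, "channel": channel,
            "privacy": bool(cap & CAP_PRIVACY), "rsn": rsn}


def find_evil_twins(beacons, known_aps):
    """Group beacons by SSID and flag the patterns a rogue AP leaves behind.

    known_aps maps SSID -> set of BSSIDs the venue operates. Many BSSIDs per
    SSID is normal for a real venue; what is not normal is a BSSID outside the
    allowlist, a vendor OUI that differs from the venue's fleet, or the same
    name offered both with and without encryption.
    """
    by_ssid = defaultdict(dict)
    for b in beacons:
        if b and b["ssid"]:
            by_ssid[b["ssid"]][b["bssid"]] = b
    findings = defaultdict(list)
    for ssid, aps in by_ssid.items():
        trusted = known_aps.get(ssid)
        for bssid in sorted(aps):
            if trusted is not None and bssid not in trusted:
                findings[ssid].append(f"unknown BSSID {bssid}")
        if len({bssid[:8] for bssid in aps}) > 1:
            findings[ssid].append("mixed vendor OUIs")
        if len({(a["privacy"], a["rsn"]) for a in aps.values()}) > 1:
            findings[ssid].append("security mismatch across BSSIDs")
    return dict(findings)


def build_beacon(bssid: bytes, ssid: str, channel: int, wpa2: bool) -> bytes:
    """Construct a minimal beacon so the example runs without a capture."""
    hdr = MGMT_HDR.pack(0x0080, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = 0x0001 | (CAP_PRIVACY if wpa2 else 0)          # ESS + optional privacy
    fixed = BEACON_FIXED.pack(0, 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode() + bytes([IE_DS_PARAM, 1, channel])
    if wpa2:                                              # RSN: CCMP group/pairwise, PSK AKM
        rsn = bytes.fromhex("0100000fac040100000fac040100000fac020000")
        ies += bytes([IE_RSN, len(rsn)]) + rsn
    return hdr + fixed + ies


# Constructed capture: two venue APs (same vendor OUI, assumed) and a rogue on a
# USB adapter from another vendor. OUI values are illustrative, not looked up.
VENUE_OUI = bytes.fromhex("001a1e")
ROGUE_OUI = bytes.fromhex("00c0ca")
SAMPLE_FRAMES = [
    build_beacon(VENUE_OUI + b"\x00\x00\x01", "Airport_Free_WiFi", 1, False),
    build_beacon(VENUE_OUI + b"\x00\x00\x02", "Airport_Free_WiFi", 6, False),
    build_beacon(ROGUE_OUI + b"\x11\x22\x33", "Airport_Free_WiFi", 6, False),
    build_beacon(VENUE_OUI + b"\x00\x00\x03", "Airport_Staff", 11, True),
    build_beacon(ROGUE_OUI + b"\x11\x22\x34", "Airport_Staff", 11, False),  # open clone of a WPA2 net
]
KNOWN_APS = {"Airport_Free_WiFi": {"00:1a:1e:00:00:01", "00:1a:1e:00:00:02"}}

if __name__ == "__main__":
    for ssid, reasons in find_evil_twins([parse_beacon(f) for f in SAMPLE_FRAMES], KNOWN_APS).items():
        print(ssid, "->", "; ".join(reasons))
```

Many BSSIDs for one SSID is normal (every real venue runs dozens of APs), so the allowlist is the check that matters; the OUI and security-mismatch checks catch the careless attacker, since a MAC address takes one command to change. A phone shows none of this to the user, which is why the defenses below exist: the device will not make this comparison for you.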

The 4 defenses you should already have on

None of these are expensive. Most are free. Together they push the attack surface down to almost nothing.

  1. Disable auto-join for public networks. iOS: Settings > Wi-Fi, tap the info button next to the network, Auto-Join off. Android (labels vary by vendor): open the saved network's details and turn off "Auto-connect" or "Connect automatically". Do this for every saved airport, cafe, and hotel SSID.
  2. Always-on VPN. Mullvad ($5/month) or ProtonVPN (free tier) encrypt all traffic before it touches the local network. Apple's iCloud Private Relay covers Safari and unencrypted app traffic, not everything, so do not count it as a full VPN. Set the VPN to "always on" and, where the OS offers it (Android: "Block connections without VPN"), turn on the kill switch so nothing leaks while the tunnel reconnects.
  3. HTTPS-only mode in your browser. Chrome, Firefox, Safari, and Edge all offer "HTTPS-only" or "Always use secure connections". Turn it on. Your browser refuses plain HTTP, which kills SSL stripping. Captive portals are often served over plain HTTP, so sign in through the system's own captive-portal pop-up rather than switching the mode off.
  4. Forget the network after you leave. Before the flight, before checkout, before you walk out of the cafe, open Wi-Fi settings and "Forget This Network". Your phone will not auto-rejoin a spoofed version next month.

How to tell a real airport Wi-Fi from a fake

Real airport Wi-Fi has three properties that fakes usually miss.

  • A single official SSID published at the airport. Real airports print the name on gate signs and boarding-pass holders. If you see five variants like "Heathrow_Free" or "Heathrow_WiFi_2", treat them all as suspect.
  • The captive portal URL matches the airport's domain. Real Heathrow Wi-Fi sends you to a heathrow.com subdomain. A fake sends you to "airport-portal-login.com" or random nonsense.
  • Real portals ask for a boarding-pass code, terminal number, or email, not a social login. If "Sign in with Google" is the only option, close the page.
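The second check above can be applied mechanically. This added example (not the article's code) decides whether a captive-portal URL actually lands on the venue's domain, handling the lookalike tricks phishing kits use: the venue name stuck in front of another domain, a user@host prefix, a bare IP address, and punycode hosts. The sample URLs and the wifi.heathrow.com host are constructed; the venue domain is the article's own Heathrow example.

```python
"""Is this captive portal really on the venue's domain?

Added example, not code from the original article. It applies the rule that
the portal host must be the venue domain or a subdomain of it. The portal URLs
in the sample are made up, and the function knows nothing about certificates;
it only answers whether the name in the URL bar is the one you expected.
"""
import ipaddress
from urllib.parse import urlsplit


def classify_portal(url: str, venue_domain: str) -> str:
    """Return 'ok' when url's host is venue_domain or a subdomain of it,
    otherwise a short reason to treat the page as phishing."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "not an http(s) URL"
    if parts.username is not None:
        # http://heathrow.com@evil.example/ : the part before @ is userinfo, not the host
        return f"userinfo in URL (real host is {host})"
    try:
        ipaddress.ip_address(host)
        return "bare IP address, not the venue domain"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")   # show the Unicode lookalike
        except UnicodeError:
            shown = host
        return f"punycode host ({shown})"
    venue = venue_domain.lower().rstrip(".")
    host = host.rstrip(".")                               # urlsplit already lowercases
    if host == venue or host.endswith("." + venue):
        return "ok"
    if venue in host or venue.replace(".", "-") in host:
        return f"venue name embedded in another domain: {host}"
    return f"unrelated domain: {host}"


# Constructed examples; the venue domain is the article's own Heathrow example.
SAMPLE_URLS = [
    "https://wifi.heathrow.com/portal",
    "https://heathrow.com.airport-portal-login.com/login",
    "http://heathrow.com@10.0.0.1/",
    "http://10.0.0.1/login",
    "https://xn--80ak6aa92e.com/",
    "https://heathrow-com.net/wifi",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_portal(u, 'heathrow.com'):55} {u}")
```

The function is deliberately strict about subdomains: heathrow.com.airport-portal-login.com contains the venue name but does not end in .heathrow.com, which is the distinction the eye skips. It says nothing about the certificate; a lookalike domain can carry a perfectly valid one, so the domain check and the padlock are two separate questions.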

The personal hotspot rule

For anything sensitive (banking, work email, work VPN, password manager), skip public Wi-Fi and tether to your phone's cellular hotspot. The cellular link is encrypted between phone and tower, and, unlike open Wi-Fi, the network has to prove itself to the SIM as well as the other way round. Your hotspot does broadcast an SSID, but it is protected by a passphrase only you know, so there is nothing an evil twin can copy. The 200 megabytes you spend on a 30-minute work session is worth more than a credential leak. For international travel, an eSIM from Airalo or Holafly costs $5 to $20 a week.

Where browser security fits in

VPN and HTTPS-only mode handle the network layer. The browser layer is where the captive-portal phishing page lands. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans login forms against brand-impersonation patterns. If an evil twin portal spoofs a Google or Facebook sign-in, SafeBrowz flags it before you submit.

Frequently asked questions

If a Wi-Fi network has no password, is it always dangerous?

Always unauthenticated. A no-password network cannot prove the access point is real. Treat every open network as untrusted: VPN on, HTTPS-only on, auto-join off, forget the network when you leave.

Does a VPN protect me from an evil twin completely?

Mostly yes for traffic interception and DNS hijacking, provided the VPN carries DNS too (look for a "DNS leak protection" or "block connections outside VPN" setting). The gap is the captive-portal page, which loads before the VPN connects. Do not enter credentials there. If the tunnel refuses to come up on a network, do not carry on without it; a network that blocks your VPN is one to leave.

The Wi-Fi is asking me to sign in with Google. Is that normal?

Usually no. A legitimate captive portal asks for an email, room number, boarding-pass code, or a terms tap. Some offer a social login, but that must hand you to the real accounts.google.com or facebook.com in the address bar; a portal that draws its own Google or Facebook password box is a phishing page.

Could my phone reconnect to a fake hotel Wi-Fi in another city?

Yes. Phones auto-rejoin saved open networks by SSID name only. If you joined "Hilton_Honors" in Chicago and an attacker in Bangkok broadcasts the same name today, your phone rejoins silently. "Forget This Network" for every saved chain.

Is HTTPS enough by itself? My browser shows the padlock.

HTTPS only proves the server controls a certificate for the domain in the URL bar. An attacker can serve a phishing site with a valid certificate on a lookalike domain, issued for free in minutes. Read the URL bar carefully: the padlock says the connection is private, not that the site is the one you meant.

What is the single most important habit if I only do one thing?

Always-on VPN with the kill switch on. Mullvad or ProtonVPN on every device you travel with. Even if you join an evil twin by accident, your traffic stays encrypted.

Bottom line: Evil twin Wi-Fi costs $40 of hardware and 30 minutes to set up. Your phone auto-rejoins saved open networks by name alone, which makes it worse. The fix is cheap: always-on VPN, HTTPS-only browsing, auto-join off, and "forget this network" before you leave. For anything sensitive, tether to your phone's cellular hotspot. Add a browser-layer scanner like SafeBrowz and the captive-portal phishing page stops working too.