Evil twin Wi-Fi detection: the hotspot that looks exactly real.
An evil twin is a fake Wi-Fi network that wears the real one's name. You connect to "Airport_Free_WiFi" or "Hotel-Guest" like you always do, except this time the access point is a laptop in someone's bag, sitting silently between you and the internet, reading everything that isn't independently encrypted. The attack is cheap, common, and invisible by design — your phone shows full bars and a familiar name. Helix watches the things the attack can't fully hide: open networks, a gateway whose hardware address suddenly changed, and DNS answers that don't add up. Here's how the trap works, how detection works, and exactly where the detection stops being certain.
1. What an evil twin actually is
Every Wi-Fi network broadcasts a name — its SSID — and for an open network that name is essentially all your phone has to decide "this is the network I trust." There is nothing stopping anyone from standing up a second access point that broadcasts the exact same name. That is an evil twin: a rogue access point impersonating a legitimate one, usually a popular public network like a café, hotel, airport, or conference Wi-Fi. A shared password changes little: on a venue network the password is printed on the menu or the room card, so the attacker configures the twin with the same one and your phone joins just as happily. When your device sees two access points advertising the same name, it generally picks whichever has the stronger signal — and an attacker sitting a few feet from you with a powerful radio can easily win that contest.
Once you join the twin, the attacker is your gateway to the internet. They forward your traffic onward so everything appears to work normally — pages load, email arrives, the connection feels fine — while every packet passes through their hands first. This is a textbook man-in-the-middle position. Anything sent in the clear is readable. Anything they can trick into downgrading or trusting a fake certificate is readable. And because the attacker controls your DNS and your gateway, they can redirect you to lookalike login pages, inject content, or simply harvest metadata about everywhere you go. The whole attack hinges on one fact: a Wi-Fi name proves nothing about who is actually running the network.
2. Why the fake is so convincing
The reason evil twins work is that there is no built-in trust anchor for an open Wi-Fi network. When you connect to your bank, your browser checks a certificate that proves the server is who it claims to be. When you connect to "Cafe_Guest" Wi-Fi, there is no equivalent check — your phone simply trusts the name. The one place Wi-Fi does have such a check is enterprise (802.1X/EAP) networks, where a correctly configured client validates the authentication server's certificate before sending anything; open and pre-shared-key networks have nothing comparable. So the attacker doesn't need to break any cryptography. They just need to:
- Clone the name. Copy the SSID of a network people already use without thinking — the more familiar and crowded the venue, the better.
- Win the signal. Sit closer than the real router, or use a stronger radio, so devices prefer the twin. Some attacks also send forged deauthentication frames to knock you off the real network so your phone re-joins the strongest option, which is theirs. Management-frame protection (802.11w) makes those forged frames ineffective where the real network supports it, but many public networks still don't.
- Look normal. Forward traffic so the connection works, sometimes even cloning the venue's captive-portal splash page so the experience feels identical.
From your seat, nothing looks wrong. The name is right, the bars are full, the internet works. That is precisely why a human cannot spot a good evil twin by eye — the only reliable tells are technical, and they live below the surface where the network actually negotiates its identity.
3. The signals that give it away
Detection comes down to noticing the things the attacker either can't fake or fakes imperfectly. Helix treats the network the way a security analyst would — not "is the name familiar?" but "does the network behave consistently with the real one?" Three categories of signal do most of the work, and the rest of this article walks through each. The key idea is that an evil twin has to insert itself into the plumbing, and inserting yourself leaves marks: a connection that is suddenly open instead of secured, a gateway whose hardware fingerprint changed, and a name-resolution system that is answering in ways the legitimate network wouldn't. None of these is proof on its own. Together, they are a strong heuristic — and a strong, honest heuristic that raises an alarm at the right moment is worth far more than a false sense of safety.
4. Open and unencrypted networks
The simplest and loudest signal is the easiest to ignore: the network is open — no password, no link-layer encryption. Open Wi-Fi means every frame between your device and the access point travels in the clear over the air, where anyone nearby with a cheap radio can capture it. An evil twin is very often an open network precisely because that's the path of least resistance for the attacker and the least friction for the victim — nobody has to be handed a password.
Helix flags open and unencrypted networks plainly, because the security posture you're actually on rarely matches the comfort of the name. "Hotel-Guest" feels safe; an open "Hotel-Guest" is a network where the local radio environment — including a rogue access point — can see and shape your traffic. The flag isn't a claim that every open network is malicious; plenty are simply badly configured. It's a prompt to treat the link as hostile: assume the air is being listened to, and rely on your own encrypted tunnel rather than the Wi-Fi's nonexistent one. A fail-closed VPN turns an untrustworthy open network into a sealed pipe, which is exactly the right response to a flag like this — the network can no longer read your traffic even if it wanted to.
5. Gateway MAC changes and ARP spoofing
This is the heart of evil-twin and man-in-the-middle detection, and it deserves a careful explanation. Every device on a local network has a hardware address — a MAC address — assigned by the manufacturer at the link layer, and, importantly, trivially set to any value in software. Your phone reaches the internet through the gateway: the router, identified on the local network by its MAC. To know which MAC belongs to the gateway, your device uses ARP, the address-resolution protocol, which essentially shouts "who has this IP?" and trusts whoever answers, caching that answer for every packet that follows.
ARP has no authentication. That is its original sin. An attacker on the same network can answer "I'm the gateway" — an ARP spoof — and your device will start sending its internet-bound traffic to the attacker instead of the real router. The visible symptom is that the gateway's MAC address changes: the same gateway IP that used to map to the router's hardware address now maps to a different one, the attacker's machine. Helix watches for exactly this — a gateway whose MAC fingerprint shifts when it shouldn't, or a network where the gateway's hardware identity doesn't line up with what's expected for that connection. A sudden gateway-MAC change on a network you've used before is one of the strongest single indicators that someone has slid into the middle.
The same mechanism underlies an evil twin even without a classic ARP spoof: when you join the twin, the "gateway" your device talks to is the attacker's access point, so its hardware address is simply not the one the real network presents. By tracking the gateway's MAC and treating an unexplained change as suspicious, Helix catches both the on-network ARP poisoner and the impersonating access point with the same logic. The comparison needs a reference point: a gateway MAC remembered from an earlier visit to that SSID. On a first visit there is nothing to compare against, and the only gateway-identity signal available is two different hardware addresses answering for the same gateway IP during the session. It's the network equivalent of noticing that the person who answered the door isn't the person who lives there — the name on the mailbox didn't change, but the face did.
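What a link-layer monitor actually sees, as an added example that is not Helix's code: the frames below are built and parsed in the standard Ethernet/ARP layout (Python's struct and ipaddress modules, no packet-capture library needed), and a small tracker records every time a different hardware address claims the gateway IP, whether in a reply to a real request, an unsolicited reply, or a gratuitous ARP. The addresses, the sample frame sequence, the tracker class and its event names are constructed for this example.

```python
"""Track which hardware address answers for the gateway IP (added example, not Helix code).

Builds and parses standard Ethernet/ARP frames so the detection logic runs offline;
the addresses, the sample stream and the event names are constructed for the example.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETH_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=BROADCAST):
    """Ethernet header (14 bytes) + ARP for IPv4 over Ethernet (28 bytes); op 1=request, 2=reply."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


@dataclass
class ArpMessage:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame):
    """Return the ARP message carried by an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpMessage(op, mac_str(frame[22:28]), str(ipaddress.IPv4Address(frame[28:32])),
                      mac_str(frame[32:38]), str(ipaddress.IPv4Address(frame[38:42])))


class GatewayTracker:
    """Remembers which MAC currently claims the gateway IP and records every change.

    `expected_mac` is the baseline remembered from an earlier visit to this SSID; without
    one the first answer is simply learned and only later changes become events.
    """

    def __init__(self, gateway_ip, expected_mac=None):
        self.gateway_ip = gateway_ip
        self.current = expected_mac.lower() if expected_mac else None
        self.events = []

    def feed(self, frame):
        msg = parse_arp(frame)
        if msg is None or msg.sender_ip != self.gateway_ip:
            return None
        # Requests and replies both carry a sender binding and hosts refresh their cache from
        # either; an unsolicited reply or a gratuitous ARP (sender IP == target IP) is the
        # usual way a spoofer overwrites the victim's entry.
        if msg.sender_ip == msg.target_ip:
            kind = "gratuitous"
        else:
            kind = {1: "request", 2: "reply"}.get(msg.op, "other")
        if self.current is None:
            event = ("learned", None, msg.sender_mac, kind)
        elif msg.sender_mac != self.current:
            event = ("changed", self.current, msg.sender_mac, kind)
        else:
            return None
        self.current = msg.sender_mac
        self.events.append(event)
        return event


# Constructed sample stream: the real router answers a request, an attacker sends an
# unsolicited reply claiming the same IP, then the router is heard again.
GATEWAY_IP = "10.0.0.1"
ROUTER_MAC, ATTACKER_MAC, VICTIM_MAC = "3c:84:6a:12:34:56", "00:c0:ca:aa:bb:cc", "a4:5e:60:00:11:22"
SAMPLE_FRAMES = [
    build_arp(2, ROUTER_MAC, GATEWAY_IP, VICTIM_MAC, "10.0.0.42", eth_dst=VICTIM_MAC),
    build_arp(2, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "10.0.0.42", eth_dst=VICTIM_MAC),
    build_arp(1, ROUTER_MAC, GATEWAY_IP, "00:00:00:00:00:00", "10.0.0.7"),
]


def run_sample(expected_mac=ROUTER_MAC):
    """Feed the sample stream to a tracker and return its events."""
    tracker = GatewayTracker(GATEWAY_IP, expected_mac)
    for frame in SAMPLE_FRAMES:
        tracker.feed(frame)
    return tracker.events


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

With the remembered baseline the sample produces two "changed" events (router to attacker, then back), which is the flapping an active poisoner causes; without a baseline the first answer is merely "learned", which is why a first visit to an SSID gives a weaker signal than a repeat visit.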
6. Unexpected DNS
DNS turns names into addresses — it's how "yourbank.com" becomes a number your phone can reach. Whoever controls your DNS controls where your requests actually go. An attacker in the middle almost always wants to control DNS, because it lets them quietly send you to lookalike servers, redirect login pages to harvesting sites, or simply log every domain you touch.
Helix watches for unexpected DNS: name resolution being handled by a server that isn't what the network handed out on earlier visits, public names that suddenly resolve to addresses on the local network, or resolution being silently redirected. A network that hijacks your DNS — pointing you at a resolver you didn't choose, or returning answers that steer you somewhere subtly wrong — is behaving the way a man-in-the-middle behaves, not the way an honest café router does. Combined with an open link and a changed gateway MAC, an unexpected DNS configuration moves the situation from "probably fine" to "treat this network as compromised until proven otherwise." On its own, an unusual resolver or a public name answered with a local address might just be an aggressive captive portal; alongside the other two signals, it's corroboration.
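How the three signals combine into one verdict, as an added example that is not Helix's code and goes slightly beyond the text by making the weighting explicit: an open link and odd DNS each count for little alone (a captive portal looks like that), a gateway identity problem counts for more than both together, and a gateway problem with any corroborating signal is treated as compromised. The observation model, the weights and thresholds, and every address and name below are assumptions made for the example; the list of gateway MACs is assumed to be supplied by an ARP monitor and the resolver and answer data by the DHCP lease and the stub resolver.

```python
"""Combine the three evil-twin signals into one verdict (added example, not Helix code).

The observation model, weights, thresholds and every address below are constructed for
the example; gateway MACs are assumed to come from a link-layer monitor watching ARP.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Observation:
    """One Wi-Fi association as a monitor could record it."""
    ssid: str
    security: str            # "open", "wpa2-psk", "wpa3-sae", "wpa2-eap"
    gateway_ip: str
    local_net: str           # the LAN prefix, e.g. "10.0.0.0/24"
    dns_servers: tuple       # resolvers handed out by DHCP, in order
    gateway_macs: list = field(default_factory=list)  # distinct MACs that answered for gateway_ip
    dns_answers: dict = field(default_factory=dict)   # public name -> list of answer IPs


@dataclass
class Baseline:
    """The same SSID as remembered from an earlier, trusted visit."""
    gateway_mac: str
    dns_servers: tuple


# Relative weights: a gateway identity problem is worth more than the other two together.
WEIGHTS = {"open_network": 1, "gateway_mac_conflict": 3, "gateway_mac_changed": 3,
           "unexpected_resolver": 1, "redirected_answer": 1}


def redirected_names(obs):
    """Public names whose answers point into the local LAN (a portal or a lookalike host)."""
    lan = ipaddress.ip_network(obs.local_net)
    return sorted(name for name, ips in obs.dns_answers.items()
                  if any(ipaddress.ip_address(ip) in lan for ip in ips))


def evaluate(obs, baseline=None):
    """Return (findings, score, verdict); baseline is None on the first visit to an SSID."""
    findings = []
    if obs.security == "open":
        findings.append(("open_network", "no link-layer encryption; anyone in radio range reads the air"))

    macs = [m.lower() for m in obs.gateway_macs]
    if len(macs) > 1:
        findings.append(("gateway_mac_conflict", f"{len(macs)} MACs answered for {obs.gateway_ip}: {macs}"))
    elif baseline is not None and macs and macs[0] != baseline.gateway_mac.lower():
        findings.append(("gateway_mac_changed", f"{baseline.gateway_mac} -> {macs[0]}"))
    # A twin that cloned the real router's MAC passes both checks above; that is the known limit.

    if baseline is not None and tuple(obs.dns_servers) != tuple(baseline.dns_servers):
        findings.append(("unexpected_resolver", f"{baseline.dns_servers} -> {tuple(obs.dns_servers)}"))
    redirected = redirected_names(obs)
    if redirected:
        findings.append(("redirected_answer", f"public names answered with LAN addresses: {redirected}"))

    score = sum(WEIGHTS[kind] for kind, _ in findings)
    if score == 0:
        verdict = "ok"
    elif score < 3:
        verdict = "untrusted"      # open link or odd DNS alone: could be an honest captive portal
    elif score == 3:
        verdict = "suspicious"     # a gateway identity problem standing alone
    else:
        verdict = "compromised"    # gateway problem corroborated by at least one more signal
    return findings, score, verdict


# Constructed baseline for a hotel SSID and a constructed observation of a twin wearing it.
HOTEL_BASELINE = Baseline(gateway_mac="3c:84:6a:12:34:56", dns_servers=("10.0.0.1",))
TWIN = Observation(
    ssid="Hotel-Guest", security="open", gateway_ip="10.0.0.1", local_net="10.0.0.0/24",
    dns_servers=("10.0.0.53",), gateway_macs=["00:c0:ca:aa:bb:cc"],
    dns_answers={"login.bank.example": ["10.0.0.53"], "mail.example": ["10.0.0.53"]},
)

if __name__ == "__main__":
    findings, score, verdict = evaluate(TWIN, HOTEL_BASELINE)
    for kind, detail in findings:
        print(f"{kind}: {detail}")
    print(f"score {score}: {verdict}")
```

The verdict ladder is what makes the heuristic honest: a captive portal (open link plus redirected answers, same gateway MAC) stays at "untrusted", an ARP poisoner on a password-protected network lands at "suspicious" on the gateway conflict alone, and a twin that cloned the router's MAC but hands out its own resolver only reaches "untrusted", which is exactly the blind spot the limits section describes and the reason to tunnel regardless of the score.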
7. The threat model
It helps to be precise about who this defends against and how they operate, because the right mental model leads to the right behavior. The evil-twin attacker is opportunistic and local. They are physically near you — in the same terminal, lobby, conference hall, or coffee shop — running a small, cheap rig that broadcasts a familiar name and forwards traffic. Their goals are some mix of: capturing credentials from anything that isn't properly encrypted, harvesting session tokens, redirecting you to phishing pages via DNS, and mapping who you are by watching where you go.
The attack scales beautifully for them because public Wi-Fi trains everyone to connect on autopilot. A busy airport gate might have dozens of people join a rogue "Free Airport WiFi" in an hour, each one handing the attacker a window into their traffic. The defense, therefore, isn't to memorize MAC addresses by hand — it's to have something watching the link layer continuously and to assume the network is hostile by default, encrypting your own traffic so that even a successful man-in-the-middle captures only ciphertext. Detection tells you when to be especially careful; encryption ensures that being on a bad network costs you less even when detection is uncertain. Pair the Wi-Fi heuristics with a fail-closed tunnel and the attacker's prize shrinks from "everything you do" to "the fact that you connected at all."
8. Who this is for
Rogue-Wi-Fi detection matters most to people who travel, who connect from places they don't control, and for whom a single intercepted session is a serious problem:
- Executives and dealmakers. Airport lounges, hotel lobbies and conference Wi-Fi are exactly where evil twins thrive, and exactly where you're most likely to be doing something sensitive on a borrowed network. A gateway-MAC alert is the cue to stop trusting the link.
- Lawyers and advisors. Privileged communication can't be allowed to cross a man-in-the-middle in the clear. Knowing the network is open, or that the gateway just changed identity, tells you to route everything through your own tunnel before you touch anything confidential.
- Journalists and the targeted. A capable adversary will absolutely stand up a twin to capture credentials or map contacts. Even a heuristic warning shifts the odds, and combined with encryption it denies the attacker the content they came for.
- Frequent travelers and the privacy-minded. If you connect to public Wi-Fi often, autopilot is the enemy. A tool that flags the open link, the changed gateway, and the suspicious DNS turns a blind habit into an informed choice.
9. How Helix does it
Helix folds rogue-Wi-Fi detection into the same suite as the rest of your protection rather than treating the network as an afterthought. It surfaces when a network is open or unencrypted, watches the gateway's MAC for unexplained changes that signal an ARP spoof or an impersonating access point, and flags DNS that's being handled or answered in ways the network shouldn't be. When the signals line up, you get a clear warning instead of a silent compromise.
Detection is only half the answer, which is why it sits next to the fail-closed VPN and the onion network. The honest design principle is that you should be able to use a hostile network safely, not just be told it's hostile. So the recommended posture is layered: detection tells you when a link is suspicious, the fail-closed tunnel ensures your traffic is sealed even on an open or man-in-the-middled network, and the onion routing breaks the metadata trail. Each layer covers a gap the others don't — because no single signal, and no single tunnel, does the whole job. The same philosophy runs through the device shield: detect what you can, encrypt around what you can't, and be honest about the seam between them.
10. The honest limits
Evil-twin detection is a heuristic, and the responsible thing is to say so plainly:
- A careful evil twin can clone the router's MAC. The gateway-MAC signal is strong but not absolute. A sophisticated attacker can copy the legitimate router's hardware address (and the access point's own BSSID) onto their rogue access point, so the gateway MAC doesn't change — defeating that particular check. The reverse also happens: a venue that replaces its router changes the gateway MAC legitimately, so the alert is a prompt to verify, not a verdict. This is why the detection combines multiple signals rather than relying on any one, and why encrypting your own traffic matters regardless of what detection says.
- Open networks aren't all malicious. Plenty of legitimate public Wi-Fi is open and badly configured. The flag means "treat this link as untrusted," not "this is definitely an attack." The correct response to either case is the same: tunnel your traffic.
- Unexpected DNS can be a captive portal. Hotel and airport portals routinely intercept DNS to push you to a login page. That can look like hijacking. The signal is most meaningful in combination, not alone.
- Detection is not protection. Knowing a network is hostile doesn't secure your traffic — encryption does. The warning is a prompt to rely on your own tunnel, not a substitute for it. And none of this defends a device that's already compromised; spyware on the phone reads your screen before any network is involved.
Within those limits, the goal is the one that actually helps: notice the open link, the changed gateway, and the wrong DNS early — and make sure your traffic is sealed whether or not the heuristic is certain.