Rogue Access Point Detection: Spotting Evil Twins and Fake WiFi
A rogue access point is any 802.11 radio broadcasting on your network without authorization. The term covers three different attacks — a helpful-employee rogue that plugs a personal router into the office LAN, an attacker impersonating a trusted SSID to harvest credentials (the classic evil twin), and a malicious open AP in a public space that intercepts your traffic. All three look identical from a distance and all three have specific signatures you can learn to spot. This guide covers home, coffee-shop, and small-business detection techniques, tool recommendations for each platform, and what to do when you find one.
The three types of rogue AP
1. Employee rogue
A staff member bridges a personal router into the office network for convenience. Often open or WPS-enabled, creating a backdoor into the corporate LAN.
2. Evil twin
Attacker broadcasts an SSID identical to a trusted one, with stronger signal to win the client auto-join race. Used for credential capture, MITM, and payload delivery.
3. Honeypot
Open SSID in a public space, named to look legitimate ("Starbucks_Free", "Airport_WiFi"). Victims connect, attacker captures HTTP, DNS, and anything not HTTPS.
Detection logic overlaps across the three, so the rest of this article walks through the signs any of them present.
Sign 1 — Duplicate SSIDs with different BSSIDs
Every access point broadcasts a BSSID (the MAC address of the radio) alongside the SSID (the human-readable name). A legitimate network has one BSSID per band per AP — a single home router might expose three BSSIDs for 2.4, 5, and 6 GHz, but those BSSIDs are predictable and the OUI (first three bytes) matches the vendor.
An evil twin reuses the SSID but must use a different BSSID because MAC collisions cause association failures. So the signature is: two APs broadcasting the same SSID, different BSSIDs, and often on the same channel to avoid roaming confusion.
To see this on Android, install a WiFi Analyzer app (Farproc's "WiFi Analyzer" is the classic, free of ads in the open-source fork on F-Droid). On iOS, Apple prevents apps from accessing BSSID in normal mode, which is annoyingly opaque — use AirPort Utility with WiFi scanning enabled under Settings. On Linux:
```bash
sudo iw dev wlan0 scan | grep -E "SSID|BSS|signal"
# or with nmcli:
nmcli -f SSID,BSSID,CHAN,SIGNAL,SECURITY dev wifi list
```
Two lines showing the same SSID but different BSSIDs is the first red flag, especially if one of the two has a noticeably stronger signal (attackers boost signal to win the auto-join race).
Sign 2 — MAC OUI does not match expected vendor
The first three bytes of a BSSID (the OUI, Organizationally Unique Identifier) identify the hardware vendor. A legitimate TP-Link router has an OUI in the TP-Link range; an ASUS router has an ASUS OUI. An attacker running hostapd on a Raspberry Pi has whatever OUI the USB WiFi card presents, which is rarely the same as the original network's AP.
```bash
# Look up an OUI on Linux (shipped with net-tools)
oui aa:bb:cc:dd:ee:ff
# or use an online database
curl https://api.macvendors.com/aa:bb:cc:dd:ee:ff
```
Your own home router OUI is a known constant. If a second BSSID on the same SSID has an OUI that matches "Realtek Semiconductor" or "Ralink Technology" (common on USB cards used by attackers), that is a strong signal. OUI spoofing is possible — an attacker can set any MAC they want — but most do not bother, and the lookup catches the lazy majority.
Sign 3 — Unexpectedly strong or unstable signal
Signal strength tells you roughly how far away an AP is. Your legitimate home router probably shows between -50 and -70 dBm from the couch. An evil twin planted in a car outside your apartment will also show in that range, but a rogue AP across the street or in a neighbour's flat will typically be weaker (-75 to -85 dBm) unless the attacker is using a high-gain antenna.
Signs of a rogue AP from signal alone:
- An SSID matching your home network but signal fluctuating wildly (attacker walking around).
- A duplicate SSID that appears only during certain hours (attacker active when target is home).
- A signal stronger than your own router when measured at a known distance.
A 30-second walk around your home with a WiFi analyzer open, watching signal strength and BSSID, reveals most co-located rogues. If you see the same SSID with a BSSID that does not come from your router, you have found one.
Sign 4 — Encryption mismatch or open SSID
Your network is WPA2 or WPA3. If you see a network broadcasting the same SSID but with encryption set to "Open" or "WEP", you are looking at an evil twin trying to trick devices into fallback behavior. Some attackers use the same encryption type to avoid this tell, but open-SSID mimicry is surprisingly common in the wild.
Related: an SSID that should be your network's WPA2 shows "WPA2 Enterprise" (802.1X) or vice versa. A mismatch in the advertised AKM suite is a dead giveaway of an impostor. Linux scan output shows this in the RSN IE:
```bash
# the RSN IE sits well below the SSID line in iw output, so keep enough context lines
sudo iw dev wlan0 scan | grep -A 40 "SSID: MyHomeWiFi"
# look for:
#   RSN:     Version: 1
#     Group cipher: CCMP
#     Pairwise ciphers: CCMP
#     Authentication suites: PSK      <-- your real network
#     Authentication suites: SAE      <-- WPA3, expected if you set that
#     Authentication suites: 802.1X   <-- RED FLAG if not yours
```
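The checks from Signs 1, 2 and 4 folded into one script, as an added example that is not part of the original article: it parses terse-mode `nmcli` output (a constructed sample), looks up the OUI in a toy vendor table standing in for the IEEE list, and flags any BSS on your SSID whose vendor, security mode or BSSID count does not match what your router should present. The SSID, the BSSIDs and the vendor assignments are all assumptions.

```python
import re

# Constructed sample in the shape of `nmcli -t -f SSID,BSSID,CHAN,SIGNAL,SECURITY dev wifi list`.
# In terse mode nmcli escapes the colons inside the BSSID as "\:"; the third line is an
# open AP on our SSID with a Realtek OUI (every BSSID here is made up).
SAMPLE_SCAN = r"""MyHomeWiFi:A4\:2B\:8C\:11\:22\:33:6:72:WPA2
MyHomeWiFi:A4\:2B\:8C\:11\:22\:34:36:65:WPA2
MyHomeWiFi:00\:E0\:4C\:AA\:BB\:CC:6:88:
Neighbour5G:3C\:37\:86\:00\:11\:22:44:41:WPA2 WPA3
"""

# Toy OUI table standing in for the IEEE OUI list (hypothetical vendor assignments).
KNOWN_OUI = {"A4:2B:8C": "TP-Link", "3C:37:86": "Netgear", "00:E0:4C": "Realtek Semiconductor"}
USB_CARD_VENDORS = {"Realtek Semiconductor", "Ralink Technology"}


def parse_nmcli_terse(text):
    """Split terse nmcli lines on unescaped colons and unescape the BSSID."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, chan, signal, security = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        rows.append({"ssid": ssid, "bssid": bssid.upper(), "chan": int(chan),
                     "signal": int(signal), "security": security or "Open"})
    return rows


def vendor(bssid):
    return KNOWN_OUI.get(bssid[:8], "unknown")


def flag_rogues(rows, my_ssid, my_vendor, expected_security, expected_bands):
    """Return {bssid: [reasons]} for every BSS on my_ssid showing a rogue signature:
    Sign 1 (more BSSIDs than the router has bands; the strongest one is the suspect),
    Sign 2 (OUI vendor mismatch), Sign 4 (advertised security mismatch)."""
    mine = [r for r in rows if r["ssid"] == my_ssid]
    strongest = max((r["signal"] for r in mine), default=None)
    findings = {}
    for r in mine:
        reasons = []
        v = vendor(r["bssid"])
        if v != my_vendor:
            hint = " (common USB card)" if v in USB_CARD_VENDORS else ""
            reasons.append(f"OUI vendor {v!r} != {my_vendor!r}{hint}")
        if r["security"] != expected_security:
            reasons.append(f"security {r['security']!r} != {expected_security!r}")
        if len(mine) > expected_bands and r["signal"] == strongest:
            reasons.append(f"{len(mine)} BSSIDs on SSID, router has {expected_bands}; this one is strongest")
        if reasons:
            findings[r["bssid"]] = reasons
    return findings
```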
Sign 5 — Captive portal asking for unusual credentials
Honeypots in public spaces commonly use a captive portal to harvest credentials. Red flags:
- Portal asks for an email/password combination for a common service (Google, Facebook, Microsoft). Legitimate public WiFi does not.
- Portal asks for a credit card to "verify identity" — actual paid WiFi takes payment through known providers, not a one-off portal.
- Portal is served over plain HTTP or has a self-signed TLS cert. Real paid WiFi uses a valid cert.
- Portal URL is a suspicious domain (free-wifi-verify.tk) rather than the business's own domain.
- Portal pops up for an SSID you did not intentionally join — your phone auto-joined a rogue.
When you see one of these in the wild: close the browser, forget the network on your device, and walk away. Do not enter credentials. If the network was supposed to be open with no portal at all (airport, hotel, coffee shop), the unexpected portal itself is the red flag.
Tools: what to run where
| Platform | Tool | Best for |
|---|---|---|
| Android | WiFi Analyzer (F-Droid fork) | Quick SSID/BSSID/signal sweep |
| iOS | AirPort Utility (with WiFi scan) | Limited but better than nothing |
| macOS | Wireless Diagnostics (built-in) / NetSpot | Channel map, signal heat map |
| Windows | Acrylic WiFi Home / inSSIDer | Full AP table with history |
| Linux CLI | iw dev scan / nmcli / Kismet | Scriptable, deep analysis |
| Enterprise | Kismet / Aruba WIPS / UniFi WIDS | Continuous monitoring, alerts |
Kismet deserves extra mention: it is a passive Linux sniffer that logs every AP, every client, every association over time, and produces reports of "newly seen" BSSIDs. For a small business with a monitoring box, this is the canonical rogue-AP detector. Free, open source, and battle-tested since 2002.
Business-grade wireless IDS
Consumer tools give you a snapshot. A wireless intrusion detection system (WIDS) or wireless intrusion prevention system (WIPS) gives you continuous monitoring:
- Ubiquiti UniFi WIDS. Included free on UniFi controllers. Scans adjacent channels, flags unknown BSSIDs, rogue SSIDs, deauth floods. Sufficient for small offices.
- Aruba WIPS. Enterprise-grade, classifies APs as "authorized", "rogue", "neighbor", "unknown" automatically. Can contain rogue APs by sending deauth frames (check local law).
- Cisco WIPS (Meraki Air Marshal, Catalyst WIPS). Integrated into Meraki dashboard and Catalyst controllers. Similar feature set.
- Roll-your-own Kismet. A Raspberry Pi 4 with two USB WiFi cards running Kismet 24 hours a day, logging to a central syslog. Under 100 USD of hardware, everything open source.
All of these depend on first establishing a baseline of "authorized" BSSIDs; they alert on anything outside that set. The false-positive rate in dense urban environments (apartment buildings, co-working spaces) is high because every neighbour's router looks like a rogue at first; proper tuning means whitelisting genuine neighbour networks and alerting only on unknown BSSIDs that broadcast your SSID.
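As an added example of the baseline approach just described (not code from any of the WIDS products named above), a small Python monitor that holds the authorized BSSID set and a neighbour whitelist, raises a Kismet-style "newly seen" alert only for unknown BSSIDs on your own SSID, parks unknown BSSIDs on other SSIDs for review, and adds the Sign 3 signal-swing check. The BSSIDs and the scan log are constructed.

```python
from collections import defaultdict
from datetime import datetime

class RogueMonitor:
    """Baseline alerting: only unknown BSSIDs broadcasting one of our own SSIDs alert.
    Unknown BSSIDs on foreign SSIDs are parked as neighbour candidates for whitelisting."""

    def __init__(self, authorized, own_ssids, neighbour_whitelist=()):
        self.authorized = {b.upper() for b in authorized}
        self.own_ssids = set(own_ssids)
        self.neighbours = {b.upper() for b in neighbour_whitelist}
        self.first_seen = {}               # bssid -> first timestamp ("newly seen" report)
        self.signals = defaultdict(list)   # bssid -> signal samples in dBm
        self.candidates = {}               # unknown bssid on a foreign SSID -> that SSID
        self.unstable_reported = set()

    def observe(self, ts, ssid, bssid, signal_dbm):
        """Feed one scan result; return an alert string or None."""
        bssid = bssid.upper()
        is_new = bssid not in self.first_seen
        self.first_seen.setdefault(bssid, ts)
        self.signals[bssid].append(signal_dbm)
        if bssid in self.authorized or bssid in self.neighbours:
            return None
        if ssid not in self.own_ssids:
            self.candidates[bssid] = ssid  # neighbour noise: review, then whitelist
            return None
        if is_new:
            return f"{ts.isoformat()} NEW BSSID {bssid} on our SSID {ssid!r} at {signal_dbm} dBm"
        # Sign 3: a rogue whose signal swings by 20 dB or more is probably being carried around.
        spread = max(self.signals[bssid]) - min(self.signals[bssid])
        if spread >= 20 and bssid not in self.unstable_reported:
            self.unstable_reported.add(bssid)
            return f"{ts.isoformat()} UNSTABLE {bssid} on {ssid!r}: signal spread {spread} dB"
        return None

# Constructed scan log: (timestamp, SSID, BSSID, signal dBm); every BSSID here is made up.
SIGHTINGS = [
    ("2024-05-01T18:00", "MyHomeWiFi", "A4:2B:8C:11:22:33", -55),
    ("2024-05-01T18:00", "Neighbour5G", "3C:37:86:00:11:22", -78),
    ("2024-05-01T18:00", "FlatBelow", "B0:BE:76:00:00:01", -82),   # unknown, not our SSID
    ("2024-05-01T18:05", "MyHomeWiFi", "00:E0:4C:AA:BB:CC", -48),  # unknown, on our SSID
    ("2024-05-01T18:10", "MyHomeWiFi", "00:E0:4C:AA:BB:CC", -71),
]

def run(sightings, monitor):
    """Replay a scan log through the monitor and return the alerts it raised."""
    results = (monitor.observe(datetime.fromisoformat(ts), ssid, bssid, sig) for ts, ssid, bssid, sig in sightings)
    return [alert for alert in results if alert]
```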
Home-user protection steps
1. Turn off 'Auto-join' for public networks. Auto-join is how evil twins win — your phone joins the rogue silently. Manual join each time.
2. Use a VPN on every untrusted network. Even if you join a rogue, the attacker sees only encrypted VPN traffic, not your session data.
3. Disable 'Ask to Join Networks' prompts for known SSIDs. If your phone is already paired with an SSID, it should not prompt; attackers exploit this prompt to lure you onto their clone.
4. Verify BSSID before joining sensitive networks. A small business WiFi should publish its BSSID on a sign at the counter. Check.
5. Run a quarterly WiFi Analyzer scan of your home. Two minutes. You know your BSSIDs; anything else on your SSID is a rogue.
6. Disable WPS on your router. WPS is often the way rogues get admitted to a network once planted physically nearby.
What to do when you find a rogue
Different actions for different contexts:
- In your home. Tell any housemates first (somebody may have plugged in a travel router). If not, walk the apartment with a WiFi analyzer to locate it by signal strength, unplug it. If the BSSID persists when you unplug everything you own, the attacker is outside — escalate to building management and, if credentials were potentially captured, change them and consider law enforcement.
- At the office. Do not unplug on sight — IT needs the forensics. Alert security, preserve the device for inspection, document BSSID/channel/signal at first detection.
- In public. You cannot do much beyond not joining. Consider informing the business if the rogue is using their SSID; they may want to file a complaint. Do not attempt deauth or containment — in most jurisdictions that is itself illegal.
Active containment (sending deauth frames at a rogue to kick clients off it) is a feature in most enterprise WIDS products. The FCC has fined hotels for deploying it against guest hotspots. In the US, treat active containment as something your corporate security team's lawyer needs to sign off on.
Frequently asked questions
Can I tell which BSSID my phone is connected to?
Android shows it in WiFi advanced settings. iOS hides it. On macOS, Option-click the WiFi icon in the menu bar to see the current BSSID. On Linux, run iw dev wlan0 link.
Do attackers really run evil twins or is this theoretical?
It is a routine attack at conferences (DEF CON has had documented rogue AP swarms since 2010), at airports (FBI has published warnings), and at corporate events. For random home users it is rarer but non-zero.
My phone shows an old SSID from a cafe I visited a year ago — is that a rogue?
Not necessarily. Phones remember SSIDs you connected to. If the cafe is out of range, the entry is just cached. It is a rogue concern only if the SSID appears nearby when the real cafe is not present — which is why auto-join should be disabled.
Can WPA3 prevent evil twins?
Partially. WPA3-Personal with SAE binds a client to a specific AP public key, which makes a naive evil twin fail authentication. But many WPA3 deployments run transition mode, which falls back to WPA2 and evil twins can exploit that fallback.
Should I report rogue APs to the FCC?
In the US, yes, if you are a victim of an impersonation attack. The FCC prosecutes RF fraud. Realistically they will act on a pattern of reports, not a single incident. Document and report anyway.
Quick self-check
Open a WiFi analyzer app right now. Find your home SSID in the list. Count the BSSIDs that come with it. If the count matches your router's advertised bands (typically 2 or 3), you are clean. If there is an extra BSSID you cannot account for, investigate.
Related reading
- Protocol background: WPA3 vs WPA2.
- Harden your own network: secure home WiFi guide.
- How attackers capture handshakes in the first place: aircrack-ng tutorial.
Recap
- Three rogue types: employee, evil twin, honeypot. Detection overlaps.
- Duplicate SSID + different BSSID = strongest indicator.
- OUI lookup catches lazy attackers; signal strength catches located ones.
- WiFi Analyzer, Kismet, WIDS depending on scale.
- Disable auto-join, use a VPN on untrusted networks.
Every 802.11 radio broadcasts its identity. You just have to look.