Evil Twin WiFi Alert

Your features list includes the ability to “Get alerted when new WiFi hardware appears nearby with your same network name, and also get alerted if your WiFi network suddenly loses its password.”, in the event of an evil twin WiFi detection.

But where is the info for what I can do with Glasswire to stop an evil twin WiFi compromise if I see this alert? Isn’t there any additional info that can be displayed with this alert?

Shortly after I got the alert, Glasswire says my computer had connected to a new access point with a new MAC address, that my Internet access changed, and my DNS service settings changed - in separate pop-up alert messages. I already have DNS settings changing all day long, so that part of the alert didn’t make things more clear.

I talked to ATT tech support a few hours later and after supposedly checking ‘stuff’ they said that they didn’t see a compromise. But I’m not sure if they (or their tech) would notice if my connection was being routed through an evil twin connection.

ATT tech did say that a device tried to change something with the router, but failed.

What can I do on my end to stop an evil twin with Glasswire - or anything else for that matter?

Thanks.

@Vinkern

Do you just have one router, or multiple?

If our organization had an Evil Twin Wifi alert I believe we would shut down our networks, delete the old network from our devices, then set up a new network and make the new network name hidden. Then we’d probably walk through our office to try to find the Evil Twin device and disable it.

After that we’d probably set up a security camera in the same area where the Evil Twin device was found.

This type of attack wouldn’t be something any type of software could solve easily on the client side.

As soon as my network gets a request to have the MAC address changed, I think I’d rather it refuse it or maybe even shut down for a specified amount of time. I guess that’s on the ISP?

This was on an ATT home network. I’ve changed the router name and pass, but read somewhere that making the name hidden doesn’t really hide or secure it all that much. Maybe that info was wrong? You still recommend doing that?

What would be really helpful is a way to prevent being kicked off my own network so I don’t log back on through the evil twin.

Maybe better - have an alert that provides me with a log of all the new internet connection data so I can contact my ISP and have them trace/track. If I could match an evil twin IP to another router’s IP near me, I’d be happy with that, too.

Even better, have something provide a GPS location for the IP. That may be asking too much, but sometimes asking questions gets some talented programmer’s brain cranking.

Aside from all that, a suggestion…since evil twin and RDP are fairly serious issues, is there a way to make the alerts for those situations more visibly apparent? Like in a bright red alert box or make them appear in a different corner/center of the screen or make the alert persist until the user clicks the button to close the alert? Not just a colored icon.

A lot of people could be missing these situations.

When I’m working on the computer and there’s a steady but sporadic stream of alerts throughout the day, there’s a tendency to tune at least some of them out after a while. Something like this deserves a different level of alert - maybe even a repeating sound, too. It SHOULD be annoying because so much is potentially at risk.

If someone is doing an Evil Twin attack it probably means they are making a network with your exact network name. Perhaps if you hid the network it will help with the issue, but perhaps a sophisticated attacker could still find a way to get the hidden network name…

If you’re not a company or government organization it’s unlikely you are a victim of an Evil Twin attack. Do you live in an apartment or something like that? Perhaps another person uses your ISP and they have the same router setup that used the same network name and credentials somehow?

If you have multiple routers to cover a large area then it can sometimes cause a false positive with the Evil Twin notification.

I have also seen a false positive if you have a router behind a router that’s misconfigured with NAT problems… Perhaps your modem is in router mode, but it should be in bridge mode because you are using a secondary router?

Those are things to consider. This is just a simple home scenario with a modem, router (built-in router firewall per ATT).

Thanks for your time and attention!

1 Like
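
Added example, not part of the thread and not GlassWire's code: a sketch of the check the quoted feature description implies (same network name on unfamiliar hardware, or the network losing its password), using an allowlist of your own access points so the multi-router false positive mentioned in the thread is not flagged. The network name, MAC addresses and scan entries are constructed, and the function and field names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str      # advertised network name
    bssid: str     # MAC address of the access point radio
    security: str  # "WPA2", "WPA3", "OPEN", ...

def check_scan(ssid, known_bssids, expected_security, scan):
    """Return (bssid, reason) findings for beacons that advertise `ssid`."""
    known = {b.lower() for b in known_bssids}  # MACs compare case-insensitively
    findings = []
    for beacon in scan:
        if beacon.ssid != ssid:
            continue  # someone else's network
        mac = beacon.bssid.lower()
        if mac not in known:
            findings.append((mac, "new_hardware"))
        if beacon.security != expected_security:
            findings.append((mac, "security_changed"))
    return findings

# Constructed scan results (hypothetical values, not from the thread).
SAMPLE_SCAN = [
    Beacon("HomeNet", "aa:bb:cc:00:00:01", "WPA2"),      # main router
    Beacon("HomeNet", "AA:BB:CC:00:00:02", "WPA2"),      # second router / extender
    Beacon("HomeNet", "02:00:00:00:00:99", "OPEN"),      # unfamiliar radio, no password
    Beacon("NeighborNet", "02:00:00:00:00:10", "WPA2"),  # unrelated network
]

if __name__ == "__main__":
    both = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]
    for mac, reason in check_scan("HomeNet", both, "WPA2", SAMPLE_SCAN):
        print(mac, reason)
```

Leaving the second router out of the allowlist makes it show up as `new_hardware`, which is the false positive described for setups with more than one router.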