Fake in-flight Wi‑Fi 'evil twin' scams rise as travelers depend on onboard internet
Australian authorities arrested a passenger for operating a rogue hotspot that mimicked an airline's Wi‑Fi, illustrating the risks as in-flight connectivity expands.

An Australian man was arrested earlier this year on charges related to running a portable Wi‑Fi hotspot aboard a flight and at an airport, authorities said. The setup was designed to mimic the airline’s official Wi‑Fi service, a tactic cybersecurity researchers describe as an 'evil twin.' The case underscores a growing risk as in‑flight connectivity becomes more common and travelers increasingly rely on onboard internet for entertainment and communication.
An evil twin hotspot duplicates a legitimate network’s name, or SSID, so devices connect to it automatically, often choosing the strongest signal. In the Australian case, investigators say the rogue device broadcast the airline’s SSID aboard a plane and at the airport, luring passengers to a counterfeit login page. The page requested personal details—email addresses, passwords, and even social‑media credentials—under the guise of enabling access to the airline’s entertainment portal. Once stolen, the information could be used to take over accounts, commit identity theft, or facilitate further intrusions.
Travelers face a perfect storm for these attacks: in hotels, airports, cruise ships and airplanes, options for internet access are limited, and mobile data can be patchy or expensive. Many travel providers have shifted entertainment and services to apps and portals on personal devices, meaning passengers routinely log in to networks branded with familiar names. That setup makes it easier for attackers to exploit trust in well‑known brands and to lure victims into entering credentials on fraudulent pages, especially when the login prompts appear to offer access to a paid entertainment system or messaging service.
On a flight, the stakes rise. If passengers connect to an evil twin and submit credentials, attackers can access a range of accounts or hijack sessions. The case illustrates how quickly a single rogue hotspot can disrupt a traveler’s ability to stream, browse or communicate during the hours of a flight or layover in which they depend on onboard Wi‑Fi. As airlines expand in‑flight offerings, the number of logins and credentials flowing through that network also grows, creating a larger attack surface for determined criminals.
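
The duplicated-SSID behaviour described above can be looked for in a Wi‑Fi scan. The following is an added example, not part of the original article: it groups constructed scan results by SSID and flags access points whose security level or vendor prefix is inconsistent with the others advertising the same name. The network names, addresses and the `find_suspects` helper are assumptions for illustration, and the checks are heuristics: a rogue device that also copies the BSSID and security settings will pass them.

```python
from collections import Counter, defaultdict

# Constructed scan results: (SSID, BSSID, security, signal in dBm). Not real data.
SCAN = [
    ("ExampleAir-WiFi", "00:11:22:aa:bb:01", "open", -62),
    ("ExampleAir-WiFi", "00:11:22:aa:bb:02", "open", -70),
    ("ExampleAir-WiFi", "de:ad:be:ef:00:01", "open", -38),
    ("Lounge-Guest", "00:33:44:10:20:30", "wpa2", -55),
    ("Lounge-Guest", "00:33:44:10:20:31", "open", -50),
    ("CafeNet", "00:55:66:01:02:03", "wpa2", -60),
]

RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}

def find_suspects(scan):
    """Return (ssid, bssid, rssi, reasons) for APs that look out of place."""
    by_ssid = defaultdict(list)
    for ssid, bssid, sec, rssi in scan:
        by_ssid[ssid].append((bssid.lower(), sec.lower(), rssi))
    suspects = []
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue  # one AP per name: nothing to compare against
        best = max(RANK[sec] for _, sec, _ in aps)
        top_oui, top_n = Counter(b[:8] for b, _, _ in aps).most_common(1)[0]
        loudest = max(rssi for _, _, rssi in aps)
        for bssid, sec, rssi in aps:
            reasons = []
            if RANK[sec] < best:
                reasons.append("weaker security than sibling APs")
            if top_n > len(aps) / 2 and bssid[:8] != top_oui:
                reasons.append("vendor prefix differs from majority")
            if reasons and rssi == loudest:
                reasons.append("strongest signal, so clients prefer it")
            if reasons:
                suspects.append((ssid, bssid, rssi, reasons))
    return suspects

if __name__ == "__main__":
    for ssid, bssid, rssi, reasons in find_suspects(SCAN):
        print(f"{ssid} {bssid} ({rssi} dBm): " + "; ".join(reasons))
```
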

Defenses are available, though none are perfect. A virtual private network, or VPN, can help by creating an encrypted tunnel between a device and the internet, making data harder to intercept even if connected to a rogue hotspot. A VPN does not, however, protect credentials that a traveler types into a counterfeit login page. Some in‑flight systems require disabling a VPN to access the onboard portal; travelers should re‑enable their VPN once connected. In addition, experts advise installing antivirus software, enabling two‑factor authentication where possible, turning off automatic Wi‑Fi connections so devices don’t automatically reconnect to a rogue signal, using HTTPS everywhere, limiting logins to non‑sensitive sites while in flight, keeping devices updated with the latest patches, using airplane mode with Wi‑Fi enabled when available, watching for suspicious pop‑ups and links, and logging out of portals when the session ends.
With in‑flight connectivity expanding, the risk from evil twin attacks is unlikely to disappear. Travelers should treat onboard networks as untrusted and follow best practices until they are back on a trusted, secure connection. If uncertain, the safest choice may be to stay offline for the duration of the flight.
