Most people think Wi-Fi is passive when you’re not connected.
It isn’t.
When Wi-Fi is enabled, your phone actively searches for networks it can join. That behavior isn’t a mistake or poor design, its necessary for usability and it creates a real, well-documented attack surface that makes evil twin attacks and network impersonation significantly easier, especially in public spaces.
This isn’t hypothetical. It’s how Wi-Fi has worked for years.
What Your Phone is actually doing
When Wi-Fi is turned on, your phone is constantly sending out a message saying
“Is this network here?”
This occurs for every network your phone has an inactive standing connection with. So WIFI networks you have connected to previously.
Historically, devices would ask for networks by name (SSID) often ones you had previously connected to.
That behavior is defined in the IEEE 802.11 standard and has been documented and analyzed extensively by security researchers and vendors.
Modern operating systems have improved this behavior, but it has not disappeared entirely, and the risk is not zero.
Why This Matters To You
Evil Twin Attacks Become Trivial
An evil twin is a rogue access point that pretends to be a legitimate Wi-Fi network.
If an attacker knows:
- What network names devices are looking for
- Or what common public SSIDs (NAME) exist
They can:
- Stand up a fake access point
- Match the SSID (NAME)
- Lure devices into connecting
Once connected, the attacker can:
- Observe traffic metadata
- Attempt credential capture on insecure connections
- Perform man-in-the-middle attacks
- Force downgrade or captive portal abuse
This attack class is so common it is explicitly covered in security guidance and wireless assessment methodologies.
If your phone remembers networks like:
- Hotel Wi-Fi
- Coffee shops
- Airports
- Conferences
- Corporate guest networks
An attacker doesn’t need to break encryption.
They just need to pretend to be that network. They simply say “Hey I am that network”
This risk is well known in wireless security and is one of the reasons modern OSes:
- Randomize MAC addresses
- Reduce directed probe behavior
- Restrict auto-join logic
Those mitigations help — but they are not absolute.
The Nitty Gritty
I won’t bore you with the technical details here but both Apple and Google have improved quite a bit with MAC randomization and smarter auto join logic etc but this still varies a lot by OS version, configuration, and Evil Twin attacks are still very feasible in 2025! This means turning off your WI-FI when not using it is the simplest and most effective solution! This reduces risk and isn’t paranoia. It’s no different than locking your screen when your done using your phone.
When is your risk the highest?
- Airports
- Hotels
- Conferences
- BASICALLY ANY PUBLIC LOCATION
IT’S SO SIMPLE!
This is how simple fixing this issue is. Follow these steps
- Turn WI-FI off when your not using it
- Remove old saved networks that you don’t use anymore.
- Don’t connect to public WI-FI unless you trust it.(You shouldn’t)
- Use cellular data unless you need WI-FI
