So you’re sitting in your local café, laptop open, and you connect to the free Wi-Fi. No password. No fuss. Job done. But underneath that seamless experience, someone — maybe someone like you — could historically be passively sniffing every single unencrypted byte you’re sending over the air.

That’s now changed. Or has it?

What Is OWE?

Opportunistic Wireless Encryption (OWE) — defined in RFC 8110 and 802.11 — provides unauthenticated encryption for open networks. When your device connects to an OWE-enabled AP, a Diffie-Hellman exchange happens during the association process. Both sides derive a shared key. Traffic is encrypted with that key. No password required.

From a passive sniffing perspective, this is a real improvement. A person on the same network with a monitor-mode adapter can no longer capture your traffic in cleartext.

The Rogue AP Problem Hasn’t Gone Away

Here’s the thing: OWE solves passive sniffing. It does nothing to solve active attacks.

When your device connects to a rogue AP, the same DH exchange happens — but now it’s with the attacker’s hardware. Your device derives a perfectly valid session key with the attacker. Traffic is encrypted, yes — and the attacker can read every byte of it before forwarding it upstream.

The reason this still works is that OWE is unauthenticated encryption. There’s no way to verify you’re talking to the legitimate AP rather than an impostor. 802.11 management frames that advertise the SSID are still unprotected (unless Management Frame Protection is enforced, and most open networks don’t enforce it).

What the Attack Looks Like

# Bring up a monitor interface
airmon-ng start wlan0

# Scan for the target SSID
airodump-ng wlan0mon --essid "CafeWifi"

# Note: tooling for OWE transitions is evolving
# hostapd with OWE support can serve as an evil twin
# Clients will associate, derive session keys with your AP, and begin sending traffic

The tooling around OWE evil twins is less mature than WPA2 equivalents, but the fundamental attack path is identical.

Transition Mode Makes It Worse

Many deployments use OWE Transition Mode, where the AP broadcasts two BSSIDs: one open (for legacy clients) and one OWE. The open network’s beacon contains a hidden IE pointing to the OWE BSSID. Clients that support OWE should silently upgrade.

The downgrade attack here is straightforward: broadcast a louder open network with the same SSID and no OWE transition IE. Legacy clients connect in cleartext. OWE clients may or may not fall back depending on their implementation.
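As an added example (not from the original post) of how a defender could spot the downgrade signature just described from captured beacons: a small Python parser for the SSID, RSN and Wi-Fi Alliance OWE Transition Mode elements, run over constructed beacon payloads. It assumes the transition element is vendor-specific element 221 with OUI 50-6F-9A, OUI type 0x1C, then the peer BSSID and SSID; the BSSIDs and the SSID in the samples are made up.

```python
import struct

OWE_TRANSITION_HDR = b"\x50\x6f\x9a\x1c"   # WFA OUI 50-6F-9A + OUI type 0x1C (OWE Transition Mode)
OWE_AKM = b"\x00\x0f\xac\x12"              # RSN AKM selector 00-0F-AC:18 = OWE

def parse_ies(body):
    """Yield (element_id, data) from a run of 802.11 information elements."""
    i = 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        yield eid, body[i + 2:i + 2 + ln]
        i += 2 + ln

def rsn_akms(rsn):
    """Return the AKM suite selectors listed in an RSN element body."""
    pos = 2 + 4                                                  # version + group cipher
    (n,) = struct.unpack_from("<H", rsn, pos); pos += 2 + 4 * n  # skip pairwise suite list
    (n,) = struct.unpack_from("<H", rsn, pos); pos += 2
    return [rsn[pos + 4 * k:pos + 4 * k + 4] for k in range(n)]

def summarize(bssid, body):
    """Reduce one beacon's tagged parameters to the facts the check needs."""
    info = {"bssid": bssid, "ssid": "", "owe": False, "transition_to": None}
    for eid, data in parse_ies(body):
        if eid == 0:                                             # SSID element
            info["ssid"] = data.decode(errors="replace")
        elif eid == 48:                                          # RSN element
            info["owe"] = OWE_AKM in rsn_akms(data)
        elif eid == 221 and data.startswith(OWE_TRANSITION_HDR): # transition element: peer BSSID, SSID
            info["transition_to"] = ":".join(f"{b:02x}" for b in data[4:10])
    return info

def find_downgrade_candidates(beacons):
    """Flag open beacons reusing an SSID that another open BSSID pairs with a transition element."""
    protected = {b["ssid"] for b in beacons if b["transition_to"] and b["ssid"]}
    return sorted((b["ssid"], b["bssid"]) for b in beacons
                  if b["ssid"] in protected and not b["owe"] and b["transition_to"] is None)

def ie(eid, data): return bytes([eid, len(data)]) + data

# Constructed sample beacons (tagged parameters only, no MAC header), not real captures.
SSID = b"CafeWifi"
OPEN_MAC, OWE_MAC = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
transition = lambda peer: ie(221, OWE_TRANSITION_HDR + peer + bytes([len(SSID)]) + SSID)
rsn_owe = b"\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00" + OWE_AKM + b"\xc0\x00"  # CCMP, OWE, MFPC|MFPR
SAMPLE_BEACONS = [
    summarize("02:aa:bb:cc:dd:01", ie(0, SSID) + transition(OWE_MAC)),                        # legit open BSS
    summarize("02:aa:bb:cc:dd:02", ie(0, b"") + ie(48, rsn_owe) + transition(OPEN_MAC)),      # legit OWE BSS, hidden SSID
    summarize("66:77:88:99:aa:bb", ie(0, SSID)),                                              # same SSID, open, no element
]
print(find_downgrade_candidates(SAMPLE_BEACONS))   # [('CafeWifi', '66:77:88:99:aa:bb')]
```

This only catches the "same SSID, no transition element" signature described above, so treat a hit as one signal to correlate with BSSID, vendor and signal-strength anomalies rather than proof of a rogue.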

Takeaways

  • OWE is a genuine improvement against passive sniffing on open networks
  • Rogue AP / evil twin attacks are unaffected — and OWE doesn’t make them harder
  • Transition mode creates an exploitable downgrade path
  • Until 802.11 management frames are universally protected and APs are authenticated, the attack surface on open networks remains significant

If you want to learn how to build and weaponise rogue access points properly, check out the WiFi Attacks Specialist training.