Connecting to a public WiFi network without taking the necessary precautions risks giving attackers access to your browsing activity, account details, and much more. Find out how to stay safe with these 4 essential security tips.
Public WiFi has changed the way we work, the way we travel, and even how we communicate. With a growing global network of over 350 million hotspots, free public WiFi has become a necessary tool for millions of internet users every day.
Companies often overstate the risks of public WiFi in order to generate clicks and sell security products. In truth, public WiFi is not as dangerous as it’s made out to be. Thanks to the rise of HTTPS, you’ll be safer on an open network than ever before.
But public WiFi isn’t risk-free. When you access an unsecure network without taking the necessary precautions, you still risk giving an attacker access to your:
Sensitive personal data
Account details & passwords
Email conversations & messages
All of this information can be exposed if you don’t take measures to change your browsing behavior or protect your connection. According to a report by Norton, 87% of consumers have put their data in danger when using a public WiFi network.
Whether you’re connected to a real public WiFi network or a fake hotspot, using a public network gives hackers more room to intercept and collect your data.
Think of your internet traffic like a conversation: just as in real life, talking in public is far more susceptible to eavesdropping than talking in private.
We won’t exaggerate the potential dangers or tell you never to use public WiFi.
Instead, we’ll give you an honest run-down of the risks of using public WiFi networks.
We’ll cover the real privacy and security issues and explain four simple steps to reduce your chances of getting hacked or having your data stolen.
What is Public WiFi?
Public WiFi is a point of free wireless internet connection available to anyone in a certain area. Public networks will usually have an easily available password or no password at all — which means anybody can connect to them.
Free WiFi hotspots are usually found in busy public places like shops, restaurants, airports, and hotels. Most users now expect to find a free network almost everywhere they go — something cybercriminals use to their advantage.
Is Public WiFi Safe?
The dangers of public WiFi are often exaggerated in an attempt to sell security products. The truth is, thanks to the rise of HTTPS, public WiFi networks have never been safer.
A public Wi-Fi network is still inherently less secure than a personal, private network because you don’t know who set it up or who else is connecting to it.
According to a recent Bloomberg investigation, cybercriminals are even checking into hotels just to collect the valuable network data:
“the leader had used his phone’s hotspot to create a new Wi-Fi network, naming it after the hotel. Within minutes, six devices had joined his spoofed network, exposing their internet activity to the hackers.”
If a network has no password, all of the HTTP traffic flowing to and from that hotspot is unencrypted. That means all of the data sent from your computer is being transmitted as plain text.
Connecting to an unprotected public WiFi network leaves you vulnerable to:
Man-in-the-Middle (MitM) attacks
The best way to avoid these dangers is to understand them. In the next section, we’ll cover the five most common risks of public WiFi.
Many VPN companies will try to convince you that public WiFi networks are always dangerous. Thanks to something called HTTPS, this isn’t exactly true.
HTTPS stands for Hypertext Transfer Protocol Secure. It is an encrypted extension of the HTTP protocol, a basic internet standard that allows web pages to be requested and loaded.
On top of the basic functions of HTTP, HTTPS is designed to protect the privacy and security of data in transit.
HTTPS provides encryption via TLS (Transport Layer Security), which secures the connection between a client (e.g. a web browser) and a server (e.g. example.org). This means any connection to an HTTPS website is encrypted, authenticated, and regularly checked for integrity.
HTTPS makes it much harder for an attacker to intercept communications between your browser and the website you are visiting because the data is no longer in plain text.
To check if the website you’re visiting is encrypted with HTTPS, just check the URL in the address bar. If it’s HTTPS-enabled, you’ll see a padlock in the top left-hand corner.
If you connect to a website on public WiFi that doesn’t secure itself with HTTPS, you leave yourself wide open to attack. Any third party can monitor your browsing activity, see what URLs you’re loading, and capture the data you’re submitting.
The prevalence of HTTPS doesn’t make public WiFi completely safe. Most importantly, it won’t protect your DNS queries.
If you connect to an unsafe WiFi network it is possible for an attacker to intercept your DNS requests and send you to an alternative server under their control. This is known as a Man-in-the-Middle (MitM) attack.
Technically, a Man-in-the-Middle (MitM) attack refers to any scenario in which a third-party interrupts or alters the communication between two systems.
When a MitM attack occurs on public WiFi, the attacker is interrupting the connection between your computer and the web server you’re trying to connect to. According to a threat intelligence report by IBM, 35% of all malicious online activity begins with a MitM attack.
Man-in-the-Middle attacks can come in many forms, including:
On an unsecure network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.
An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.
Hackers can fool people into revealing or changing their passwords, exposing highly personal information.
MitM attacks are popular because they are cheap, easy, and effective. All a hacker needs is a device like the $99 WiFi Pineapple — a pocket-sized device that looks like a cross between a USB flash drive and a WiFi router.
These simple devices enable virtually anyone to create a fake WiFi access point and carry out a MitM attack. They are commercially available and sold as standard in most computer hardware stores.
The Pineapple was first developed by Hak5 as a tool for penetration testers. Pentesters are hired by companies to test or attack their own network in order to highlight any vulnerabilities.
The WiFi Pineapple is able to interface with hundreds of devices at a time. Security researchers can use it to execute multiple attacks on public WiFi networks to see how they work and how to safeguard against them.
While this makes it a valuable tool for researchers, it is also a dangerous tool in the wrong hands. Attackers can easily use the Pineapple to gather sensitive personal data from unwitting public Wi-Fi users.
DNS Spoofing or “DNS cache poisoning” is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.
DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, you first contact a DNS nameserver which finds the matching IP address (e.g. 192.168.1.1) for the domain (e.g. example.com) you’re looking for.
DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for “example.com”, any user trying to access that website would be sent to a different IP address specified by the hacker.
There are two main reasons why an attacker might do this:
To launch a “denial of service” (DDoS) attack. An attacker could alter the IP address listed for a common domain like Google.com in order to divert a huge amount of traffic to another server. If the alternative server is incapable of handling such high volumes it can often slow down or even stop. This kind of DDoS attack can take down entire websites.
Redirection. Corrupted DNS entries can be used to divert victims to fraudulent websites. Attackers use this to send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.
Most attackers will choose to configure their own malicious DNS nameserver. They can then use several strategies to distribute DNS changer malware to a user’s computer, smartphone, or WiFi router.
DNS changer malware changes your device’s settings to point DNS queries to the hacker’s malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.
The code for DNS changer malware is often found in URLs sent via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their computer. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code.
Aside from your device itself, attackers can also target routers with the same DNS changing malware. Routers can override a device’s DNS settings, which is a particular threat for users connected to public WiFi networks.
4. Fake Hotspots & Evil Twin Attacks
Fake hotspots or “Evil Twin attacks” are amongst the most common and most dangerous threats on public WiFi connections.
An attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect.
WiFi Pineapples even include the native capacity to actively scan for SSID signals. These signals are used by phones to find and connect to known WiFi networks, and can be easily copied by malicious third parties.
This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a familiar network that they’ve previously connected to.
It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to dangerous free WiFi networks because they had targeted names like “I Vote Trump! Free Internet.” This cost them their sensitive data, emails, and messages.
In fact, 68% of users at the convention exposed their identities through public WiFi in some way. These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.
Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious.
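The check below is an added example, not part of the original article: it compares nearby networks against the profiles saved on a device and flags the patterns a fake hotspot tends to produce. The scan list, the saved profile, and all function names are constructed for illustration.

```python
import re

# Constructed scan results (not real networks). A real list would come from
# the operating system's Wi-Fi scan; the BSSIDs here are made up.
SCAN = [
    {"ssid": "Hotel_Guest",    "bssid": "02:00:00:aa:00:01", "security": "WPA2"},
    {"ssid": "Hotel_Guest",    "bssid": "02:00:00:aa:00:02", "security": "WPA2"},
    {"ssid": "Hotel_Guest",    "bssid": "02:00:00:ff:00:09", "security": "OPEN"},
    {"ssid": "Hotel-Guest",    "bssid": "02:00:00:ff:00:0a", "security": "WPA2"},
    {"ssid": "Free_Cafe_WiFi", "bssid": "02:00:00:bb:00:01", "security": "OPEN"},
]

# Saved profiles (assumed): SSID -> security mode recorded when it was saved.
KNOWN = {"Hotel_Guest": "WPA2"}


def normalize(ssid):
    """Collapse case and punctuation so 'Hotel-Guest' matches 'Hotel_Guest'."""
    return re.sub(r"[^a-z0-9]", "", ssid.casefold())


def flag_suspect_networks(scan, known):
    """Return (ssid, bssid, reason) for every access point worth a second look.

    security-mismatch: a saved SSID is advertised with a different security
                       mode (for example open instead of WPA2).
    lookalike-name:    the name differs from a saved SSID only by case or
                       punctuation.
    open-unverified:   an open network the device has no profile for; confirm
                       the name with staff before joining.
    A different BSSID alone is not flagged, because legitimate networks often
    run several access points under one name.
    """
    known_normalized = {normalize(name) for name in known}
    findings = []
    for ap in scan:
        ssid, security = ap["ssid"], ap["security"]
        if ssid in known:
            if security != known[ssid]:
                findings.append((ssid, ap["bssid"], "security-mismatch"))
        elif normalize(ssid) in known_normalized:
            findings.append((ssid, ap["bssid"], "lookalike-name"))
        elif security == "OPEN":
            findings.append((ssid, ap["bssid"], "open-unverified"))
    return findings


if __name__ == "__main__":
    for finding in flag_suspect_networks(SCAN, KNOWN):
        print(finding)
```

A clean result does not prove a network is genuine, since a fake access point can copy both the name and the security mode of the real one.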
Session hijacking is a type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts.
Attackers can use this technique to take over the connection between your device and another machine. This could be a web server, an application, or a website with a login form.
“Sessions” are temporary states established between two communicating devices. The session serves to authenticate the two parties and allows details about their communication to be tracked and stored.
Sessions are established using various authentication protocols that ensure the two parties know who each other are. This includes an HTTP “session cookie” — a file containing details about your interaction with the web server.
When you log onto a website you are assigned a session cookie. As you browse the website, the server will continue to ask your machine to authenticate itself by resending this cookie.
Session hijacking exploits these cookies. The web server you’re interacting with relies on the session cookie to identify and authenticate your device — if it is stolen, the thief can also steal your identity.
The most valuable session cookies are those sent to users logging in to highly secure sites.
Armed with this information, an attacker could:
Purchase goods in your name
Move money between accounts
Change your login details
Lock you out of your accounts
Hackers can steal session cookies in various ways. Typically, they will infect a user’s device with malicious software that records their session information and sends the relevant cookies to the attacker.
On an unsecured network, attackers can also use specialized software called ‘session sniffers’ to identify and intercept your session token.
Software for sniffing is incredibly easy to access despite the fact that it is illegal to use it for eavesdropping and data snooping. Popular sniffing software from the past includes Ethereal, FaceNiff, and Firesheep.
The most effective way to protect yourself against session hijacking is to avoid unsecured WiFi networks. You are much more vulnerable to hijacking if you are sending all of your session cookies unencrypted across a free network.
Generally speaking, session hijacking should not be possible if you’re connecting to a website using an HTTPS connection, because your cookies will be protected by a layer of encryption.
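The protection described above depends on the site never sending the session cookie over plain HTTP. The following added example (not from the original article) audits a set of response headers for the two settings that enforce this: the Secure attribute on each cookie and a Strict-Transport-Security (HSTS) header. The header values and function names are constructed for illustration.

```python
# Constructed response headers from a hypothetical login response.
WEAK = [
    ("Set-Cookie", "sessionid=constructed-token-1; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=constructed-token-2; Path=/; Secure; HttpOnly"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_enabled(headers):
    """True if the response tells the browser to use HTTPS only (max-age > 0)."""
    for header, value in headers:
        if header.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "max-age" and val.isdigit():
                return int(val) > 0
    return False


def cookies_sent_over_http(headers):
    """Names of cookies without Secure: the browser will attach these to any
    plain-HTTP request to the site, where they cross the network unencrypted."""
    exposed = []
    for header, value in headers:
        if header.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                exposed.append(name)
    return exposed


def audit(headers):
    return {"hsts": hsts_enabled(headers),
            "cookies_sent_over_http": cookies_sent_over_http(headers)}


if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
```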
This chapter will explain four simple steps you can follow to reduce your chances of getting hacked or having your data stolen on a public WiFi connection.
1. Change Your Browsing Behavior
The most dangerous public WiFi networks are those that don’t require a password to join.
We tend to gravitate toward these networks because they’re common and super convenient, but they increase your risk of a serious breach dramatically.
If you have to use public WiFi, choose a network that is password protected.
If you can’t find an open network that you trust, it’s worth considering using your mobile data plan instead. This option is much more secure and can be found in the Settings menu on your device. Apple and Android both have helpful guides explaining how to do this.
If it’s absolutely necessary to connect to an open network, be sure to limit your activity to avoid any kind of behavior that might involve your personal data.
Avoid online banking or shopping on sites like eBay or Amazon. If something involves financial transactions or submitting your personal details, steer clear.
To avoid fake hotspots, it’s also good practice to ask a member of staff what the WiFi name is if you’re in a restaurant or hotel — especially if there are similarly named networks in the vicinity.
2. Change Your Device Settings
There are some simple adjustments you can make to your devices that will make them far less susceptible to attacks.
Turn Off Automatic WiFi Connection
One of the first things you can do is turn off automatic connections. This will help you avoid connecting to random open hotspots.
To turn off automatic WiFi connections on Windows:
Navigate to the Settings menu.
Click Network & Internet > Wi-Fi > Manage Known Networks.
Right-click on any network you don’t want to automatically connect to.
Select ‘Properties’ and uncheck the option labeled ‘Connect Automatically When in Range’.
To turn off automatic WiFi connections on a Mac:
Navigate to the System Preferences menu.
On the left side, select any network you don’t want to automatically connect to.
Uncheck the box next to “automatically join this network”.
To turn off automatic WiFi connections on an iPhone:
Navigate to the Settings menu.
Tap on the ‘WiFi’ option.
Select any network you don’t want to automatically connect to.
Toggle the “Auto-Join” switch to prevent automatic connection.
It’s good to get into the habit of deleting public WiFi networks from your device. Keeping a lean WiFi history helps to avoid the possibility that you’ll connect to a fake access point later.
It’s also best that you turn off file sharing, Bluetooth and AirDrop on your device unless you intend to specifically use it. Having it on all the time is unnecessary and increases the risk of malware-infected files finding their way into your system.
Enable Your Firewall
A firewall is a network security feature that monitors the traffic flowing to or from your network. It allows or blocks traffic based on a set of predefined security rules.
The firewall will work to prevent unauthorized or malicious access to your device.
Most computers now come with a firewall built-in.
If you’re not sure whether your firewall is on or off, it’s worth checking.
To enable the firewall on a Mac:
Open the System Preferences menu.
Choose ‘Security & Privacy’.
Select the ‘Firewall’ tab at the top of the page.
Unlock the window by clicking the lock in the bottom-left corner.
Click ‘Turn On Firewall’ to enable the firewall.
To enable the firewall on Windows:
Open the Start menu and navigate to Settings.
Choose ‘Security & Privacy’.
Choose ‘Update & Security’.
Select ‘Windows Security’ and then ‘Firewall & Network Protection’.
Make sure the firewall is on.
It’s important that you remember to keep your computer, laptop, or phone as up-to-date as possible. Fortunately, most software updates are enabled automatically.
Software updates usually contain security patches. Staying up-to-date will protect you against known vulnerabilities that hackers can easily exploit.
It’s possible to trigger a fake software update on your computer if you’re on a public network. For this reason, you should never download software updates over public WiFi — particularly if the alert box pops up while you’re on that hotspot.
Make sure to disconnect and check for updates when you’re on a secure and private connection.
3. Security Applications & Extensions
Beyond your device settings, there are some extra applications, extensions, and services that are worth downloading to enhance your security on public WiFi networks.
If you’re using Firefox, DNS over HTTPS will also go a long way to protect you. We’ve seen that DNS requests are still exposed during HTTPS connections; DNS over HTTPS (DoH) seeks to cover those cracks by encrypting your DNS queries.
You can find the DNS over HTTPS settings in the ‘Network’ settings on your Firefox browser.
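To make the difference concrete, this added example (not from the original article) builds a standard DNS query, shows that the hostname sits in the packet as readable bytes, and then wraps the same packet in a DNS over HTTPS GET request as defined in RFC 8484. The resolver URL `https://doh.example/dns-query` is a placeholder, and the function names are chosen for illustration.

```python
import base64
import struct

DOH_RESOLVER = "https://doh.example/dns-query"  # placeholder, not a real service


def build_query(hostname, qtype=1):
    """Build a DNS query in wire format (qtype 1 = A record).

    The ID is 0, as RFC 8484 recommends for DoH; the flags set only
    'recursion desired'; the packet carries exactly one question.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = hostname.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def read_qname(packet):
    """Recover the hostname from a query packet.

    Classic DNS sends this packet as-is, so anyone on the same network who
    sees it can read the name with no key and no decryption.
    """
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(packet, resolver=DOH_RESOLVER):
    """Wrap the same packet for DoH: base64url without padding in ?dns=.

    The request travels inside HTTPS, so on the local network only the
    connection to the resolver is visible, not the name being looked up.
    """
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("plain DNS payload:", query)
    print("name readable on the wire:", read_qname(query))
    print("DoH request:", doh_get_url(query))
```

The encoded value for `www.example.com` matches the sample request in RFC 8484, which is a quick way to confirm the packet is well formed.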
It’s equally worth investing in some reliable security software like MalwareBytes. These products will offer virus and ransomware protection along with the ability to thoroughly cleanse your system of any malware or spyware you may have already picked up.
Enabling two-factor authentication on your accounts will also go a long way to protect you against data theft. This means that even if an attacker manages to compromise your usernames and passwords, they won’t be able to log in to your account without an extra verification code.
If you use public WiFi networks regularly, a Virtual Private Network (VPN) is arguably the best investment you can make toward security and peace of mind.
VPNs work by creating a secure tunnel between your device and a private VPN server. This server then forwards your traffic on to the website or application you’re visiting.
VPNs stop Internet Service Providers (ISPs) from tracking your browsing activity and also prevent hackers and third parties from intercepting your traffic. If someone does monitor your connection, all they’ll see is useless letters and numbers.
In short, a VPN will keep your browsing secure by encrypting your internet traffic, routing it through a secure tunnel, and masking your true IP address.
A reliable VPN will effectively tackle all of the potential threats we’ve mentioned in this guide, regardless of the network you’re on.
It’s worth noting that not all VPNs are created equal. Some services offer stronger protection than others, while some free services can actually present a security risk in themselves.
In our rush to connect to the applications we need, it’s natural to gravitate toward public WiFi. It’s easy and free, and it’s available almost everywhere.
HTTPS and TLS have made it much harder for hackers to intercept and exploit your data. That said, with only a laptop, some free software, and a WiFi Pineapple, you’d be amazed how much damage can be done.
The simplest solutions are often the strongest. If you’re properly prepared, public WiFi doesn’t pose a huge risk for occasional users. Invest in a reliable VPN and shore up your security by checking your settings and being sensible about the data you expose on an open network.
About the Author
Simon is our Head of Research and has tested hundreds of VPNs since 2016. His research has been covered by the BBC, The New York Times, CNet, Wired, and more.