Free WiFi networks are much more secure than they used to be. However, public WiFi doesn’t come without risks. If you don’t take necessary precautions, your traffic may still be vulnerable to interception and manipulation by attackers.
Despite the rise of HTTPS, public WiFi networks still pose some risks in 2023.
If the WiFi hotspot is compromised or operated by an attacker, your data and device security could be at risk.
Here’s a more detailed list of the real dangers posed by public WiFi networks in 2023:
Unencrypted WiFi Networks
Most public WiFi networks are now password-protected, which means they’re encrypted. If you’re connected to a password-protected network and a user outside of the network intercepts your connection, they won’t be able to decrypt your data in order to understand it.
If you connect to a free WiFi network without a password, you’re using an unsecured connection without encryption, which is much less secure. In this case, everything you do online can be captured and understood by other people within range.
Even if you’re connected to a password-protected network, there are still potential risks. Firstly, the person running the access point can still intercept and understand what you’re doing, so you’re relying on the network owner being trustworthy.
Secondly, it’s still technically possible to intercept and decipher your web traffic on a password-protected WiFi network. It all depends on the security of the WiFi network.
For example, on a network using WEP encryption, all data is encrypted with the pre-shared key you used to get on the network (i.e. the WiFi password). That means everyone on the network can decipher everyone else’s traffic without a problem.
It’s a little more difficult on WPA-PSK or WPA2-PSK networks, which use individual, per-session encryption keys. However, it’s not impossible. Those keys are derived from the pre-shared key (the WiFi password), which still poses a potential risk.
WPA2-PSK networks are more secure as they use individual encryption keys.
On WPA-Enterprise or WPA2-Enterprise networks, all the per-client per-session keys are derived completely independently, which means it’s impossible to decode other users’ traffic. In this case, an attacker would have to set up a fake hotspot to gain access to your data.
HTTPS vs HTTP Websites
Most websites today use an encrypted connection called HTTPS, which uses TLS (Transport Layer Security) to secure the information passing between your device and a web server.
HTTPS is an encrypted version of the HTTP protocol, a basic internet standard for accessing web pages. It stops most third parties from seeing what you’re doing on a website, and also stops them inserting malicious code into your web traffic.
If the website you’re visiting is HTTPS-enabled, you’ll see a padlock in the top left-hand corner of your browser’s address bar.
HTTPS has made public WiFi — and the Internet as a whole — much safer. However, HTTPS does not guarantee that you’re safe online, especially on public networks. You’re still vulnerable to some Man-in-the-Middle attacks, phishing, certificate authority issues, and to any vulnerabilities in SSL/TLS.
Most importantly, HTTPS won’t protect your DNS queries, which an attacker can intercept and manipulate to redirect you to an alternative server under their control. For this reason, we recommend using HTTPS in combination with a VPN.
EXPERT TIP: HTTPS confirms that your connection is encrypted, but it is not a guarantee that you’re connected to the website you think you are. Even if you see a padlock in your address bar, make sure you haven’t been diverted to a domain with a different but similar-looking name.
HTTPS will prevent the WiFi network provider from seeing the individual pages you visit, but they will still see the domain names of the websites you’re browsing.
The most popular websites are all secured using HTTPS today, but you should look out for sites that aren’t. An attacker could easily monitor your activity on unencrypted (HTTP) sites or insert malicious code into that traffic, and the WiFi provider can monitor and log it, too.
Sites that have a secure connection may not default to it, either: Google reports that 3 out of the top 100 non-Google websites don’t. To stay safe on those sites, you’ll need to use a VPN or a browser extension that forces HTTPS connections.
Worryingly, 5% of Google’s visitors do not use HTTPS because the devices or software they’re using are too old to support modern encryption standards. If you’re using an outdated device that doesn’t support HTTPS, consider upgrading if you can.
Man-in-the-Middle (MitM) Attacks
A Man-in-the-Middle (MitM) attack refers to any scenario in which a malicious third party interrupts or alters the communication between two systems.
When a MitM attack occurs on public WiFi, the attacker is interrupting the connection between your computer and the web server you’re trying to connect to.
Using public WiFi networks increases your risk of Man-in-the-Middle attacks.
On an unsecured network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.
An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.
Hackers can also trick people into revealing or changing their passwords, exposing highly personal information.
MitM attacks are popular with hackers because they are cheap, easy, and effective. All a hacker needs is something like the WiFi Pineapple — a portable device that looks a bit like a WiFi router, and costs just $120.00.
The $120.00 WiFi Pineapple allows virtually anyone to exploit public networks to collect personal data.
These simple devices enable virtually anyone to create a fake WiFi access point and carry out a Man-in-the-Middle attack. They are commercially available and sold in most computer hardware stores.
The WiFi Pineapple can interface with hundreds of devices at a time. Security researchers use it to execute attacks on public WiFi networks in order to test how safe the network is and learn how to protect it against attacks.
However, it’s clearly a dangerous tool in the wrong hands. Attackers can easily use the WiFi Pineapple to gather sensitive personal data from unwitting public WiFi users.
The WiFi Pineapple can also be used to run SSLstrip, software that changes secure HTTPS requests to their insecure HTTP equivalent.
Modern browsers are designed so that web servers can tell browsers they should use HTTPS, which helps fight against this. However, this protection doesn’t take effect until your second visit to the site.
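The mechanism described above is HTTP Strict Transport Security (HSTS). The following added example (not from the original article) is a simplified Python model of the HSTS list a browser keeps, showing why the first plain-HTTP visit can still be downgraded while later visits are upgraded before they leave the device. The host shop.example and the header values are constructed.

```python
import re
from urllib.parse import urlsplit

class HstsStore:
    """Simplified model of the per-host HSTS list a browser keeps."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry time in seconds, includeSubDomains flag)

    def note_response(self, url, headers, now):
        """Learn a policy from a response; headers seen over plain HTTP are ignored."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return
        m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
        if m is None:
            return
        if int(m.group(1)) == 0:  # max-age=0 tells the browser to forget the host
            self._hosts.pop(parts.hostname, None)
            return
        subs = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", value, re.I) is not None
        self._hosts[parts.hostname] = (now + int(m.group(1)), subs)

    def upgrade(self, url, now):
        """Return the URL the browser would really request for a typed or linked URL."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return parts._replace(scheme="https").geturl()
        return url  # no valid policy known: the request leaves in cleartext

def demo():
    """Constructed walk-through for the made-up host shop.example."""
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    store = HstsStore()
    first = store.upgrade("http://shop.example/login", now=0)      # nothing learned yet
    store.note_response("http://shop.example/login", sts, now=0)   # injected over HTTP: ignored
    store.note_response("https://shop.example/login", sts, now=1)  # genuine HTTPS response
    second = store.upgrade("http://shop.example/login", now=2)
    sub = store.upgrade("http://pay.shop.example/", now=2)
    expired = store.upgrade("http://shop.example/login", now=31536002)
    return first, second, sub, expired
```

The policy is only learned from a response that arrived over HTTPS and it lapses once max-age runs out, so a device that has never visited the site, or has not visited it for a long time, gets no upgrade.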
Fake Hotspots & Evil Twin Attacks
Fake hotspots or ‘Evil Twin attacks’ are among the most common and most dangerous threats on public WiFi connections. An attacker can use them to steal your unencrypted data and infiltrate your device.
To carry out this attack, an attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect. Less sophisticated hackers may even choose names like ‘FREE INTERNET’ to entice people.
An Evil Twin attack is very easy to pull off: a seven-year-old has been shown doing it in 11 minutes.
WiFi Pineapples can even actively scan for SSID signals. These signals are used by phones to find and connect to known WiFi networks. Fake hotspots can impersonate a familiar network by copying those SSID signals.
This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a network that they’ve previously connected to.
It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to unknown free WiFi networks because they had targeted names like ‘I Vote Republican! Free Internet’. As a result, 68% of users at the convention exposed their identities when they connected.
These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.
Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious.
DNS Spoofing or ‘DNS cache poisoning’ is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.
DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, you first contact a DNS nameserver which finds the matching IP address (e.g. 192.168.1.1) for the domain you’re looking for (e.g. example.com).
DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for ‘example.com’, any user trying to access that website would be sent to a different IP address specified by the hacker.
DNS Spoofing works by redirecting your traffic to fake servers.
In this way, attackers can send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.
Often, public WiFi hotspots are operated by small businesses that do not have the technical knowledge to keep the router fully secure. They might not have changed the default password and probably haven’t updated the firmware.
Hackers can install malware on insecure routers. This malware sends all the DNS queries to their malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.
Session hijacking is another type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts. It is much less of a risk than it used to be, thanks to the rise of HTTPS.
Hackers can steal your identity through session hijacking.
‘Sessions’ are temporary states established between two communicating devices, such as your device and a web server. The session is established using authentication protocols that ensure the devices know who each other are.
When you log onto a website you are assigned a session cookie — a file containing details about your interaction with the web server. As you browse the website, the server will ask your machine to authenticate itself by resending this cookie.
Session hijacking copies these cookies to impersonate your device and steal your identity.
The most valuable session cookies are those sent to users logging in to highly-secure websites, such as shopping or banking sites.
On an unsecured network, attackers can use specialized software called ‘session sniffers’ to identify and intercept your session cookies.
Session sniffing software is incredibly easy to access, even though it is illegal to use it for eavesdropping and data snooping.
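Whether a session cookie can be read on an open network depends on whether the browser ever sends it over plain HTTP. The following added example (not from the original article) models that decision in Python for a set of Set-Cookie headers, using the cookie Secure attribute and the RFC 6265 path rule. The site shop.example and all cookie names and values are constructed, and the model assumes every cookie was set by the host being requested.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def path_matches(request_path, cookie_path):
    """Cookie path-match rule from RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def cookies_sent(set_cookie_headers, request_url):
    """Names of cookies a browser would attach to request_url.

    Simplifying assumption: every cookie was set by the same host that
    request_url points at, so Domain matching is left out.
    """
    target = urlsplit(request_url)
    request_path = target.path or "/"
    sent = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"] and target.scheme != "https":
                continue  # Secure cookies never leave over plain HTTP
            if path_matches(request_path, morsel["path"] or "/"):
                sent.append(name)
    return sent

# Constructed Set-Cookie values for the made-up site shop.example.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly",                         # session cookie, no Secure
    "auth=tok456; Path=/; Secure; HttpOnly; SameSite=Lax",  # session cookie, Secure
    "cart=789; Path=/shop",                                 # scoped to /shop, no Secure
]

def readable_on_open_wifi(request_url):
    """Cookies that cross the network unencrypted for this request."""
    if urlsplit(request_url).scheme == "https":
        return []
    return cookies_sent(SAMPLE_HEADERS, request_url)
```

Only `auth` stays off the wire when a single `http://` request is made, which is why a site offering HTTPS still needs the Secure attribute on its session cookies.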