How to Stay Safe on Public WiFi

Below are four simple steps to reduce your chances of being hacked and having your data stolen on a public WiFi connection.

1Use a Virtual Private Network (VPN)

If you use public WiFi networks regularly, then a virtual private network (VPN) is the best investment you can make toward security and peace of mind.

VPNs create a secure tunnel between your device and a private VPN server. This server then forwards your traffic on to the website or application you’re accessing.

Using a VPN stops internet service providers (ISPs) from tracking your internet activity, and also prevents hackers and third parties from intercepting your traffic.

If someone is monitoring your internet connection, all they’ll see is a meaningless combination of letters and numbers.

In short, a VPN keeps your browsing secure by encrypting your internet traffic, routing it through a secure tunnel, and masking your true IP address.

However, a VPN can still be hacked through vulnerabilities in its servers or connection protocols. It is important to choose a secure and reliable VPN effectively tackles all the potential threats we’ve mentioned in this guide, regardless of the network you’re on.

2Change Your Browsing Behavior

The most dangerous public WiFi networks are those that don’t require a password to join.

We tend to gravitate toward these networks because they’re common and super convenient, but they hugely increase your risk of being hacked.

If you have to use public WiFi, choose a network that is password protected.

If you can’t find an open network that you trust, consider using your mobile data plan instead. This option is much more secure and can be found in the Settings menu on your device. Apple and Android both have helpful guides explaining how to do this.

If it’s absolutely necessary to connect to an open network, be sure to limit your activity to avoid any kind of behavior that might involve your personal data.

Avoid online banking or shopping on sites like eBay or Amazon. Steer clear of submitting your personal details as you risk exposing your account details to third parties. Instead, make sure to always use your home or workplace WiFi for financial transactions.

To avoid fake hotspots, it’s also good practice to ask a member of staff what the WiFi name is if you’re in a restaurant or hotel. This is especially important if there are a number of networks with similar names in the vicinity.

3Change Your Device Settings

There are some simple adjustments you can make to your devices that will make them far less susceptible to attacks.

1. Turn Off Automatic WiFi Connection

One of the first things you can do is turn off automatic connections. This will stop your device from connecting to random open hotspots.

To turn off automatic WiFi connections on Windows:

1. Navigate to the Settings menu.
2. Click Network & Internet > Wi-Fi > Manage Known Networks.
3. Right-click on any network you don’t want to automatically connect to.
4. Select ‘Properties’ and uncheck the option labeled ‘Connect Automatically When in Range’.

To turn off automatic WiFi connections on a Mac:

1. Navigate to the System Preferences menu.
2. Select ‘Network’.
3. On the left side, select any network you don’t want to automatically connect to.
4. Uncheck the box next to “automatically join this network”.
5. Click “Apply”.

It’s good to get into the habit of deleting public WiFi networks from your device. Keep a lean WiFi history to avoid the possibility that you’ll connect to a fake access point later.

It’s also best to turn off file sharing, Bluetooth and AirDrop on your device unless you intend to use them. Having them on all the time is unnecessary and increases the risk of malware-infected files finding their way into your system.

2. Enable Your Firewall

A firewall is a network security feature that monitors the traffic flowing to or from your network. It allows or blocks traffic based on a set of predefined security rules.

The firewall will work to prevent unauthorized or malicious access to your device.

Most computers now come with a firewall built-in.

If you’re not sure whether your firewall is on or off, it’s worth checking.

To enable the firewall on a Mac:

1. Open the System Preferences menu.
2. Choose ‘Security & Privacy’.
3. Select the ‘Firewall’ tab at the top of the page.
4. Unlock the window by clicking the lock in the bottom-left corner.
5. Click ‘Turn On Firewall’ to enable the firewall.

To enable the firewall on Windows:

1. Open the Start menu and navigate to Settings.
2. Choose ‘Security & Privacy’.
3. Choose ‘Update & Security’.>
4. Select ‘Windows Security’ and then ‘Firewall & Network Protection’.
5. Make sure the firewall is on.

3. Software Updates

It’s important to keep your computer, laptop, or phone as up-to-date as possible. Fortunately, most software updates are enabled automatically.

Software updates usually contain security patches. Staying up-to-date will protect you against known vulnerabilities that hackers can easily exploit.

It’s possible to trigger a fake software update on your computer if you’re on a public network. For this reason, you should never download software updates over public WiFi — particularly if the alert box pops up while you’re on that hotspot.

Make sure to disconnect and check for updates when you’re on a secure and private connection.

4Use Security Applications & Browser Extensions

Beyond your device settings, there are private and secure browser extensions, applications and services we recommend downloading to enhance your security on public WiFi networks.

HTTPS Everywhere is a great free browser extension. It’s available on Chrome, Firefox, and Opera and will push websites to use secure HTTPS connections wherever possible.

If you’re using Firefox, enable DNS over HTTPS in the browser’s ‘Network’ settings. We’ve verified that DNS requests are still exposed during HTTPS connections, so DNS over HTTPS (DoH) covers over those cracks by encrypting your DNS queries.

We also recommend installing trusted security software, too. Products like MalwareBytes offer real-time virus and ransomware protection, as well as malware and spyware cleanup tools.

Enabling two-factor authentication (2FA) on your online accounts also goes a long way to protect you against data theft.

With 2FA enabled, even if a hacker manages to get hold of your usernames and passwords, they won’t be able to log in to your accounts without additional verification codes.

Public WiFi is a free wireless internet connection point available to anyone in a certain area. Public WiFi hotspots usually have an easily available password or no password at all, making them unsecured networks.

The lack of a screening process means anybody can connect to them. As such, it’s easier to be hacked when using an unsecured network as they provide minimal security.

You’ll usually find Free WiFi hotspots in busy public places like shops, restaurants, airports, and hotels. Most users now expect to find a free network almost everywhere they go — something cybercriminals use to their advantage.

Is Public WiFi Safe?

The dangers of public WiFi are often exaggerated in an attempt to sell security products. The truth is, thanks to the rise of HTTPS, public WiFi networks have never been safer.

A public WiFi network is certainly less secure than a personal, private network because you don’t know who set it up or who else is connecting to it.

Traffic interception and eavesdropping tools are easily available for purchase online, and the size of the market for personal data is growing every day. It’s still disturbingly easy for an attacker to set up a fake WiFi hotspot to steal your information.

According to a recent Bloomberg investigation, cybercriminals are even checking into hotels just to collect the valuable network data:

“the leader had used his phone’s hotspot to create a new Wi-Fi network, naming it after the hotel. Within minutes, six devices had joined his spoofed network, exposing their internet activity to the hackers.”

If a network has no password, all of the HTTP traffic flowing to and from that hotspot is unencrypted. That means all of the data sent from your computer is transmitted in plain text format and you could be at risk of exposing your personal data when using the public WiFi in your hotel.

The best way to avoid these dangers is to understand them. In the next section, we’ll cover the five most common risks of public WiFi.

If you’d like to learn how to protect yourself, you can skip straight to our 4 essential security tips.

1HTTP & HTTPS

Many VPN companies will try to convince you that public WiFi networks are always dangerous. Thanks to something called HTTPS, this isn’t exactly true.

HTTPS stands for Hypertext Transfer Protocol Secure. It is an encrypted extension of the HTTP protocol, a basic internet standard that allows web pages to be requested and loaded.

On top of the basic functions of HTTP, HTTPS is designed to protect the privacy and security of data in transit.

HTTPS is more secure than HTTP as it provides encryption via TLS (Transport Layer Security), which secures the connection between a client (e.g. a web browser) and a server (e.g. example.org). This means any connection to an HTTPS website is encrypted, authenticated, and regularly checked for integrity.

HTTPS makes it much harder for an attacker to intercept communications between your browser and the website you are visiting because the data is no longer in plain text.

To check if the website you’re visiting is encrypted with HTTPS, just check the URL in the address bar. If it’s HTTPS-enabled, you’ll see a padlock in the top left-hand corner.

If you connect to a website on public WiFi that doesn’t secure itself with HTTPS, you leave yourself wide open to attack. Any third party can monitor your browsing activity, see what URLs you’re loading, and capture the data you’re submitting.

Fortunately, up to 95% of traffic across Google Services is now encrypted with HTTPS. That means the majority of websites you visit will be protected.

2Man-in-the-Middle (MitM) Attacks

The prevalence of HTTPS doesn’t make public WiFi completely safe. Most importantly, it won’t protect your DNS queries.

If you connect to an unsafe WiFi network it is possible for an attacker to intercept your DNS requests and send you to an alternative server under their control. This is known as a Man-in-the-Middle (MitM) attack.

Technically, a Man-in-the-Middle (MitM) attack refers to any scenario in which a third-party interrupts or alters the communication between two systems.

When a MitM attack occurs on public WiFi, the attacker is interrupting the connection between your computer and the web server you’re trying to connect to. According to a threat intelligence report by IBM, 35% of all malicious online activity begins with a MitM attack.

On an unsecure network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet.

An attacker could display a fake website or login form, replace links with malicious alternatives, add pictures, and much more.

Hackers can fool people to reveal or change their passwords, exposing highly personal information.

MitM attacks are popular because they are cheap, easy, and effective. All a hacker needs is a device like the WiFi Pineapple — a pocket-sized device that looks like a cross between a USB flash drive and a WiFi router, and costs just $99.

These simple devices enable virtually anyone to create a fake WiFi access point and carry out a MitM attack. They are commercially available and sold as standard in most computer hardware stores.

The WiFi Pineapple is able to interface with hundreds of devices at a time. Security researchers use it to execute attacks on public WiFi networks in order to test how safe the network is and learn how to protect it against attacks.

However, it’s clearly a dangerous tool in the wrong hands. Attackers can easily use the Pineapple to gather sensitive personal data from unwitting public WiFi users.

Find out how to protect yourself against MitM attacks in the next chapter of this guide.

3DNS Spoofing

DNS Spoofing or “DNS cache poisoning” is a specific type of Man-in-the-Middle attack designed to divert traffic away from legitimate servers and redirect it toward fake ones. This type of attack is particularly popular over unprotected public WiFi networks.

DNS queries are sent from your device every time you connect to a website. When you enter a URL into your browser’s address bar, you first contact a DNS nameserver which finds the matching IP address (e.g. 192.168.1.1) for the domain (e.g. example.com) you’re looking for.

DNS spoofing is when a third party changes the entries in a DNS nameserver’s resolver cache. This is like changing the phone number in a directory — if someone altered the entry for “example.com”, any user trying to access that website would be sent to a different IP address specified by the hacker.

There are two main reasons why an attacker might do this:

• To launch a “denial of service” (DDoS) attack. An attacker could alter the IP address listed for a common domain like Google.com in order to divert a huge amount of traffic to another server. If the alternative server is incapable of handling such high volumes it can often slow down or even stop. This kind of DDoS attack can take down entire websites.

• Redirection. Corrupted DNS entries can be used to divert victims to fraudulent websites. Attackers use this to send users to phishing sites that look almost identical to the intended destination. These websites are designed to trick users into entering sensitive data such as their username and password.

Most attackers will choose to configure their own malicious DNS nameserver. They can then use several strategies to distribute DNS changer malware to a user’s computer, smartphone, or WiFi router.

DNS changer malware changes your device’s settings to point DNS queries to the hacker’s malicious server. The attacker can then divert traffic for legitimate websites toward malware and phishing websites.

The code for DNS changer malware is often found in URLs sent via spam emails. These emails attempt to frighten or trick users into clicking on the attached URL, which then infects their computer.

Reports have shown that these ‘phishing’ emails have increased dramatically since the outbreak of the COVID-19 pandemic. Banner ads and images — both in emails and untrustworthy websites — can also direct users to this code.

Aside from your device itself, attackers can also target routers with the same DNS changing malware. Routers can override a device’s DNS settings, which is a particular threat for users connected to public WiFi networks.

4Fake Hotspots & Evil Twin Attacks

Fake hotspots or “Evil Twin attacks” are among the most common and most dangerous threats on public WiFi connections.

An attacker simply imitates a public WiFi network with a seemingly legitimate name like ‘Free_Cafe_WiFi’ and waits for their victims to connect. Less sophisticated hackers may even choose names like “FREE INTERNET” in an attempt to entice people.

An Evil Twin attack is very easy to pull off — you can see this seven year-old doing it in 11 minutes.

WiFi Pineapples even include the native capacity to actively scan for SSID signals. These signals are used by phones to find and connect to known WiFi networks, and can be easily copied by malicious third parties.

This means that anyone with a WiFi Pineapple can trick your phone or laptop into connecting to a dangerous WiFi network just by being nearby. It appears to the user as if they’re connected to a familiar network that they’ve previously connected to.

It is incredibly easy to fall for a fake WiFi hotspot. At the 2016 US Republican Convention, more than 1200 people connected to dangerous free WiFi networks because they had targeted names like “I Vote Trump! Free Internet. ” This cost them their sensitive data, emails, and messages.

In fact, 68% of users at the convention exposed their identities through public WiFi in some way. These were fake networks set up in a test by Avast to make a point about public WiFi — but the consequences could have been severe.

Always be careful of auto-connecting to a network, particularly if its name or location seems suspicious. To minimize the implications of an “Evil Twin attack”, never enter your personal details, such as your banking information, when using public WiFi.

5Session Hijacking

Session hijacking is a type of Man-in-the-Middle attack that allows a malicious third party to gain full control of your online accounts.

Attackers can use this technique to take over the connection between your device and another machine. This could be a web server, an application, or a website with a login form.

“Sessions” are temporary states established between two communicating devices. The session serves to authenticate the two parties and allows details about their communication to be tracked and stored.

Sessions are established using various authentication protocols that ensure the two parties know who each other are. This includes an HTTP “session cookie” — a file containing details about your interaction with the web server.

When you log onto a website you are assigned a session cookie. As you browse the website, the server will continue to ask your machine to authenticate itself by resending this cookie.

Session hijacking exploits these cookies. The web server you’re interacting with relies on the session cookie to identify and authenticate your device. If it is stolen, the thief can also steal your identity.

The most valuable session cookies are those sent to users logging in to highly secure sites.

Armed with this information, an attacker could:

• Purchase goods in your name
• Move money between accounts
• Change your login details
• Lock you out of your accounts

Hackers can steal session cookies in various ways. Typically, they will infect a user’s device with malicious software that records their session information and sends the relevant cookies to the attacker.

On an unsecured network, attackers can also use specialized software called ‘session sniffers’ to identify and intercept your session token.

Session sniffing software is incredibly easy to access despite the fact that it is illegal to use it for eavesdropping and data snooping.

The most effective way to protect yourself against session hijacking is to avoid unsecured WiFi networks. You are much more vulnerable to hijacking if you are sending all of your session cookies unencrypted across a free network.

Generally speaking, session hijacking should not be possible if you’re connecting to a website using an HTTPS connection, because your cookies will be protected by a layer of encryption.

That said, clever hackers can trick your browser into visiting an HTTP version of a website in a process called HTTP spoofing, and then launch an attack via conventional methods.