Don’t have time to read the full article? Here are the highlights:
- Wi-Fi networks usually are vulnerable and unsafe browsing environments;
- Using public wireless networks unprotected put yourself at cybercriminals’ reach, jeopardize your device security and expose your sensitive data;
- That behavior can result in severe damages to your personal life, such as online banking credential and credit card number stealing, and identity theft;
- You can protect yourself by acting on three different fronts: using security software, taking defensive precautions, and changing bad habits;
- The most robust and effective measure you can take to access public Wi-Fi networks safely is to use a reliable VPN service.
Why is public Wi-Fi dangerous?
While Wi-Fi networks are a convenient way to browse the web, they can put your safety and privacy at risk.
The primary problem with public Wi-Fi is most networks simply aren’t secure as one might expect. And there are some fundamental reasons for that.
In the first place, many public wireless networks run over outdated equipment and software.
The second problem relates to the network security itself. Maybe for technical limitations or due to misconfiguration, some networks use below the average security measures.
Finally, and yet more dangerous, is the risk of joining a malicious rogue network, by chance, and getting hacked.
We’ll get into more details on those three issues later in this article. But, for now, it’s crucial to give you a brief idea of the inherent weaknesses of public Wi-Fi.
Wi-Fi vulnerabilities: how safe is public Wi-Fi?
The average public Wi-Fi out there offers weak network security and obsolete data encryption. In other words, they can be really dangerous.
Old wireless routers will hardly support cutting-edge security standards, as they didn’t exist when those routers were fabricated. On the other side, the lack of regular firmware (device’s native software) updates gives known security vulnerabilities a long life-cycle.
So, many public Wi-Fi networks still use the wireless encryption protocol (WEP), an obsolete security standard (and an easily hackable one). Moreover, even the dominant and more advanced Wi-Fi protected access (WPA) has its own reported and well-documented vulnerabilities .
Although the new WPA3 has fixed some of its former version flaws, WPA2 is supposedly still running on most networks. Data available shows an estimate of less than 0.01% percent of them currently using WPA3 encryption, based on the Wigle database sample with more than 750 million unique Wi-Fi networks .
As Wi-Fi certified manufacturers are only required to support the WPA3 since July 2020, it will probably take many years to become widespread and replace the older ones.
More concerning yet is that WPA3 had some design flaws found already. Hackers have been exploiting those flaws for some time now, with downgrading attacks and side-channel attacks, as a recent study demonstrated .
What are the security risks and dangers of using public Wi-Fi?
Although they might have an idea, people usually don’t know the real risks they are taking on public unsecured networks. When you find yourself at the mercy of a cybercriminal, not only your digital presence is in danger. Such misfortune may jeopardize your whole life.
A digital scammer can put you in serious trouble. Criminals can collect sensitive personal information like street addresses, names, IDs, social security numbers, login credentials, and significant passwords. It only depends on how careless you might have been.
At this point, you can easily imagine the potentially devastating outcomes. In possession of such data, they can “side jack” your logged-in session and impersonate you, taking complete control of your social profiles and service accounts. Further on, they can break into your online banking account, stealing your money and other economic assets.
In extreme cases, the consequences can be as harmful as identity theft, financial fraud, and crime imputation.
By now, it’s possible you’re worried and shocked at the same time. And suddenly, a question might pop into your head: how is that possible?
What malicious methods do public Wi-Fi hackers use?
Combine utterly negligent internet users with an unsecured network environment, and you’ll have a perfect playground for hackers. Unfortunately, that’s what makes places like cyber cafes, shopping malls, libraries, and airports prolific grounds for exploits and cyber attacks.
There are many malicious techniques cybercriminals apply to trick Wi-Fi users. These are the most common and dangerous ones:
A man-in-the-middle (MITM) attack is a scam where a hacker uses a malicious gizmo to intercept the traffic data on vulnerable networks. This gadget acts like an intermediary hotspot or a middle-man between the victim’s device and the visited website’s server.
It might sound like it was a sophisticated technique, but unfortunately, it’s straightforward and accessible.
All they need is an unsecured wireless network (you might be hopping on) and a “Wi-Fi pineapple” gadget. Actually, any teenager with minimal computer skills can get one from big online retailers for less than 100 bucks and become an attacker .
Evil twin attack
Hackers take advantage of people’s lack of cybersecurity knowledge to trick them into a scam known as the Evil twin attack.
Simply put, they use deceptive tactics to make users connect to rogue Wi-Fi networks artificially created by the attackers instead of legitimate local businesses. Unfortunately, it’s easy to find free, open-source tools suitable for this task.
When you connect to the fake network, the hacker can eavesdrop on your activity and traffic sent back and forth. The attacker can then capture sensitive data  and use it in many nefarious ways, such as impersonation, identity theft, and financial fraud.
Hackers can inject malicious codes (malware) into your device’s system through sworn hotspots. I mean all kinds of coded menaces such as computer viruses, trojan horses, spyware, worms, and ransomware. Once infected, the network will spread the virus.
The possible consequences range from data-stealing to attackers taking total control over your laptop or smartphone.
After gaining access, a cybercriminal can corrupt your system, resulting in financial and data losses, or remain silent, sneaking in search of a way to benefit from the hack.
Network packet sniffing
Another dangerous yet common practice with a strange name is packet sniffing. The sniffing part here refers to the data packets, pieces of information sent within web traffic. They might carry any information, including sensitive data and passwords.
When unencrypted, packets can be easily collected and read by anyone using free software known as a network protocol analyzer.
Although those tools were initially created to help with network security testing, you know, sometimes the medicine and the venom have the same formula.
How to use public Wi-Fi safely?
When it comes to preventing this type of scam or attack, you can usually take three distinct paths. But, like most things in cybersecurity, you’d better go through every one of them, as they complement each other.
To hit the ground running, start by eliminating bad habits and taking proper precautions beforehand. But keep in mind those are just additional steps to enhance your safety on public Wi-Fi. The most significant action you can take to protect yourself is to use advanced security tools.
As for my recommendations, I will try to order safety measures from the most influential ones to those with a complementary impact. For that reason, we’re going to talk software first.
Use a VPN
Right off the bat, you should install a VPN client on all your wireless devices. That is the most efficient way to secure your connections on public networks and demands little effort to set up (such as signing up for a reliable provider, downloading and installing the app wherever you want to use it).
VPNs encrypt all traffic sent by your device and make it unreadable to malicious snoopers online.
VPNs Protect You on Public Wi-Fi networks
Take a look at this VPN selection to pick one the suits your cybersecurity needs.
Make sure you enable your device’s built-in firewall. It can sometimes be very unpleasant, but it would definitely help, even if you have a VPN switched on.
It’s a good practice to keep them working together, especially if your VPN doesn’t come with malware blocking functionality or a firewall of its own.
You can also use a dedicated firewall or threat protection software. That would give you more control over your firewall and how it works. You can configure it to only operate on Wi-Fi connections, for example.
Use an antivirus
You should have antivirus software installed. It would be best to protect your devices from within, as well, for a broader defense against malicious codes.
Whether they are computer viruses, ransomware, or nasty rootkits, you should have a way to identify and block any strange actor trying to reach your device.
Many antiviruses have also incorporated firewall and VPN solutions. None of them can deliver the best of the three worlds, but you can get great deals for complete security suites.
Always go for SSL and HTTPS
There are some cases when you may find yourself browsing insecure HTTP web pages without the “S” at the end.
A MITM attacker, for example, can serve you with an unencrypted HTTP version of the URL you’re trying to access. Moreover, a small percentage of websites still don’t use SSL certificates or make it only available on specific pages, such as login forms. In either case, your data would be completely exposed and readable.
To free up your mind, you can force your devices only to connect to HTTPS web services. The easiest way to do that is to install a browser add-on called HTTPS Everywhere . It’s a tool developed by the Electronic Frontier Foundation (EFF) and the Tor Project, non-profit organizations that advocate for digital rights and privacy.
Unfortunately, that’s not a hundred percent solved issue, as scammers can create fake websites with security certificates. If a victim accesses this website, data will be encrypted between the device and the website but still available to the malicious hacker.
Enable two-factor authentication wherever available
Most websites dealing with sensitive data such as personal accounts and financial operations offer two-factor authentication. You should definitely take advantage of it.
If you’re not familiar with the expression, it refers to security measures that require extra device validation besides login credentials. It usually means you’ll receive a random code on your device to input on the website before gaining access to it.
Turn off auto-connect
All devices have a convenient setting to connect you to the available Wi-Fi seamlessly. But it could be dangerous, as you’ll have no control over your device’s choice of networks. So you’d better keep it turned off all the time.
Just look for it on your device’s network settings to ensure it will not connect to public networks on autopilot.
Make sure you remove public network credentials from your devices
Additionally, it would help if you always made your device “forget” public network credentials after using them.
When you’re done browsing, go to your device settings, find the Wi-Fi network you want to remove, and select the option to Forget or Remove it, depending on your device’s OS.
You should do that every time you disconnect from a public hotspot or, at least, from time to time.
Turn off sharing
Another practical yet potentially risky feature your device provides is the sharing function. Even though it can make your daily life easier, it also opens a backdoor to your system.
To better control your security options, you have to cut down the device’s tasks in the background to the minimum. Unless they are security solutions designed to protect your device, turn them off.
Keep your software (apps) updated
That is by far the biggest reason why hackers can break into people’s devices. Over time, software gets its flaws exposed either by security hackers or attackers. No matter the case, it offers an opportunity for developers to fix their software and release security updates.
Cybersecurity is an ongoing activity, and all software companies are constantly updating their products, thus fixing bugs and reported vulnerabilities.
The problem is there’s always an opportunity window for malicious hackers to exploit a security flaw before it gets fixed and updated on users’ devices.
Kaspersky found that 50% of internet users worldwide usually put off software updates . That’s a mistake, especially when it comes to security fixes.
Use your mobile phone data or turn it into a hotspot
If you’re going to access the internet from your smartphone and have a data package available, that’s the go-to solution.
This tip is precious if you don’t trust the website or app you’re about to use. Typically, your mobile carrier will encrypt your data already. So, in doubt, do not save data, but your data.
Avoid sensitive data exposure
One of the best tips you can get to be safe on public Wi-Fi is this: avoid using services that involve sensitive data and financial operations at all costs.
By sensitive, I mean personal information, social media credentials, and anything else that can expose your identity or yourself as an individual. The financial part refers to digital transactions, online banking, and every other activity that could expose your monetary wealth.
If you do need to deal with those matters on Wi-Fi, you must prepare yourself (and your devices) accordingly previously.
A combination of VPN, firewall and antivirus is a must in that case. But you should also follow the other digital safety recommendations in this article for sure.
Don’t get fooled by criminals
Always look for legitimate networks and access credentials. When trying to mislead users, cybercriminals will likely choose a credible name for its fake network, close to the original. See if you can find official info about the local Wi-Fi or ask the staff for the correct network name and password.
Don’t forget to log out after finishing your stuff
Safely log in, do whatever you need to do, and log out when you’re done. That’s it. An inactive but authorized session on a website can offer bad actors an opportunity to hijack your access and impersonate you. Remember: whenever you log in, log out as well.
Keep Wi-Fi off
That is the safe rule. The exception is to turn it on when you need to use it. Despite that slight inconvenience, mainly if you need to check your social media regularly, it will prevent your device from being accessible (and exposed) when you’re not browsing.
Don’t ignore your browser’s warnings
A modern browser can guess security hazards and block your access to suspicious websites and unsecured connections.
So, every time you get one of those warning screens when trying to reach a website, consider them. Of course, it’s possible to get false positives either. But, unless you know and trust the website, don’t put yourself at risk.
If you follow these recommendations and behave responsibly on public Wi-Fi, you should be fine. It may seem a lot to worry about at first sight, but you’ll get used to it in no time.
The safest and straightforward approach is to equip your wireless devices with proper defenses. Turning your firewall on, having an antivirus running, and using VPN all the time can get you more than halfway there.
The rest of it is about being aware and careful like you’d in other aspects of your life.
References and additional resources
- Ars Technica. Serious flaw in WPA2 protocol lets attackers intercept passwords and much more. October 2017.
- Wireless Geographic Logging Engine (Wigle). Database stats on Wi-Fi network encryption worldwide. June 2021.
- Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd. PDF document.
- Amazon.com. Hak5 MK5 WiFi Pineapple Mark V Auditing Platform Wireless Testing Tool.
- InfoSec Write-ups. How I made a fake access point to harvest login credentials. August 2018.
- HTTPS Everywhere. Security extension by EFF and Tor.
- Kaspersky. Online survey on people’s device update tendencies conducted by Savanta. April 2021.