At a Glance

There’s something really freeing about taking your laptop or mobile device down to your local coffee shop, grabbing a cup of your favorite brewed beverage, and sitting down to surf the web.

But are you aware of how vulnerable you are when you’re using your favorite WiFi hotspot?

The Dangers of Using Public WiFi

In May of 2016, a newspaper columnist reported that he became a member of the mile-high hacked club while using American Airlines’ Gogo inflight internet service. USA Today’s Steven Petrow says a fellow passenger dropped a bombshell bit of information on him after the flight.

“I hacked your email on the plane and read everything you sent and received. I did it to most people on the flight.”

In related news, a seven-year-old girl recently showed how easy it is to hack unprotected public WiFi hotspots by using information and techniques readily available on the internet. The girl hacked a WiFi hotspot in a South London coffee shop in just 10 minutes and 54 seconds after watching a YouTube tutorial.

In the first six months of 2021, in the U.K. alone, identity fraud was up 11% from the year before, with almost 180,000 instances filed in the first six months of the year.

Most WiFi networks that are created for home and business use are password-protected and encrypted. However, most public WiFi hotspots are set up strictly for convenience – not security. The idea is for customers to be able to connect, browse the web, and hopefully stick around long enough to purchase another Grande, iced, sugar-free, vanilla latte with soy milk.

When you’re using an unprotected public hotspot, whatever you do online while connected to the internet is wide open for viewing by bad guys, hackers, government agents, and other various creeps. That means your messages, emails, banking and shopping information, and every login under the sun is an open book to anyone who knows how to intercept your wireless connection.

In addition to electronically eavesdropping on you, bad guys can also set up a network honeypot to entice you to connect to it, thinking you’re connecting to the usual free wireless hotspot. They can then steal your logins and passwords, trick you into giving up other information, and more. Even IT pros like myself can fall for something like this if we’re not careful.

In this post, I’ll be sharing tips on how to avoid such an embarrassing – and possibly very costly – situation.

In addition to the bad guys, you also have to look out for your fellow users. You can’t count on them being smart. It sounds mean, but you don’t know if they’ve kept their operating systems up to date, or if the last update they ran was when some guy from Texas was in the White House.

While we’d like to think everyone runs antivirus and has their computer’s firewall turned on, you know there’s always that one guy who’s still running Windows XP – and has who knows what nastiness gunking up the gears in his machine.

Researchers discovered in 2014 that it is entirely possible for a computer virus to spread via WiFi. Think of it as if you are computing with everyone the other WiFi users computed with, and everyone they have computed with, and everyone they have computed with, and…

Even if you run antivirus, practice safe computing, and never stick your network connection anywhere it shouldn’t go, we have to remember other users might not be as conscientious – and who knows where their connections might have been.

In this article, I’m going to discuss the dangers of connecting to an unprotected WiFi hotspot. I’ll also discuss how you can protect yourself by staying aware of the dangers and what you need to know in order to stay clear of said dangers.

We’ll take a look at some of the software and hardware tools the bad guys use to try to steal your data and personal information. We’ll also take a look at the best practices and tools you can use to foil their nefarious schemes. (Sorry, I always wanted to use “nefarious schemes” in a sentence.)

Don’t worry if you’re not an IT expert. I’m going to explain everything without using too much tech talk and instead try to keep everything on a level that even your folks would understand.

By the end of this article, you’re going to be able to walk into any internet cafe, coffee shop, or airport boarding area, open up your laptop or pull out your mobile device, and laugh in the face of the guy running the “Free Airport WiFi” honeypot on his computer.

The Dangers of Using an Unprotected WiFi Hotspot

The dangers of using an unprotected WiFi hotspot, such as those found in coffee shops, airport boarding areas, hotels, and other public areas are many.

You must assume that other parties can monitor any traffic you send or receive via a public WiFi hotspot. That includes every personal message or email, login and password, or funds transfer from your bank account.

When you are using an unprotected WiFi access point, you are leaving yourself open to a number of attacks by the bad actors of the world. We will discuss them in this section.

Account and Password Information Capture

If your apps or a website you connect to do not use an encrypted connection, instead sending login and password information via clear text, it’s child’s play for a hacker to intercept the transmission and capture that login information. Once a hacker has that info, they can access your personal accounts at their leisure.

Intercepting Messaging and Website Traffic

Hackers can intercept unencrypted instant messaging apps and requests you send to websites. The bad actor can then monitor that traffic, gleaning useful information from the data stream between you and the other party.

While most popular messaging apps and commercial websites now encrypt their traffic, there are some that don’t. Make sure your messaging app uses encryption to protect your messages.

As an example, WhatsApp and Apple’s Messaging app provide end-to-end encryption, with both companies claiming they couldn’t decrypt a protected conversation even if faced with a court order. Meanwhile, a normal SMS text message is not encrypted.

Make sure the messaging app you use is from a reputable developer. Do some research before making a choice as to which messaging app to use by checking out my article about the best encrypted messaging apps.

If a hacker can intercept the traffic between two points, they can also change the data you’re sending.

This could be something as simple as changing your personal “I love you” message to your significant other to something like “I can’t stand you, you stink.”

What you said​

What they actually saw

It could also be something as horrible as intercepting delivery information so that the new laptop you just ordered is delivered to their doorstep instead of yours.

Accessing Data on Your Machine

This one is particularly dangerous to users of unprotected hotspots. If you have file sharing turned on, anyone on an unprotected WiFi network could connect to your computer and copy files to or from the device’s hard drive.

Hackers can use this hole to steal files from the folders on your computer’s drive or to drop malicious files onto the drive and use them to take over your machine. They would use your computer for their nefarious schemes, while you were none the wiser.

See my “Good Practices to Protect Yourself” section for how to turn off sharing on your device.

The Types of Attacks that Hackers Use

In this section, we’ll discuss the types of attacks a hacker could use in an unprotected WiFi environment like those you’d find at your local coffee shop and other locations.

Afterward, we’ll discuss the ways you can protect yourself from these attacks.

The Fake Access Point “Evil Twin” Attack

The Fake Access Point attack is also known as the “Evil Twin” or “Honeypot” attack. This type of attack involves a hacker setting up a fake WiFi connection in order to steal login credentials and other important personal and business information.

This attack method involves the hacker setting up their own “free WiFi” access point that appears similar to the genuine access point set up to allow patrons of a business to access the internet while they drink a coffee, wait for a plane, or browse a store.

Hackers will set up an access point and name it an inviting label so users will feel comfortable accessing it. They might name this access point “Starbucks Free WiFi” or “Target Guest WiFi.”

If you see an access point with a name such as this while you’re blowing the foam off of your cappuccino or trying on that new blouse, you’re liable to connect without a second thought.

Once you connect your computer or mobile device to it, the fake access point can then monitor and collect your login information, banking information, and more.

It can quietly sit in the background and collect the data as it passes through, or it can actively try to fool you into thinking it is the website or service you are attempting to connect to. It does this via the “Man-in-the-Middle” method.

The Man-in-the-Middle Attack

Apple reports concerns that a man-in-the-middle attack may be stealing iCloud users’ login credentials. The U.S. National Security Agency is reportedly running man-in-the-middle attacks that imitate Google’s servers. British spies use a form of the same type of attack to target employees of the Global Roaming Exchange.

These are only a few of the real-life examples of how everyone from crooks to the government (or am I being redundant?) are using this form of attack against internet users.

Typically, communication flow occurs between a server and a client and is authenticated in various ways.

A well-known scenario of this type is when you’re connected to Amazon or another online merchant to browse products. In order to purchase anything from an online merchant, you are usually required to send your login information (username/password) and the Amazon server checks your credentials and sends back either a confirmation of your successful login or notification to re-enter your info.

Once you’re logged in successfully, Amazon then allows you to purchase and pay for any merchandise you order via the payment information you have on file. It will then ship your purchase to the address it has on file for you.

The “Man-in-the-Middle” attack is when an attacker secretly intercepts and relays the communication between two parties that believe they are directly communicating with each other.

In the case of our Amazon example, the attacker can intercept the flow of data between a user and Amazon, possibly changing the data along the way. It can also collect information that the two parties send back and forth, such as the user’s login and password information, the order information, credit card info, or where the order is to be delivered.

This is only one form of the “Man-in-the-Middle” attack. There are other ways to use this type of session-hijacking to benefit the bad actor. Users can also change the data sent between the two parties or sniff data packets to steal cookies and gain access to the genuine user’s session with the server.

WiFi Pineapple

Hackers can perform both of the attacks above using a devious little piece of hardware called the “WiFi Pineapple.”

While supposedly sold for the purpose of network auditing to test a network’s security setup, budding hackers mostly use it to set up false access points in order to perform man-in-the-middle and evil-twin types of attacks.

The WiFi Pineapple connects to a hacker’s machine via USB or an Ethernet connection, and with just a web browser and an internet connection, it can pose as a wireless access point. This allows the bad guy to monitor all of the unprotected data traffic of any user who connects to the fake access point.

By using the WiFi Pineapple, and making use of a number of readily available scripts and apps created for the Pineapple, anyone can easily steal information from an unsuspecting user. The Pineapple offers an easy-to-use web-based interface that allows even novice hackers to easily set up an attack on unsuspecting users.

The WiFi Pineapple is available for as little as $99.99, which gets the buyer a WiFi Pineapple NANO, and for as much as $250 for the Pineapple TETRA TACTICAL. The devices are available from the WiFi Pineapple website and anyone can purchase one.

There are a number of websites out there where new Pineapple owners can get information about using the device for all sorts of unsavory purposes. This makes it particularly dangerous, as any reasonably-informed computer user can set up and make use of a Pineapple device, with no previous hacking knowledge required.

While sales of the device to the general public have led to claims that there are no legitimate uses for the device, Darren Kitchen, one of its creators, says to tell that to the government agencies and corporate IT penetration testers the company has sold the devices to.

You’ve likely seen the terms and conditions agreement many companies require WiFi users to “read” and agree to in order to connect to the free access point. This is generally a good thing to see, indicating that in most cases, the WiFi access point is legitimate.

However, a hacker can also set up the WiFi Pineapple to convincingly mimic the legitimate agreement page, making the “evil” connection appear to be the usual legal mumbo-jumbo page with the button that everyone clicks to accept the terms without ever reading them.

Interesting fact: ​In a 2014 experiment, several Britons agreed to a WiFi hotspot terms and conditions agreement that actually contained a “Herod clause” which said the WiFi was available only if “the recipient agreed to assign their firstborn child to us for the duration of eternity.”

Do you think they didn’t actually read the terms or were their children just that horrible?

Good Practices to Protect Yourself

The aim of this article is not to warn users off of using unprotected WiFi hotspots altogether. After all, an unprotected hotspot might be your only internet connection option if your wireless provider has lousy coverage in the area you’re in. However, I cannot stress enough how dangerous they are.

Luckily, there are a number of good practices you can follow to protect yourself when you’re connected to such a hotspot.

Find Out the Name of the Genuine Hotspot​

This is probably the easiest way to ensure you don’t fall victim to connecting to a fake hotspot. Ask an employee what the name of the hotspot is.

Sure, they’ll probably roll their eyes and scoff a bit, but they’ll tell you – or, at the very least, point to the sign on the wall. (Oh yeah, many businesses will post the name of the WiFi hotspot on the wall, or maybe the menu board. If you’re lucky, they also include a password, which means it’s encrypted.)

Usually, when you check into a hotel or motel that offers free in-room WiFi, they’ll hand you a slip of paper with a network name and password you can use to connect once you’re settled in. If all they tell you is a network name, be sure to make use of the following ways to protect yourself while connected.

While being alone in your room might make you feel a bit more secure, you are still connected to a WiFi hotspot that everyone else is sharing. It’s just spread out over a much larger area.

Use a VPN

Once upon a time, VPNs were for the rich or were used mostly for corporate network access by employees working from home or from the road. However, this has changed in the last few years. There are numerous companies that offer great protection to the average computer or mobile device user at a reasonable price.

Wait, what’s a VPN? Good question, you there in the front row. A VPN is a Virtual Private Network. A good VPN provider offers a number of excellent protections for the average internet user.

However, there’s just one protection we’re interested in right now: the ability to encrypt an internet connection.

The VPN app on the user’s device encrypts the data you’re sending and receiving on the device, and the encrypted data stream is sent to the VPN provider’s server, where it is then forwarded to the intended recipient, be that a website, email server or another web-based service.

Many VPN providers also provide browser extensions that allow users to toggle VPN protection on and off directly from their browser. Also, if all you care about is protecting your browser traffic from prying eyes, and you don’t want to pay for a VPN, be sure to look into downloading Opera’s latest browser, which includes a built-in free VPN.

Encryption prevents any outside party from viewing the information you are sending and receiving. While it’s true that no level of encryption is completely unbreakable, I’d venture to say that most hackers are looking for an easy mark, and when they see that you’re using an encrypted connection, they’ll move on to the next prospect. Remember, the main reason the hacker is poking around on the Starbucks WiFi access point is that it’s unencrypted.

Here at Pixel Privacy, I’ve studied the best VPNs for public WiFi hotspots. Be sure to take a look at that article once you’re finished with this article for more information about the highest-rated VPN providers.

Enable Your Computer’s Firewall

When using your home WiFi, a firewall protects your computer. (More about that a bit later.)

However, an unprotected public WiFi access point usually offers no firewall protection at all. If you’re not using a VPN to protect your connection, make sure your computer’s firewall is enabled before connecting to a WiFi hotspot.

How to turn on the macOS firewall

1. To turn on your Mac’s firewall, click the Apple icon in the upper left-hand corner of your Mac’s desktop. Click “System Preferences…” in the pull-down menu.

2. Next, click “Security and Privacy” in the System Preferences icon menu.
3. Click the “Firewall” tab, as shown below, and then click the lock in the lower left-hand portion of the window to make changes.
4. Next, click the “Turn on Firewall” button to enable your Mac’s firewall. Click the lock again to prevent any further changes. (If the button instead says “Turn Off Firewall,” the firewall is already enabled.)

Note: You may have to enter an administrator password after you click the lock.

How to turn on the Windows firewall

1. Click “Start,” then scroll down to “Windows System.”

2. Under Windows System, click “Control Panel.”
3. In the Control Panel, click “System and Security.”
4. In System and Security, click “Windows Firewall.”
5. It might ask you for an administrator password or to confirm your selection. Next, select the networks you want to change settings for, then click “OK.”​​​​

Keep “Sharing” Turned Off

When you’re connected to a public WiFi network, even one that is actually password-protected, you won’t want to be sharing anything stored on your computer.

That means you’ll want to make sure things like file sharing are turned off in your settings. Windows users will find those settings in the Control Panel, while macOS users will find the “Sharing” settings in their System Preferences.

Here’s how to turn off sharing in Windows 10/8/7 and macOS/Mac OS X:

How to turn off sharing in Windows 10

1. Click on the Windows icon, then click “Settings” -> “Network and Internet” -> “Wi-Fi.”
2. Next, scroll down until you see the Advanced sharing settings.
3. Click “Turn off network discovery” and “Turn off file and printer sharing” to turn them off. Save your changes.

How to turn off sharing in Windows 8

1. Go to the Control Panel and click “Network and Internet” -> “View Network Status and Tasks” -> “Change Advanced Sharing Settings.”
2. Turn off “File and Printer Sharing” and “Network Discovery.” Save your changes.

How to turn off sharing in Windows 7

1. Go to the Control Panel and click “Network and Sharing Center” -> “Change Advanced Sharing Settings” -> “Home or Work.”
2. Turn off “File and Printer Sharing.” Save your changes.

Windows users can also disable Sharing by choosing the “Public” option when connecting for the first time to a new network. Windows will take care of temporarily turning off sharing while you’re connected to the selected network.

How to turn off sharing in macOS

1. Click the Apple icon in the upper left-hand corner of your Mac’s Desktop.
2. Click the “System Preferences…” menu option. When the System Preferences window opens, click the “Sharing” icon.
3. Make sure the “File Sharing” option doesn’t have a checkmark next to it. If it does, click it to clear the checkbox. Close the window.

Use SSL Connections for Websites

If you don’t have the ability to connect to the internet via a VPN, you can still make use of encryption to protect at least some of your data via an SSL (Secure Sockets Layer) connection to the websites you use. Most banking, shopping and other websites that require you to verify your identity before using them offer an SSL connection.

When you’re connecting to a secure site, you’ll see a little green padlock in the address field, as seen above. If you click the lock, it will display the information about your encrypted connection.

SSL is a layer of encryption that web browsers use to protect your data.

One means of access hackers use to steal your information is to divert you away from an SSL-protected website following your login, or to spoof the address with an unencrypted website, which steals your login credentials before forwarding you to the real website.

You can ensure you’re protected by forcing your browser to always use HTTPS on websites you frequently access that require a login. The way to do that is to use the HTTPS Everywhere extension, which is available for the Firefox, Chrome and Opera browsers. HTTPS Everywhere automatically activates HTTPS encryption for all known parts of websites that support HTTPS.

After collecting a user’s login information, hackers can try the login credentials on various websites in an attempt to gain access to all of the websites a user may frequent. They attempt this due to the fact that too many users re-use their login information on multiple websites.

This is a bad habit to fall into. Always make sure to use a different password on each site, and if possible, never reuse the username. You can use a password manager to keep track of all of these unique passwords.

Keep Your WiFi Turned Off When Not Using It

If you don’t currently need an internet connection for your computer or device, turn off the WiFi connection. Even if you aren’t actively pulling data down from the internet, your computer is still connected to the unprotected access point, and hackers could gain access to your device – especially if you’ve left Sharing turned on. (See above.)

By disabling your device’s WiFi capabilities when not in use, you turn it into an isolated island, preventing anyone who doesn’t have physical access to your computer from accessing it.

As an extra benefit, you’ll find that by turning off the WiFi radio on your computer or mobile device, you’ll also extend the battery life just a bit. I’m not talking hours here, but sometimes even a few extra minutes of battery life can make a difference.

Install Malware Scanners and Antivirus Apps

While most folks think malware scanners and antivirus apps are strictly for the Windows crowd, it’s a fact that macOS computers are becoming more and more attractive to hackers due to their increased popularity. While macOS is a fairly secure operating system, it still doesn’t hurt to install a malware scanner and maybe an antivirus app.

Connecting to an unprotected WiFi hotspot is similar to having unprotected sex. You are running a good risk of catching something. It may not make your hard drive fall off, but it could still screw up your life. (Remember that guy I mentioned earlier who’s still running Windows XP? You KNOW he’s got something nasty to share with everyone.)

Use an Encrypted Messaging App

When using public WiFi (or even your own WiFi), always use an encrypted messaging app to communicate with others.

If you’re using an unencrypted SMS texting app, such as the one included on Android devices, then your carrier, your government, and hackers could monitor you. An encrypted messaging app – like Apple’s Messages app, Signal, WhatsApp, Wickr Me, and others – keeps your messages encrypted end-to-end, preventing outsiders from seeing your communications.

How to Protect Yourself at Home

While you should feel safe in your own home, you also shouldn’t lull yourself into a false sense of security either. When using your own WiFi connection at home, make sure you keep it safe from prying eyes.

Sure, everyone wants to be a great guy and help a neighbor out, but I always draw the line at leaving my WiFi router’s signal unprotected. I always have my network password protected with WPA2 encryption, and you should too. I’ll help a buddy out and supply the guest network password to most of my friends and family when they visit. But there’s no way I’m going to allow my next-door neighbor or someone walking down the street to access my private network.

At the very least, leaving your WiFi access point unprotected or using the access point’s default password will leave your network open to being used by outsiders. This can be especially upsetting if you’re on a metered data plan, and suddenly discover that your internet connection has been throttled or shut down because your monthly data cap has been reached.

At the very worst, you may find that you’ve been locked out of your own WiFi network because an outsider has changed the password to both the connection and the router’s admin page. You may also find that bad actors have stolen data stored on your computer or a networked drive, or even worse have turned loose nasty malware that corrupts your data or holds it for ransom.

In addition to leaving yourself open to outside attacks that could possibly steal your data and corrupt your computers and other devices connected to your network, you also leave yourself open to being responsible for an unauthorized user’s actions.

Police have literally dragged some home WiFi network owners from bed early in the morning to confiscate their computer equipment and other electronic devices due to suspicion of being involved in stealing copyrighted content, or even worse – collecting Child Sexual Abuse Material (CSAM).

In one documented case, a nearby neighbor had used a family’s unprotected WiFi signal to download CSAM. You do not want to go through that!

Take the following steps to protect your home wireless network so that you and your family can rest easy.

Change the Default Administrator Login and Password

Most wireless routers use a default username and password to allow you to access their settings right out of the box. This default login information is well known for most, if not all, manufacturers and is readily available on the internet. In some cases, directly from the manufacturer’s website.

Change this immediately!

Turn on Network Encryption

All but the oldest of wireless routers support some form of encryption. If yours doesn’t, throw it away and buy a more modern router.

Set your router to WPA or WPA2 encryption, following the instructions you received with your router. This will help keep any unauthorized parties from tapping into your wireless network.

Change the Router’s Default SSID

A router’s SSID (Service Set Identifier) is simply the name of the network. When you’re at Starbucks and you look for and connect to their wireless network, which is named “Starbucks Free WiFi,” that name you look for in the network listing on your device is the SSID of the router.

A network that is still named the same as when it came out of the box indicates the owner of the network might be a bit lax and slacked a bit on things like security too. It’s almost the same as sending out a “please hack me” message to the world.

When you rename your wireless router, name it something fun. Don’t just name it “Johnson_WiFi,” name it something cool like “FBI_Surveillence_Van_2371” or “Pretty Fly for a WiFi.” It’s not a requirement, but it might make that scamming neighbor of yours at least think twice before trying to connect to your wireless network.

Make Sure Your Router’s Firewall Is Enabled

While most routers come out of the box with the firewall turned on by default, it is simply a good practice to double-check that it is indeed enabled.

While you can put other measures into place, like enabling MAC filtering, disabling SSID broadcast, and a load more, the four steps above are a great start.

Recap: The Best Ways to Protect Your Public WiFi Connection

WHEW! We’ve covered a lot of ground in a short amount of time, so let’s go back over the highlights to make sure we’ve covered everything. (Don’t worry though, there won’t be a test.)

As we’ve learned, hackers can easily monitor or intercept your connection to unprotected public WiFi, allowing the bad guys to steal your personal and business information. We’ve also learned what you can do to foil a hacker’s nefarious schemes.

1. Make sure you know the name of the genuine free WiFi hotspot in a coffee shop, hotel, or other public location

This cuts down on the chances of connecting to a similarly-named or “Free WiFi”-spoofed connection.

2. Use a VPN app

Installing a VPN app allows you to connect to any unprotected WiFi network, secure in the knowledge that your connection is encrypted and kept safe from the prying eyes of anyone attempting to monitor or steal your logins, banking information, and other important info.

3. If you don’t have a VPN app, at least make sure your computer’s firewall is turned on

It just takes a few clicks on any Windows 10 or macOS computer to enable the firewall. This keeps the bad guys from probing vulnerable ports that they could use to access your computer.

4. Turn off sharing

Always make sure you have Sharing turned off when using your computer to access an open WiFi connection. Believe me, you don’t want to share anything on your computer with anyone who uses a public WiFi hotspot.

5. Always use SSL connections to any websites you use while on a public hotspot

This keeps any information you’re sending or receiving encrypted. This is especially important for any banking or shopping sites where you’ll be exchanging sensitive info such as checking or credit card account info.

6. Install antivirus and anti-malware apps on your computer

Allow antivirus and anti-malware apps to scan your computer on a regular basis. Yes, even if you use a supposedly “safer” Mac computer.

7. Keep your computer’s WiFi turned off if you’re not using it for the internet

If you’re writing the next great American novel in Word, you don’t need an internet connection. Besides, it’ll probably improve your productivity without any distractions. Plus, you get the side benefit of better battery life!

8. Have fun, but stay safe!

Public WiFi hotspots offer a great way to stay in touch with friends, family, and business associates. While it sometimes seems like it’s a 21st-century “wild west” out there, using open hotspots can be safe – as long as you follow the advice I’ve laid out here.

Be sure to practice safe computing while you’re out and about, and you’ll be able to keep your personal and business information safe and sound.

Dangers of Public WiFi FAQs