Public Wi-Fi security: Why public Wi-Fi may be vulnerable to attack

Free public Wi-Fi is available in a lot of places — airports, restaurants, coffee shops, libraries, public transit, hotel rooms, you name it, wherever you go chances are there is free Wi-Fi for you to avail of.

And while jumping on a free Internet connection can be a convenient way to access online accounts, catch up on work, and check emails while on the go, it can sometimes come with some privacy and security risks.

The best way to help protect your personal information is to avoid accessing sensitive information or performing sensitive transactions when connected to public Wi-Fi. And there are other safety measures that can help.

Why is your online privacy could be vulnerable to cyberattack on public Wi-Fi?

The average free public Wi-Fi connection may not be secure. Just because you need a password to log in, it doesn’t mean your online activities are encrypted.

Public Wi-Fi can leave you vulnerable for different reasons. One reason has to do with the encryption protocol used by some wireless networks. Another has to do with the possibility of joining a fake or rogue Wi-Fi hotspot.

Some wireless networks may use older standards for encryption which can raise your security risks. Wireless encryption protocol (WEP), one of the first encryption conventions for wireless networking devices, is considered weak and easily susceptible to being hacked.

Wi-Fi protected access (WPA) was intended to replace WEP as the standard for wireless networking devices, but it too was found to have weaknesses.

Users are especially at risk when connected to a wireless network that uses those outdated encryption protocols.

Another issue? When attempting to use free public Wi-Fi, you may be at risk of joining a rogue Wi-Fi hotspot. In such cases, an attacker creates a fake hotspot with the intent to perform man-in-the-middle (MITM) attacks on unsuspecting victims that join their rogue network. It may look like you are connecting to a legitimate Wi-Fi connection but in reality, it’s been set up to look like the real thing.

If successful, this type of attack allows cybercriminals to intercept the communication between you and the servers of the websites you visit, allowing them to read, insert, and modify messages and data.

With pre-built kits that can perform MITM attacks, even minimally skilled hackers can eavesdrop and monitor your online traffic to capture valuable information, such as login credentials or credit card numbers.

Signs you may be logged on to a rogue Wi-Fi

Devices look for known Wi-Fi networks, and cybercriminals can use this to their advantage.

An attacker’s rogue Wi-Fi hotspot can pretend to act as your home network or as a public network that you might come across at a coffee shop or airport, for example. Instead of connecting to a real public Wi-Fi hotspot, your device connects to the attacker’s fake hotspot. This means the attacker’s network is between your device and the actual Wi-Fi network, so they’re able to see your online traffic.

Here’s another tactic. A cybercriminal creates a public Wi-Fi network called “Free Wi-Fi” and waits for victims to join. A lot of people likely will try to connect, especially if a free Internet service is being offered.

And here’s one more tactic. You might be away from home — at a coffee shop, for instance — and suddenly your computer shows that you're connected to your home network. Chances are, someone could have intercepted your computer’s broadcast request.

In some cases, you might try to connect to a website, such as your bank or a favorite social media website, that you know should be encrypted — the web address begins with “https.” But the page is rendering in “http.” That means someone may be performing a man-in-the-middle attack and serving you the unprotected http version of the site in hopes of capturing your login credentials.

12 tips to help you stay protected on public Wi-Fi

Here are 12 public Wi-Fi safety measures to help keep your information protected.

1. Be careful what you access

Never use public Wi-Fi networks to access sensitive information. If you need to get online to browse for directions or do something else that’s less sensitive, you probably can do it. But if you’re trying to pay your bills or buy something, it can wait.

If it’s a dire situation — or if you regularly use public Wi-Fi — consider a virtual private network, commonly known as a VPN. You can find a variety of VPN services online, but if you want an effective service you’ll likely have to pay for it. Be sure to choose one from a reputable security provider.

2. Use your employer’s VPN access

If you need to use public Wi-Fi to do work and if your employer offers VPN access, use it. Once connected to the VPN, it creates a private network, or tunnel, through which you send information back and forth, adding an extra layer of security to your connection.

3. Stick with “https”

Only browse websites that start with “https” and avoid websites that start with “http” while on public Wi-Fi. Website addresses that start with https are encrypted, adding an extra layer of security and making your browsing more secure. If you connect to an unsecured Wi-Fi network and use regular http instead of https, your traffic could be visible to anyone else on the network.

4. Consider an extension

Consider installing an extension like HTTPS Everywhere* which will force all websites you visit to connect using https. This is a Firefox, Chrome, and Opera extension produced by a collaboration between the Electronic Frontier Foundation and The Tor Project.*

5. Adjust your settings

Configure the wireless settings on your devices to not automatically connect to available Wi-Fi hotspots. This ensures that you do not unknowingly connect to public networks.

You can do this by turning off the “Connect Automatically” feature on your devices so they don’t auto-connect and search for known Wi-Fi networks.

Doing this can prevent your computer or device from broadcasting that it’s trying to connect to “Home Wi-Fi” network and allow an attacker to create a bogus network with that name.

6. Consider using a privacy screen

If you must access sensitive information in public areas, consider putting a privacy screen on your devices. A privacy screen will blacken your display for everyone but you. Fraudsters seeking to copy or photograph sensitive information on your screen will be unable to.

7. Turn off file sharing

Make sure you turn off file sharing before accessing public Wi-Fi. If you keep file sharing on, it’s possible your folders may be accessible to anyone connected to the same public network.

8. Protect your passwords

When you’re using public Wi-Fi, cybercriminals could gain access to your passwords. One way to enhance your protection is by enabling two-factor authentication, or 2FA, on any services that offer it. When enabled, this added protection ensures that even if someone gains access to your password while you’re using public Wi-Fi, they still won’t be able to access your accounts. Usually, you’ll receive a second log-in step — a call or a code on your smartphone, for instance — that you’ll use to log in to your account.

9. Consider a password manager

A password manager can provide an additional layer of protection. Password managers are software applications that create complex, unique passwords for each of your online accounts and store your usernames and passwords, unlocking them with one strong master password.

This is especially helpful in terms of public Wi-Fi security. That’s because many password managers provide strong, high-level encryption, so cybercriminals won't be able to figure out your login credentials or passwords.

10. Keep your software updated

Always update your software as soon as patches and system updates are released. Security issues often happen when software patches aren't enabled and your devices lack the latest protections.

11. Remember to log out

When you’re done browsing, be sure to log out of any services you were using. Also check your settings to make sure your device will ‘forget the network’ and not automatically reconnect to that network again if you’re within range without your permission.

* The inclusion of products, websites, or links does not imply endorsement or support of any company, material, product and/or provider listed herein.