Public WiFi Security Risks: How to Stay Safe on Open Networks
Security Education: This article describes cyber threats for defensive awareness and education purposes only. Understanding how attacks work helps organizations and individuals protect themselves. Never use this information for unauthorized access or malicious purposes.
Free WiFi at coffee shops, airports, hotels, and libraries is convenient, but these open networks are hunting grounds for cybercriminals. Connecting to public WiFi without precautions exposes your data to interception, session hijacking, and credential theft. Understanding the specific attacks that target public networks is the first step toward protecting yourself.
How Attackers Exploit Public WiFi
Evil twin attacks are the most common threat. An attacker sets up a fake WiFi access point with a name matching or closely resembling the legitimate network, such as “Starbucks_WiFi_Free” next to the real “Starbucks WiFi.” Your device connects to the strongest signal, which may be the attacker’s laptop. All your traffic then flows through their system, where they can read, modify, or inject content into your browsing sessions.
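As an added illustration (not code from this article), the sketch below checks a list of nearby networks for the evil twin pattern described above: a lookalike of the expected name, or the exact name broadcast by an access point the venue has not confirmed. The scan entries, the BSSIDs and the 0.8 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

def normalise(ssid):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def classify(scan, expected_ssid, known_bssids, threshold=0.8):
    """Return {(ssid, bssid): verdict} for every network in a scan.

    scan: list of (ssid, bssid) pairs from a WiFi survey.
    known_bssids: access-point MACs confirmed by the venue (assumption:
    staff can provide them, or they were noted on a trusted visit).
    """
    want = normalise(expected_ssid)
    known = {b.lower() for b in known_bssids}
    verdicts = {}
    for ssid, bssid in scan:
        norm = normalise(ssid)
        if ssid == expected_ssid:
            verdict = ("expected" if bssid.lower() in known
                       else "same name, unknown access point")
        elif want in norm or SequenceMatcher(None, want, norm).ratio() >= threshold:
            verdict = "lookalike name"
        else:
            verdict = "unrelated"
        verdicts[(ssid, bssid)] = verdict
    return verdicts

# Constructed sample scan; the first two names follow the article's example.
SAMPLE_SCAN = [
    ("Starbucks WiFi", "aa:bb:cc:00:00:01"),
    ("Starbucks WiFi", "de:ad:be:ef:00:02"),
    ("Starbucks_WiFi_Free", "de:ad:be:ef:00:03"),
    ("Starbuck WiFi", "de:ad:be:ef:00:04"),
    ("HomeNet-5G", "11:22:33:44:55:66"),
]

if __name__ == "__main__":
    result = classify(SAMPLE_SCAN, "Starbucks WiFi", ["AA:BB:CC:00:00:01"])
    for (ssid, bssid), verdict in result.items():
        print(f"{ssid!r:24} {bssid}  {verdict}")
```

A matching BSSID is not proof of legitimacy, because an access point's MAC address can be copied; the check narrows what to question, it does not replace a VPN.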
Man-in-the-middle (MITM) attacks place the attacker between you and the access point. Using tools like Bettercap or Ettercap, they perform ARP spoofing to redirect your traffic through their device. They can then capture login credentials, read emails, and intercept file transfers. On networks without proper isolation, this attack takes minutes to set up.
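ARP spoofing leaves a visible trace on the victim's own device: the gateway's IP address starts resolving to a different hardware address, usually one that another host on the network also uses. The following added example (not from the original article) compares two snapshots of Linux `ip neigh show` output for those signs; the addresses and the `wlan0` interface name are constructed.

```python
from collections import defaultdict

# Constructed `ip neigh show` snapshots (Linux format), taken a minute apart.
BEFORE = """\
192.168.1.1 dev wlan0 lladdr a4:91:b1:00:00:01 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:00:00:17 STALE
192.168.1.40 dev wlan0  FAILED
"""
AFTER = """\
192.168.1.1 dev wlan0 lladdr 3c:22:fb:00:00:17 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:22:fb:00:00:17 REACHABLE
"""

def parse_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:  # FAILED/INCOMPLETE entries carry no MAC
            table[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return table

def arp_findings(before, after, gateway_ip):
    """Compare two snapshots and list signs of ARP cache poisoning."""
    old, new = parse_neigh(before), parse_neigh(after)
    findings = []
    # Sign 1: the gateway's IP now resolves to a different MAC.
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        findings.append(
            f"gateway {gateway_ip} changed MAC {old[gateway_ip]} -> {new[gateway_ip]}")
    # Sign 2: another host shares the MAC currently mapped to the gateway.
    owners = defaultdict(list)
    for ip, mac in new.items():
        owners[mac].append(ip)
    for mac, ips in sorted(owners.items()):
        if gateway_ip in ips and len(ips) > 1:
            others = sorted(ip for ip in ips if ip != gateway_ip)
            findings.append(f"gateway MAC {mac} also claimed by {', '.join(others)}")
    return findings

if __name__ == "__main__":
    for finding in arp_findings(BEFORE, AFTER, "192.168.1.1"):
        print("ALERT:", finding)
```

Both checks are heuristics: treat a finding as a reason to disconnect or switch to a VPN or cellular data, not as proof of an attack.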
Packet sniffing with tools like Wireshark allows anyone on the same network to capture and analyze network traffic. While HTTPS encrypts web traffic, DNS queries, unencrypted app traffic, and metadata such as which servers you connect to remain visible. An attacker can see which banking site you visit even if they cannot read the encrypted data.
Session hijacking captures authentication cookies transmitted over the network. If a website does not properly secure its session tokens, an attacker can copy your session cookie and access your account without needing your password. The Firesheep browser extension famously demonstrated this attack in 2010, and while HTTPS adoption has reduced the risk, many apps and services still transmit session data insecurely.
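For site operators, "properly securing session tokens" comes down to how the session cookie is issued. This added example (not part of the original article) audits a `Set-Cookie` header value for the attributes that keep a session cookie off an open network; the cookie name `sid` and the header values are constructed.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookie(header, scheme="https"):
    """Return (cookie name, list of weaknesses) for a session cookie."""
    name, attrs = parse_set_cookie(header)
    issues = []
    if scheme != "https":
        # The cookie itself crossed the network in cleartext.
        issues.append("set over plain HTTP")
    if "secure" not in attrs:
        # Without Secure the browser also attaches it to http:// requests.
        issues.append("missing Secure")
    if "httponly" not in attrs:
        # Script injected into a page by a network attacker can read it.
        issues.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite not Lax or Strict")
    return name, issues

# Constructed Set-Cookie values with the scheme they were served over.
SAMPLES = [
    ("http", "sid=8f3a; Path=/"),
    ("https", "sid=8f3a; Path=/; HttpOnly"),
    ("https", "sid=8f3a; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for scheme, header in SAMPLES:
        name, issues = audit_cookie(header, scheme)
        print(f"{scheme:5} {name}: {', '.join(issues) or 'ok'}")
```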
Captive portal spoofing exploits the login pages that public networks display before granting access. Attackers create fake captive portals that mimic the real network’s login page but also harvest any credentials entered, including email addresses, social media logins, or payment information.
Real-World Incidents
In 2024, Australian Federal Police charged a man who had set up evil twin networks on domestic flights and at airports, capturing credentials from passengers who connected and entered their email or social media logins on the fake captive portal. A 2023 investigation found that a European hotel chain’s WiFi network had been compromised for months by an APT group that used it to target diplomats and business executives staying at the properties.
How to Stay Safe
Use a VPN. A VPN encrypts all traffic between your device and the VPN server, rendering local network attacks useless. Even if an attacker captures your packets, they see only encrypted data. Enable your VPN before connecting to any public network.
Verify the network name. Ask an employee for the exact network name and password. Do not connect to networks with generic names or slight variations of expected names.
Use HTTPS everywhere. Modern browsers warn when you visit HTTP sites. Heed these warnings. Browser extensions like HTTPS Everywhere, whose functionality is now built into many browsers, force encrypted connections when available.
Disable auto-connect. Prevent your device from automatically joining previously used open networks. Attackers exploit this by broadcasting common network names like “attwifi” or “Free Public WiFi.”
Turn off file sharing and AirDrop. Disable Bluetooth, file sharing, and nearby sharing features when on public networks. These discovery protocols can expose your device to unwanted connections.
Forget the network when done. After disconnecting, tell your device to forget the public network so it does not reconnect automatically in the future.
Use your phone’s hotspot instead. When possible, tether to your phone’s cellular data connection rather than using public WiFi. Cellular connections are encrypted and far harder to intercept.
For Businesses
Organizations should implement always-on VPN policies for employees who work remotely or travel. Mobile Device Management (MDM) solutions can enforce VPN connections automatically when devices detect untrusted networks. Educate employees that public WiFi is equivalent to shouting their data across a crowded room unless a VPN is active.
For additional network protection, explore our guides on VPN selection and configuration and home network security to extend these protections to your other environments.