We’ve all come to rely heavily on access to the internet. Our smartphones, in particular, are mostly useless without it. Even games that have no need to connect to the internet to function still require access anyway (pssst: probably because they want to track you to make money). But we also have Kindles and laptops and smart watches and other devices that feel rather useless without a connection to the internet. And so many businesses offer free public Wi-Fi to entice customers to come in and to stick around longer. But you should just say no.
You Haven’t Come Such a Long Way, Baby
Despite several improvements to Wi-Fi security protocols over the years, there are still several inherent problems that may never be fixed. First of all, for the sake of backward compatibility, most devices still support all the older, insecure connection protocols. And because your devices never want to bother you, they will quietly negotiate on your behalf, usually in favor of connecting any way they can. And malicious actors can (and do) actively exploit these convenience-oriented default settings using something called a downgrade attack.
Second, most devices will happily reconnect to any Wi-Fi that they’ve connected to before. Some devices will even promiscuously connect to any available Wi-Fi that doesn’t require a password. But Wi-Fi network names, or SSIDs, are not required to be unique. There’s nothing stopping me from creating my own malicious Wi-Fi network called “Starbucks” or “LAX Airport Free Wi-Fi”. I can even buy a $99 device to help me do this. This creates a “honeypot”, attracting victims and allowing me to insert myself between them and the internet.
In either case, if I can see the data packets traveling between your device and the rest of the internet, I can steal personal information, redirect you to fake websites, or even steal your login session. Thanks to public efforts like Let’s Encrypt and browser plugins like HTTPS Everywhere, the vast majority of internet traffic today is encrypted using HTTPS (the “S” being for “secure”), but we’re not at 100% yet. And there are still other ways I can mess with your data and even your device.
Just Say No to Public Wi-Fi
But thankfully, there’s an easy fix for this. Just stop using free public Wi-Fi. For smartphones, just keep using your cellular data plan. For e-readers, tablets and laptops, use the Wi-Fi hotspot feature on your cell phone to access the internet. Most of us have enough data in our cell phone plans to cover some light web surfing. The hotspot feature may cost you a little extra money, but in my view, it’s worth it.
Now, to be clear, your cellular provider (who in this case is acting as your internet service provider, or ISP) is probably monetizing you by tracking your web browsing and location information (because the US government let them). But at least they’re (so far) not trying to hack your accounts.
Of course, you can always use a VPN like Warp or ExpressVPN over your cellular connection. But I’ve found this to be very flaky, personally, and I usually don’t bother. Cellular providers still know where I am – they have to in order to send texts and calls to me. And again, most of my web traffic is encrypted, anyway. However, if you are forced to use public Wi-Fi for some reason, then definitely use a VPN.
You’ll also want to change some settings on your devices to prevent them from connecting to open Wi-Fi networks automatically (ones that do not require a password) and to “forget” any past Wi-Fi network names that you’ve previously connected to. Of course, you can leave your home Wi-Fi network in the trusted auto-connect list. You can also leave your work Wi-Fi network in there, if you’re okay with them monitoring your internet traffic.
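To see which saved networks need that cleanup, here is an added example (not from the original article). It assumes a Linux laptop using NetworkManager, whose saved profiles are keyfiles under /etc/NetworkManager/system-connections/; the sample profiles and function names are constructed for illustration. It flags any saved network that would auto-join without a password, and goes slightly further by also flagging legacy WEP profiles.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real networks).
SAMPLES = {
    "home": "[connection]\nid=HomeNet\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe": "[connection]\nid=Cafe\ntype=wifi\n[wifi]\nssid=Cafe Free WiFi\n",
    "hotel": "[connection]\nid=Hotel\ntype=wifi\nautoconnect=false\n"
             "[wifi]\nssid=Hotel Guest\n",
    "old": "[connection]\nid=Old\ntype=wifi\n[wifi]\nssid=OldRouter\n"
           "[wifi-security]\nkey-mgmt=none\n",
    "wired": "[connection]\nid=Dock\ntype=ethernet\n",
}

def audit_profile(text):
    """Return (ssid, security, autoconnect) for a Wi-Fi profile, None otherwise."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Older keyfiles use the long section names instead of the short aliases.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    sec = "wifi-security" if cp.has_section("wifi-security") else "802-11-wireless-security"
    ssid = cp.get(wifi, "ssid", fallback=cp.get("connection", "id", fallback="?"))
    key_mgmt = cp.get(sec, "key-mgmt", fallback=None)
    if key_mgmt in (None, "owe"):
        security = "open"        # joins without a password
    elif key_mgmt == "none":
        security = "wep"         # key-mgmt=none means legacy WEP
    else:
        security = "protected"
    # NetworkManager auto-connects unless autoconnect=false is set explicitly.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, security, auto

def risky_profiles(profiles):
    """Names of saved profiles that would auto-join an open or WEP network."""
    out = []
    for name, text in sorted(profiles.items()):
        result = audit_profile(text)
        if result and result[1] != "protected" and result[2]:
            out.append(name)
    return out

if __name__ == "__main__":
    for name in risky_profiles(SAMPLES):
        print("forget or disable auto-connect:", name)
```

On a real machine, feed it the contents of each file in the profile directory (reading them requires root) instead of the constructed samples.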
Note that all of this applies to free wired networks, too – like at a hotel. But those are less common today.