"Don't use public Wi-Fi" is advice everyone has heard and almost no one follows. Here's what can actually happen to you on public Wi-Fi, what the real risks are in 2024, and how to protect yourself when you have no choice but to connect.
The Real Risks of Public Wi-Fi
Evil twin attacks. An attacker creates a Wi-Fi hotspot with the same name as a legitimate network ("Starbucks WiFi," "Airport Free WiFi"). Your device connects automatically, and all your traffic passes through the attacker's equipment. They can see everything you do.
Man-in-the-middle attacks. On unsecured networks, an attacker can position themselves between your device and the router, intercepting traffic. Even on "secured" public Wi-Fi (where a password is posted on the wall), other users on the same network can potentially see each other's traffic.
Packet sniffing. On unsecured networks, unencrypted traffic can be captured with freely available software. Any site you visit over HTTP (not HTTPS) sends its data in plain text.
What's Actually Protected
Most modern browsing is more protected than it used to be:
- HTTPS encrypts the content of your communications with websites. An attacker can see that you visited a site, but not the content of the pages or any data you submitted.
- Banking apps and most major services use end-to-end encryption, so even on a compromised network, your transactions are encrypted.
The higher risks on public Wi-Fi in 2024 are: connecting to a malicious hotspot that injects malware, having unencrypted app traffic intercepted (some apps still use HTTP), and being targeted by network-level attacks if you're a high-value target (executive, journalist, researcher).
How to Protect Yourself on Public Wi-Fi
Use a VPN. A VPN encrypts all your traffic before it leaves your device, including DNS requests. Even on a malicious hotspot, the attacker sees only encrypted traffic. This is the most effective protection for public Wi-Fi.
Verify the network name. Ask a staff member for the exact Wi-Fi network name before connecting. Don't assume the network your device found automatically is legitimate.
Turn off auto-join for public networks. In iOS: Settings → Wi-Fi → Ask to Join Networks (set to Ask or Notify). In Android: Wi-Fi settings → Wi-Fi preferences → turn off auto-connect. This prevents your device from silently connecting to fake networks with familiar names.
Stick to HTTPS. Check for the padlock icon in your browser's address bar. Never enter credentials on a site without HTTPS on public Wi-Fi.
Avoid sensitive tasks. Don't access your banking, enter payment information, or handle sensitive work documents on public Wi-Fi without a VPN.