It can be, and even probably is, mostly; but there’s always risk.
This was in response to a recent Ask Leo! Tip of the Day suggesting you be on the lookout for “fake” public hotspots.
The issue is that even if the hotspot itself is the correct and trusted hotspot, what about all the other users?
Indeed. What about all those other users?
Sharing Wi-Fi
While sharing a Wi-Fi hotspot is generally safe, risks exist. These include trusting the hotspot provider, avoiding ‘fake’ hotspots, and securing your device from other users connected to the same network. Choose your hotspots wisely, ensure your firewall is on, and consider using a VPN for extra security if warranted.
Risk management philosophy
I have to start with a little bit of philosophy.
There’s no such thing as “secure”. We can never reach 100% or complete security. We can only be more secure or less secure.
When it comes to security, then, our job is to stack the deck in our favor. That means understanding the pragmatic risks of what we’re dealing with and making decisions that (hopefully) increase our security in the situation. Looking at it in the other direction, we try to make decisions that reduce risk.
So, with that as the goal, let’s look at some of the pragmatic risks involved in using and sharing a public Wi-Fi hotspot.
Hotspot risk #1: the owner
When you’re using a Wi-Fi hotspot connected to someone else’s internet, they’ve become your ISP, or Internet Service Provider, because in a very real sense they’re providing you with internet service. That gives them access to… things.
This is true whether you’re connecting wirelessly via a hotspot or are physically cabled to an ethernet port. It’s still someone else’s internet.
You need to trust that person or company. Specifically, you need to trust that they’re not attempting to snoop on what you’re doing, or worse, maliciously interfering with your connection. They could, for example, attempt to route you to malicious websites in response to your attempts to go to the sites you normally and safely go to.
In most cases, this is a very small risk. Having just returned from a trip, I wasn’t at all concerned that the airport Wi-Fi or the in-flight Wi-Fi providers were at all interested in whatever I was doing online. Same for when I visit a local business such as a coffee shop. They’re just not interested in causing problems.
However…
Hotspot risk #2: the faker
The Tip of the Day talked specifically about hotspots set up with malicious intent. They often masquerade as similar-sounding hotspot names that they hope you’ll connect to.
For example, while at the airport here in Seattle I used a hotspot I found called SEA-FREE-WIFI. It’s a hotspot available throughout the airport, and one I’d used before, so my device simply auto-connected.
If, on the other hand, there were another hotspot — perhaps called SEATAC-FREE-WIFI — how do you know it’s not legitimate? Honestly, unless the facility in question documents it somewhere, you probably don’t. It could easily be someone in a corner with their laptop acting as a bogus access point and hoping you’ll connect. Once you do connect, they can try to interfere with your connection, once again attempting to route you to malicious websites in response to your attempts to go to the sites you expect.[1]
Signs that a hotspot might be fake include things like not being everywhere in the facility (in large facilities such as airports), or not being there every time you visit. Another possibility is that you might be asked to sign in to one of your accounts when you would normally not need to.
The good news here is that the risk is also low. While it’s certainly possible, it’s not a rampant problem. Simply paying attention to the hotspot you’re connecting to and being appropriately skeptical is all you really need. When in doubt, don’t connect, or ask what the proper hotspot name is.
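The name check described above, as an added example that is not part of the original article: it compares scanned hotspot names against the name a facility documents and flags near matches. The word list, the 0.9 threshold, the function names and every scanned name other than the article's two are assumptions constructed for illustration.

```python
"""Flag hotspot names that resemble, but do not match, a documented one."""
import re
from difflib import SequenceMatcher

# Words found in many public hotspot names; they say nothing about who runs it.
GENERIC = {"free", "wifi", "wi", "fi", "guest", "public", "wireless", "internet"}


def squash(ssid, drop_generic=False):
    """Lower-case an SSID, drop punctuation and optionally the generic words."""
    parts = [p for p in re.split(r"[^a-z0-9]+", ssid.lower()) if p]
    if drop_generic:
        parts = [p for p in parts if p not in GENERIC]
    return "".join(parts)


def looks_like(candidate, documented, threshold=0.9):
    """Heuristic: True when candidate could be mistaken for the documented name."""
    # Whole-name similarity catches case, punctuation and one-character changes.
    whole = SequenceMatcher(None, squash(candidate), squash(documented)).ratio()
    if whole >= threshold:
        return True
    # Otherwise compare the identifying part: SEA and SEATAC share a prefix.
    a, b = squash(candidate, True), squash(documented, True)
    return bool(a and b) and (a.startswith(b) or b.startswith(a))


def review_scan(scan, documented, seen_before=()):
    """Return {ssid: verdict} for every name in a scan result."""
    verdicts = {}
    for ssid in scan:
        if ssid in documented:
            verdicts[ssid] = "documented"
        elif any(looks_like(ssid, name) for name in documented):
            first = "" if ssid in seen_before else ", first time seen"
            verdicts[ssid] = "lookalike" + first
        else:
            verdicts[ssid] = "unrelated"
    return verdicts


# Constructed scan; SEA-FREE-WIFI and SEATAC-FREE-WIFI are the article's names.
SCAN = ["SEA-FREE-WIFI", "SEATAC-FREE-WIFI", "sea_free_wifi", "5EA-FREE-WIFI",
        "Hotel-Free-WiFi", "CoffeeShop-Guest"]

if __name__ == "__main__":
    for ssid, verdict in review_scan(SCAN, {"SEA-FREE-WIFI"}).items():
        print(f"{ssid:20} {verdict}")
```

The heuristic leans toward false positives: a "lookalike" verdict is a prompt to ask what the proper hotspot name is, not proof of a fake.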
Hotspot risk #3: your peers
When you use a Wi-Fi hotspot, you’re sharing that hotspot with anyone else in the area using the same hotspot. That’s the risk our questioner is asking about.
There are two levels of risk: open hotspots and password-protected hotspots.
Open hotspots are something we’ve discussed for years. The concept is simple: the communication between your device and the hotspot is not encrypted. Thus, anyone within range with another device capable of connecting to that hotspot can see what’s being transmitted back and forth.
This has become much less of an issue than it once was because while your connection to the hotspot itself is not encrypted, the connections you make to various sites and services often are, courtesy of HTTPS and SSL connections. At best, someone “listening in” could see that you’re visiting, say, your bank, but they’d not be able to see what’s being said.
Password-protected hotspots are those where you need to enter a password into your device (not a webpage, but your actual device) in order to even connect to the hotspot. Usually based on WPA2 or WPA3 encryption, this secures your connection from being snooped on by others nearby.
Or does it?
Hotspot risk #4: networking
When you’re at home, you’ve likely set up a wireless hotspot and, for security’s sake (and to prevent your neighbor from mooching your internet), set a WPA password of some sort.
Yet, you can still use networking to connect from machine to machine. When properly configured, you can connect from one machine to another, copy files between them, and even share devices such as printers. “Network discovery” even allows you to identify the other machines on your network.
The network you’ve connected to elsewhere is really no different. It’s sometimes interesting to run network discovery[2] and notice how many people are connected, what their machine names are, and in some (now rare) cases, you can even see what’s on their hard drives.[3]
This used to be a huge issue, and you’re right to be concerned. The good news is that almost all operating systems now come pre-configured with firewalls enabled to prevent exactly this type of access.
On top of that, many, though not all, routers can be configured to prevent this type of cross-machine access. I would hope (but would not assume) that the routers used in public settings would be set this way.
Do this
Choose your hotspots wisely. Make sure they’re provided by someone you trust, and that you’re connected to the hotspot they are actually providing.
Then ensure your firewall is on — which it almost certainly is.
If you feel you need additional security — as I sometimes did while I was travelling — then invest in a VPN. While this does not eliminate the need for your firewall, it does ensure that all your communications are encrypted across the Wi-Fi and its network.
Footnotes & References
1: Even HTTPS can be compromised in the form of a man-in-the-middle attack, though it’s difficult. It requires installing, or tricking you into installing, an additional root certificate that would legitimize otherwise bogus HTTPS connections. Again, the risk here is extremely small.
2: There are several approaches, but a common one that reveals some (but not all) machines is to expand the “Network” node in Windows File Explorer and wait.
3: Someone drove this point home at a tech conference some years ago by copying (benign) files to all the machines they could find on the network. Let’s just say several people improved their security immediately thereafter.
We recently went back to renting a modem and router from our ISP after a disastrous experience with a “top of the range” $425 gateway that lasted only 8 months before becoming a brick.
We decided we would ask our ISP to remove the hotspot that had been automatically set, and they did it without question.
Reading this great article, although it is looking at it from the user, not the provider perspective, I believe we likely did the correct thing. As you wrote, we can make ourselves more secure or less secure.
That’s not a solution for most people as it also prevents you or anyone in your home from using WiFi. Lately, laptops don’t include Ethernet ports, so you’d have to get a USB Ethernet adapter.
A strong WiFi password offers protection, and you can add a layer of security if, when you connect to the network, you tell it you are on a public network even if you are at home. That will block sharing files on the network, but at home it’s not difficult to transfer files manually with a thumb drive.
Opera offers a VPN mode and there are VPN extensions for all Chromium-based browsers. I don’t fully trust them as they are not true VPNs. I only use them to access otherwise regionally blocked content such as YouTube videos and Google Bard on my Ubuntu machine that doesn’t support Tunnel Bear. If that were my travel machine, I’d switch to a VPN that supports Linux.
They claim to offer encryption to protect your data, so they might help in a pinch. What do you think about that, Leo?
Mark … the reply button on your response did not work so I will partially quote you “That’s not a solution for most people as it also prevents you or anyone in your home from using WiFi.”
In my original post, I must have not used the correct technical terms to describe my action.
By “hotspot” the term used by my ISP, I was referring to the fact that any passing customer of my ISP could get on the internet using my equipment to log in, not my household using our own wireless home network. We did not want unknown people to be able to, so we had the ISP remove that option from our rented equipment.
Even at our ages my wife and I continually learn from this website, thank you for being an active part of Leo’s team, we appreciate it.
For example, most Comcast/xFinity customers in the US also provide a hotspot (called xfinity, I believe) that any other Comcast/xfinity customer can use if in range. This is separate from any hotspot you set up yourself, and requires contacting the ISP to have it turned off.
The feature that allows other subscribers to your ISP to use your Internet is called a Mobile Hotspot. A hotspot is how people connect to your internet.
Mobile hotspots don’t give access to your home network, although they can slow down your internet connection.
A mobile hotspot is a portable device, like a MiFi. What we’re talking about here is the modem in your home setting up a Wi-Fi hotspot accessible to other customers of the same ISP.
I googled to get the term “Mobile Hotspot” before posting that comment.
According to Verizon:
In the IT world, naming conventions have little consistency.
“A Mobile Hotspot lets you share your Verizon network connection with other devices so they can access the internet.” this is true for both scenarios.
One’s a choice, portable, and share-able with anyone you choose. The other is on by default, mostly out of your control, and shared by default with other ISP customers, and takes extra steps to disable.
Thanks, Leo, for your response and all the great articles.
That is exactly what I was trying to describe! A quick call to the ISP and they turned it off.
I will comment on ‘free’ WIFI connections, as I have experienced a couple that fall into this category.
The cost of these WIFI connections is not monetary, but in the form of personal information.
E-mail addresses, mobile numbers, home addresses, any number of details that ‘legitimate’ free WIFI providers ask for (I once tried to connect my tablet to the WIFI in a popular fast food restaurant, and could not because the tablet did not have a mobile number and I refused to provide a different one).
This sounds to me like potentially anyone passing by can connect to your ISP by way of a default hotspot you may unwittingly be providing. Am I wrong to suspect some are unaware of hosting a default hotspot? I know I’m wondering if I am doing so. How can I easily verify for myself if I am or am not? (short of calling the ISP and taking their word)
Many are completely unaware. If you scan for hotspots locally (near your router), and you see one available with the name of your ISP, AND it has roughly the same signal strength as your own, then you may be hosting such a hotspot. THEN absolutely contact the ISP.
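One way to automate the scan described in the reply above, as an added example that is not from the commenters or from Ask Leo!: it reads the output of `nmcli -t -f SSID,SIGNAL device wifi list` (Linux NetworkManager) and lists ISP-named hotspots whose signal is close to your own network's. The network names, the ISP name ExampleNet and the 10-point tolerance are constructed assumptions.

```python
"""List ISP-named hotspots whose signal is close to your own network's."""
import re

# Constructed sample of `nmcli -t -f SSID,SIGNAL device wifi list` output,
# taken next to the router. SIGNAL is a 0-100 percentage.
SAMPLE_SCAN = r"""
HomeNet:92
ExampleNet WiFi:90
ExampleNet WiFi:41
Cafe\: Upstairs:35
:30
"""


def parse_scan(text):
    """Turn terse nmcli output into a list of (ssid, signal) pairs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, signal = line.rpartition(":")
        # Terse mode backslash-escapes ':' and '\' inside a value.
        rows.append((re.sub(r"\\(.)", r"\1", ssid), int(signal)))
    return rows


def possible_isp_hotspots(rows, own_ssid, isp_words, tolerance=10):
    """Return ISP-named networks within `tolerance` points of your own signal."""
    own = max((sig for ssid, sig in rows if ssid == own_ssid), default=None)
    if own is None:
        raise ValueError("own network not in scan; scan next to the router")
    hits = []
    for ssid, sig in rows:
        named_for_isp = any(w.lower() in ssid.lower() for w in isp_words)
        if ssid != own_ssid and named_for_isp and abs(sig - own) <= tolerance:
            hits.append((ssid, sig))
    return hits


if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    # ExampleNet is a hypothetical ISP name; substitute your provider's.
    for ssid, sig in possible_isp_hotspots(rows, "HomeNet", ["ExampleNet"]):
        print(f"{ssid} at {sig}%: close to your own signal, ask the ISP")
```

In the sample, the second ExampleNet WiFi entry at 41% is far from the home network's 92%, so it is treated as a neighbor's equipment and not reported.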
People using your router’s public hotspot have no access to your network or Internet traffic. It might slow down your Internet bandwidth a tiny bit as it competes for bandwidth with everyone in your area with that ISP, but no more than it would affect you if they got their Internet from a neighbor using the same ISP.
Hotspot risk #5: What you do. If you get on a public WiFi and do your banking then you’re putting yourself at risk. If you’re looking at cute cat videos then you’re probably OK.
As for ISP hot spots: Buy your own modem and router. Get these as two separate pieces of equipment, not an all-in-one internet thingy.
Banks use SSL (https:) connections which are encrypted end-to-end. Those protect against sniffing. The cat videos can be on sites that inject malware. :-)
Just to be sure, I use a VPN when traveling. Still, with a VPN, that cat video site can still inject malware.