It can be, and even probably is, mostly; but there’s always risk.
The issue is that even if the hotspot itself is the correct and trusted hotspot, what about all the other users?
Indeed. What about all those other users?
Become a Patron of Ask Leo! and go ad-free!
While sharing a Wi-Fi hotspot is generally safe, risks exist. These include trusting the hotspot provider, avoiding ‘fake’ hotspots, and securing your device from other users connected to the same network. Choose your hotspots wisely, ensure your firewall is on, and consider using a VPN for extra security if warranted.
Risk management philosophy
I have to start with a little bit of philosophy.
There’s no such thing as “secure”. We can never reach 100% or complete security. We can only be more secure or less secure.
When it comes to security, then, our job is to stack the deck in our favor. That means understanding the pragmatic risks of what we’re dealing with and making decisions that (hopefully) increase our security in the situation. Looking at it in the other direction, we try to make decisions that reduce risk.
So, with that as the goal, let’s look at some of the pragmatic risks involved in using and sharing a public Wi-Fi hotspot.
Hotspot risk #1: the owner
When you’re using a Wi-Fi hotspot connected to someone else’s internet, they’ve become your ISP, or Internet Service Provider, because in a very real sense they’re providing you with internet service. That gives them access to… things.
You need to trust that person or company. Specifically, you need to trust that they’re not attempting to snoop on what you’re doing, or worse, maliciously interfering with your connection. They could, for example, attempt to route you to malicious websites in response to your attempts to go to the sites you normally and safely go to.
In most cases, this is a very small risk. Having just returned from a trip, I wasn’t at all concerned that the airport Wi-Fi or the in-flight Wi-Fi providers were at all interested in whatever I was doing online. Same for when I visit a local business such as a coffee shop. They’re just not interested in causing problems.
Hotspot risk #2: the faker
The Tip of the Day talked specifically about hotspots set up with malicious intent. They often masquerade as similar-sounding hotspot names that they hope you’ll connect to.
For example, while at the airport here in Seattle I used a hotspot I found called SEA-FREE-WIFI. It’s a hotspot available throughout the airport, and one I’d used before, so my device simply auto-connected.
If, on the other hand, there were another hotspot — perhaps called SEATAC-FREE-WIFI — how do you know it’s not legitimate? Honestly, unless the facility in question documents it somewhere, you probably don’t. It could easily be someone in a corner with their laptop acting as a bogus access point and hoping you’ll connect. Once you do connect, they can try to interfere with your connection, once again attempting to route you to malicious websites in response to your attempts to go to the sites you expect.1
Signs that a hotspot might be fake include things like not being everywhere in the facility (in large facilities such as airports), or not being there every time you visit. Another possibility is that you might be asked to sign in to one of your accounts when you would normally not need to.
The good news here is that the risk is also low. While it’s certainly possible, it’s not a rampant problem. Simply paying attention to the hotspot you’re connecting to and being appropriately skeptical is all you really need. When in doubt, don’t connect, or ask what the proper hotspot name is.
Hotspot risk #3: your peers
When you use a Wi-Fi hotspot, you’re sharing that hotspot with anyone else in the area using the same hotspot. That’s the risk our questioner is asking about.
There are two levels of risk: open hotspots and password-protected hotspots.
Open hotspots are something we’ve discussed for years. The concept is simple: the communication between your device and the hotspot is not encrypted. Thus, anyone within range with another device capable of connecting to that hotspot can see what’s being transmitted back and forth.
This has become much less of an issue than it once was because while your connection to the hotspot itself is not encrypted, the connections you make to various sites and services often are, courtesy of HTTPS and SSL connections. At best, someone “listening in” could see that you’re visiting, say, your bank, but they’d not be able to see what’s being said.
Password-protected hotspots are those where you need to enter a password into your device (not a webpage, but your actual device) in order to even connect to the hotspot. Usually based on WPA2 or WPA3 encryption, this secures your connection from being snooped on by others nearby.
Or does it?
Hotspot risk #4: networking
When you’re at home, you’ve likely set up a wireless hotspot and, for security’s sake (and to prevent your neighbor from mooching your internet), set a WPA password of some sort.
Yet, you can still use networking to connect from machine to machine. When properly configured, you can connect from one machine to another, copy files between them, and even share devices such as printers. “Network discovery” even allows you to identify the other machines on your network.
The network you’ve connected to elsewhere is really no different. It’s sometimes interesting to run network discovery2 and notice how many people are connected, what their machine names are, and in some (now rare) cases, you can even see what’s on their hard drives.3
This used to be a huge issue, and you’re right to be concerned. The good news is that almost all operating systems now come pre-configured with firewalls enabled to prevent exactly this type of access.
On top of that, many, though not all, routers can be configured to prevent this type of cross-machine access. I would hope (but would not assume) that the routers used in public settings would be set this way.
Choose your hotspots wisely. Make sure they’re provided by someone you trust, and that you’re connected to the hotspot they are actually providing.
Then ensure your firewall is on — which it almost certainly is.
If you feel you need additional security — as I sometimes did while I was travelling — then invest in a VPN. While this does not eliminate the need for your firewall, it does ensure that all your communications are encrypted across the Wi-Fi and its network.
Consider subscribing to my free newsletter, Confident Computing! Each week I offer advice, such as this, as well as solutions, answers, and tips, right in your inbox.
Footnotes & References
1: Even https can be compromised in the form of a man-in-the-middle attack, though it’s difficult. It requires installing, or tricking you to install, an additional root certificate that would legitimize otherwise bogus https connections. Again, the risk here is extremely small.
2: There are several approaches, but one common one that exposes some (but not all) is to just expand the “Network” node in Windows File Explorer and wait.
3: Someone drove this point home at a tech conference some years ago by copying (benign) files to all the machines they could find on the network. Let’s just say several people improved their security immediately thereafter.