On a recent work trip to South Korea, I stayed in two hotels that had free Wi-Fi, with no passwords needed to connect to them.
Most guests would likely find the lack of a password more convenient, but I found it alarming. A user ID and password don’t just authenticate you to the hotel’s network; they also authenticate that you’re actually on the hotel’s network.
Without some way to verify that you’re on an official network, it’s trivial for a malicious person to pretend to be that network.
Here’s an easy way to think about it: Say the hotel sets its network’s SSID to ‘hotel_wifi’. In your room, you set up your own network using a mobile hotspot, named ‘hotel_wifi2’ and you disable passwords as well. If any guests in your area unsuspectingly log onto your router, then you can see and capture whatever they’re doing online.
In fact, during my stay at one hotel, I noticed that a secondary network with the same name, but in all-caps, suddenly appeared during the afternoon and never appeared again after. Was it a malicious network? I can’t say for sure, but I never connected to it.
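As an added example (not part of the original post), here is one way to check a list of visible network names for the two lookalikes described above, a case variant and a near-match of the name the hotel gave you. The scan entries, function names and the distance threshold are assumptions made for illustration.

```python
import unicodedata

def normalize(ssid):
    """Fold case and Unicode compatibility forms: 'HOTEL_WIFI' -> 'hotel_wifi'."""
    return unicodedata.normalize("NFKC", ssid).casefold().strip()

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(trusted, seen, max_distance=2):
    """Compare a scanned SSID with the name the hotel gave you."""
    t, s = normalize(trusted), normalize(seen)
    if seen == trusted:
        return "exact"          # same name; the name alone cannot prove who runs it
    if not s:
        return "unrelated"      # hidden network, nothing to compare
    if s == t:
        return "case-variant"   # e.g. the all-caps copy described above
    if edit_distance(t, s) <= max_distance or s.startswith(t):
        return "near-match"     # e.g. 'hotel_wifi2'
    return "unrelated"

def review_scan(trusted, scan):
    """Return (ssid, verdict, is_open) for every name a guest could mistake."""
    findings = []
    for net in scan:
        verdict = classify(trusted, net["ssid"])
        if verdict in ("case-variant", "near-match"):
            findings.append((net["ssid"], verdict, net["open"]))
    return findings

# Constructed scan results (not captured from a real network).
SCAN = [
    {"ssid": "hotel_wifi", "open": True},
    {"ssid": "HOTEL_WIFI", "open": True},
    {"ssid": "hotel_wifi2", "open": True},
    {"ssid": "CoffeeShop", "open": False},
    {"ssid": "", "open": True},
]

if __name__ == "__main__":
    for ssid, verdict, is_open in review_scan("hotel_wifi", SCAN):
        print(f"{ssid!r}: {verdict}, {'no password' if is_open else 'password required'}")
```

A name that matches exactly is reported as "exact" and not flagged, which is the limit of any name-based check on a network with no password.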
To be sure, public Wi-Fi is notoriously insecure, even with passwords, and should never be trusted. Bad agents can easily see what you’re doing online and steal your personal data if you’re not careful. If you don’t believe me, watch this video.
If you want to continue using public Wi-Fi safely, you’ll need to use a Virtual Private Network (VPN), which encrypts your connection to keep your communications secure. The video is an ad for Norton’s VPN service, but there are dozens of alternatives out there.
Without a VPN, your computer or smartphone connects to the router and then jumps out to servers on the internet. If you don’t use encryption, a bad agent can easily see what you’re doing on the network, like the sites you’re looking at, and can even intercept sensitive data like passwords.
If someone has compromised the public router or has tricked you into logging onto his router, he can even feed you fake websites that look the same as the ones you asked for, like a Facebook login page. Once you enter your credentials, he can steal your account.
With a VPN, your device connects to the provider’s servers through the router, using an encrypted tunnel, and then jumps out to servers on the internet. By encrypting the traffic between you and the VPN’s servers, anyone who tries to intercept your communications can only see that you’re connecting to the VPN’s servers and nothing else.
You should know though, that a VPN is not without its problems. Even though a VPN prevents snooping middlemen from intercepting your data, the VPN provider itself can potentially monitor your data — so it’s a question of whether or not you trust it with your data.
All VPNs keep logs of your use, even if they say they don’t (it would be difficult to run such a service without doing so). The best you can hope for is to consult its privacy policies to see how long it keeps these logs for and if any person actually looks at them.
You should also know that a VPN is more about security than anonymity. While a VPN masks your actual IP address, you can still be identified via the cookies in your browser and your device’s MAC or IMEI number.
You’ll also need to be prepared to pay for a proper VPN, as there are many dodgy free ones out there. A recent study found that many free Android VPNs were potentially malicious, letting third parties spy on their users.
(If you want to put on your paranoid hat, setting up a VPN is actually a great way to spy on other people, whether you’re a state-sanctioned operation or a bad agent.)
As a long-time VPN user, I’ve also found that it’s more inconvenient. My devices would sometimes fail to connect or drop connections, while my friends’ VPN-less devices wouldn’t. A VPN also routes your connection, making it slower than usual.
It’s a tug of war between convenience and security, but I would caution security over convenience.
Here’s what a Virtual Private Network (VPN) can do for you:
*Although it’s not recommended for heavy use, as a VPN is inherently slower than a direct connection. For this specific use case, it’s more advisable to use a proxy.
And here’s what a VPN won’t do:
**F-Secure’s Freedome service actually does block harmful sites.
Because public Wi-Fi is so insecure, if you connect to other people’s Wi-Fi often, then I’d recommend using a VPN to keep your passwords, accounts, and private data safe.
However, you should know that even though a VPN will keep your communications secure from being intercepted, your VPN provider can potentially see your data and keep logs of it.
Compounding that, there’s a clear lack of transparent, independent reviews of VPN services. Both Ars Technica and The Wirecutter found it difficult to recommend any single VPN above the rest as absolutely trustworthy.
(For another layer of security, install the HTTPS Everywhere extension on top of using a VPN, which forces your browser to use encrypted connections with websites that support it. With the extension running, your VPN can still see what site you’re connected to, but not what you’re doing on it. In fact, whether you run a VPN or not, I’d highly recommend you install this extension anyway.)
VPNs can also slow down your connections, and sometimes fail to connect at all. Security is always in a tug of war with convenience, and you’ll have to be willing to accept minor inconveniences in exchange for keeping your data safe.
For myself, I use Cloak for iOS and macOS. Cloak doesn’t have the security pedigree of a company like F-Secure, but it’s convenient — the service automatically turns itself on whenever I connect to an untrusted network.
If you remain convinced about how insecure public Wi-Fi is, but unconvinced about how secure VPN providers are and need to constantly connect to outside Wi-Fi, then you have two other options.
Either you create your own VPN, which is a pretty technical endeavor, or you only use 4G networks to access the internet.
If you’re traveling, get a local prepaid SIM or subscribe to your telco’s overseas data service, create a personal hotspot using your smartphone and connect your devices to that. Or get a mobile hotspot with a local prepaid SIM, secure it with WPA2 and a strong, random password that’s 16 characters or longer, and connect to it for your internet access.