This story is over 5 years old.


How to Use Public WiFi Without Getting Hacked

If you must use it, here’s how to stay safe.
Art by Ashley Goodall

This article originally appeared on VICE Australia.

Free public WiFi is the best, right? I personally love it because I am a writer, and I love to sit Carrie Bradshaw–style in a cafe with my laptop, usually ordering exactly one of the cheapest menu items, and taking up the best table for at least four hours.

I've been basically leeching off of public WiFi hotspots ever since they were invented. Some of my favorites include those found at McDonald's—hot tip, don't torrent while using them or you get a lifetime ban.


However, I have recently been made aware that public WiFi is actually a dystopian scam that none of us should be connecting to, ever. This isn't even hyperbole—using public WiFi networks, such as those sponsored by airports, local councils, or shopping malls, poses a huge risk to your personal privacy.

My free internet dream is dead, and here's why yours is too.

Yes, marketing companies really are using your data to sell you shit

"Do marketing companies collect information about you as you browse? Absolutely," Justin Warren, managing director of IT consulting firm PivotNine, tells me. "Every chance they get. They convince themselves that they're doing it to 'make the experience better,' but there's no such thing as a free lunch. You're paying for the WiFi one way or another."

So how does this work? "Any WiFi network you connect to will see your MAC address of the WiFi chip in your device, which is a unique code. It's required to make the WiFi work. Just connecting to the network will tell the people running the WiFi something about you, and they can cross-match that unique device code with other datasets available for sale by data brokers. Collected from other public WiFi networks you've connected to in the past, for example. Or possibly uploaded by apps that you gave permission to look at ID information on your device. The amount of information you can find out about someone using these datasets can be astounding."


You are extremely vulnerable to hackers

OK! Maybe you don't care about marketing companies monitoring your every move. That's fine. Honestly, it's happening, and maybe we just have to deal with it. Unfortunately, using public WiFi poses other more personal risks—especially if it is of the super convenient kind that doesn't require a password.

"Public WiFi networks at cafes and public spots can be a risk because they may not require authentication to establish a network connection," explains Dr. Suelette Dreyfus, a lecturer at the University of Melbourne's School of Computing and Information Systems. "An intruder may be able to slip in between your laptop and the network. If you are file sharing on a network, perhaps he inserts a malicious piece of software. Or maybe he just eavesdrops, slurping up your credit card or personal information sent over an unencrypted connection."

When you're scanning for free WiFi and that long list of weird network names comes up, that's the moment in which to be extra vigilant. Because a device called a WiFi Pineapple—anyone can buy one online for under $100—allows hackers to trick you into inadvertently connecting to the wrong hotspot. "They can pretend to be common networks like Starbucks, airports, and hotels so your device joins them automatically or manually," Warren explains. "Or they can listen to see your cellphone join your home network, and immediately start pretending to be that network so your phone automatically joins it. Convenience is often the enemy of security."


Once your connection is intercepted by a pineapple, they stage what's known as a "man-in-the-middle" attack in order to steal personal information and passwords. "Using HTTPS web pages helps prevent this, but if you're using plain HTTP, everything you do can be seen by these devices," says Warren.

You have to take a number of annoying steps to avoid all this from happening

The first thing to take note of is that password-free WiFi networks should be avoided at all costs. "Unsecured public WiFi is the kind you can log into without a password. Anything sent over this network can be seen by others on the network because the traffic isn't encrypted by the WiFi connection itself; you need to add encryption on top of it. If it's a secured WiFi network—one that needs a password to connect—then it's going to be using some form of encryption on the WiFi itself, which provides some protection," Warren says.

Secondly, always use a VPN [virtual private network]. "Basically, the easier it is for you to join a WiFi network, the easier it is for someone else to eavesdrop on whatever you're doing on that network. You need some form of encryption layered on top of the raw WiFi connection to protect you."

A VPN is ideal for this—but there are good ones and bad ones, so do your research. Warren recommends Freedome VPN by F-Secure. And if you're unwilling to fork out the cash for good encryption, you want to at least be using secure websites over HTTPS, not old HTTP. "This protects the content of what you're sending and receiving to the website, but unlike a VPN, it does expose that you're visiting that website. The people running the WiFi network can see the URLs you're browsing, how often you look at different sites, how much data you send, and the amount of data you receive. Most of the major websites do this by default now, but you still need to be careful."


But VPNs won't necessarily protect us forever. Not to get all Julian Assange on you, but your privacy is under attack every single day. The Australian government, for example, is currently proposing laws that would force technology companies to make their systems decryptable, in order to intercept potential terrorist communications. For Dreyfus, this is a huge issue.

"It so important to have and use strong encryption software to shield all your communications from prying eyes. And therefore, a reason why proposals by some governments—such as Australia's—to demand software makers break their products by design is so risky to us all," she explains.

So basically

We should all move to an island where "big data" can't find us? I don't know. I hear they have a lot of drones at their disposal so that's probably pointless. The big takeaway here is that… I'm probably not going to stop using public WiFi hotspots. I am lazy. I am poor. But now at least I'm aware of how exactly I'm being taken advantage of, and am subsequently mad as hell about it.

Warren doesn't advise we give up on the utopian public WiFi dream for good but admits that cellular roaming is a more secure way to go if you need to get online on the go. "At least for now—as with all things security, it's a trade-off between how much value you feel you're getting out of it, and how much risk you're willing to take," he muses. "Humans are really bad at assessing risk."

Follow Katherine Gillespie on Twitter.