Introduction
You walk into a coffee shop, open your laptop, and connect to "CoffeeShop_Free_WiFi." You check your email, log into your bank, maybe do some online shopping. It feels normal. It feels safe. It isn't.
Public WiFi networks are, by design, shared environments. Everyone on the network can potentially see everyone else's traffic. And the tools to intercept, analyze, and exploit that traffic are free, easy to use, and fit on a laptop. For an attacker, a busy public WiFi network is a target-rich environment where every connected device is a potential victim.
How It Works
The most common public WiFi attack is the man-in-the-middle (MITM) attack. The attacker positions themselves between you and the access point, intercepting all traffic flowing in both directions. On an open (unencrypted) WiFi network, this can be as simple as running a packet sniffer like Wireshark. On encrypted networks, techniques like ARP spoofing redirect traffic through the attacker's machine.
Evil twin attacks are even more straightforward. The attacker creates a WiFi access point with the same name as a legitimate network — "Starbucks WiFi" or "Airport Free WiFi." Devices that have previously connected to a network with that name may automatically reconnect to the attacker's version. All traffic then flows through the attacker's hardware, giving them complete visibility and control.
SSL stripping downgrades HTTPS connections to HTTP, allowing the attacker to read traffic that should have been encrypted. Modern browsers and HSTS (HTTP Strict Transport Security) have made this harder, but not every website sends an HSTS policy, and the browser's very first plain-HTTP request to a site (sent before it has ever seen that site's policy) can still be intercepted before the redirect to HTTPS occurs.
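As an added illustration of the HSTS caveat above (not part of the original article), here is a small Python check that parses a site's Strict-Transport-Security header and rates how much protection it gives against a downgrade; the hostnames and response headers are constructed samples, not real measurements.

```python
"""Rate an HTTPS response's HSTS policy against SSL stripping.
Added example, not from the original article; sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional

ONE_YEAR = 365 * 24 * 3600  # minimum max-age the browser preload list accepts


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797); None if absent/unusable."""
    if not header:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_sub, preload)


def assess(headers: Dict[str, str]) -> str:
    """Classify how well the headers protect later visits from a downgrade."""
    lookup = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lookup.get("strict-transport-security"))
    if policy is None:
        return "NO_HSTS: every visit can be downgraded to HTTP"
    if policy.max_age == 0:
        return "HSTS_DISABLED: max-age=0 clears any cached policy"
    if policy.max_age < ONE_YEAR or not policy.include_subdomains:
        return "WEAK_HSTS: short max-age or subdomains left exposed"
    if not policy.preload:
        return "HSTS_OK: protected after first visit, not preload-eligible"
    return "HSTS_PRELOAD_READY: first visit protected once on the preload list"


# Constructed responses from three hypothetical hosts.
SAMPLES = {
    "shop.example": {"Content-Type": "text/html"},
    "mail.example": {"Strict-Transport-Security": "max-age=300"},
    "bank.example": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        print(f"{host}: {assess(hdrs)}")
```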
Session hijacking captures authentication cookies from unencrypted traffic, allowing the attacker to impersonate the victim on websites they're logged into. DNS spoofing redirects the victim to fake versions of legitimate websites. Captive portal attacks exploit the login pages that public WiFi networks display, potentially harvesting credentials or installing malware.
The Impact
The consequences of public WiFi attacks range from embarrassing to devastating. Intercepted credentials can lead to account takeover. Captured session cookies provide immediate access to logged-in accounts. Stolen financial information leads to fraud. Corporate data intercepted on hotel WiFi during business travel has been linked to corporate espionage.
The DarkHotel APT group specifically targets business travelers by compromising hotel WiFi networks. Active since at least 2007, they've used hotel networks to deliver malware to executives and government officials, demonstrating that public WiFi attacks aren't just the domain of opportunistic criminals — they're used in sophisticated, targeted operations.
How to Protect Yourself
Use a VPN. A Virtual Private Network encrypts all traffic between your device and the VPN server, making it unreadable to anyone on the local network — even if they're intercepting every packet. This is the single most effective protection for public WiFi use. Choose a reputable, paid VPN provider with a no-logs policy.
Verify the network name with staff before connecting — don't just join the first open network that appears. Forget public WiFi networks after use so your device doesn't automatically reconnect. Disable auto-join for open networks in your device settings.
Use HTTPS everywhere and check for the lock icon in your browser before entering credentials. Enable two-factor authentication on important accounts — even if credentials are intercepted, 2FA provides a second layer of protection. Avoid accessing sensitive accounts (banking, email) on public WiFi unless you're using a VPN.
For maximum security, use your phone's cellular data connection or a mobile hotspot instead of public WiFi. Cellular connections are significantly harder to intercept than WiFi.
The Bigger Picture
Public WiFi is a fundamental tension between convenience and security. The same openness that makes it easy to connect makes it easy to attack. While HTTPS adoption has significantly reduced the risk (most sensitive traffic is now encrypted end-to-end), the attack surface hasn't disappeared — it's evolved. Evil twin attacks, SSL stripping on non-HSTS sites, DNS manipulation, and metadata analysis all remain viable. Until every public WiFi network requires WPA3 Enterprise authentication (which would eliminate most of these attacks but also eliminate the convenience), the advice remains the same: treat every public WiFi network as hostile. Because it might be.