Why you shouldn’t use an unsecured Wi-Fi network

How often do you connect to public Wi-Fi when you're out and about? Consider it - this includes anywhere that's not your private home network such as coffee shops, airports, public transport or the local pub. With the rise of the necessity to scan QR code menus, Apple Pay and mobile ordering, most venues are expected to provide Wi-Fi connection for basic business functionality. 

Research from NordVPN has found that 41% of Brits use unsecured public Wi-Fi if given the opportunity, despite 52% believing they were most at risk of a cyber attack when connecting to public Wi-Fi in hospitality settings and on public transport. Although connecting to public Wi-Fi is convenient and sometimes necessary, dangerous cybercriminals are relying on this broadly blasé attitude around public Wi-Fi usage to infiltrate your devices and vital accounts.

Marijus Briedis, Chief Technology Officer at NordVPN, notes that "convenience coupled with our love of using devices on the go means public Wi-Fi connections have flourished", although he reiterates that people are "right to be cautious about using them".

"Hackers are opportunists at heart, so it's understandable that some of the busiest venues like pubs and restaurants are those where people feel most nervous of logging on. The scope of threats varies from place to place but modern methods of hacking mean that even at work or in the security of our own home, we can still be at risk.

"Cyber awareness is important, and it's good to see people erring on the side of safety when using public connections, whether it's avoiding accessing sensitive information or clicking on pop-up ads. However, criminals still thrive on human errors, so technological solutions are a key backup that help to minimize risks," he adds.

The cyber risks of using public Wi-Fi

While connecting to public Wi-Fi is convenient and sometimes necessary for functions such as QR code menu scanning or mobile payments, cybercriminals are able to use lax security measures to infiltrate your devices and accounts.  

Concerningly, hackers can access your information and logins even when entered on a secure site, as well as being able to use public Wi-Fi to deposit malware onto your device.

Hackers stealing your data

A new kind of cyberattack called 'WiKI-Eve' was discovered in September 2023. WiKI-Eve was found to have been able to steal multiple passwords over Wi-Fi transmitted by most modern routers built since 2013. It is able to do this by exploiting a vulnerability in something called beamforming feedback information (BFI) technology that is present on all routers that have introduced 802.11ac, also known as 'Wi-Fi 5', which is the majority of routers! 

WiKI-Eve attacks have been found to be able to achieve a whopping 88.9% inference accuracy for individual keystrokes and up to 65.8% top-10 accuracy for stealing passwords of mobile applications.  These attacks can be carried out semi-easily by experienced cybercriminals who are able to launch the attacks from devices as small as a mobile phone that supports monitor mode.

In a demonstration of the vulnerabilities, the researchers investigating the WiKI-Eve cyber attack set up a real-world case study in which they were able to access a consenting victim's WeChat Pay information using only an iPhone, accessing compromised credentials and information about digital payments.

This password-stealing ability is made even more concerning when considering the password hygiene of the average person. In a recent study, SafetyDetectives found that 13 out of 30 of the most commonly used passwords feature only numbers, stating that "numeric patterns are worldwide favorite". To make matters worse, when cybersecurity company Bitwarden surveyed 800 IT decision-makers from the UK and the US, it discovered that 90% of users reused passwords in the workplace. Many opted for simple, easy to remember, and therefore easy to guess, passwords such as "password", or "12345678". Others used the same passwords across multiple services, shared them with their friends and family, or wrote them down somewhere physically such as a Post-it note on a desk.

Of those questioned, 54% of respondents managed passwords with documents on their computer whilst 45% tried to simply memorize login credentials. When investigating workplace password sharing habits, Bitwarden found that security measures were severely lacking, with 38% of respondents using shared online documents, while 41% simply shared the passwords via email.

With this epidemic of bad password practices, cybercriminals only have to exploit the vulnerability of one initial account to be able to access multiple and thereby cause incredibly impactful damage across all associated devices and logins. 

Cybercriminals infecting your device with malware

Cybercriminals can use vulnerabilities in public Wi-Fi to infect your device with dangerous malware. If a malicious actor connects their device to the same public network as you, they can use Address Resolution Protocol (ARP) poisoning to gain access to your data. By utilizing a specialist tool, they can scan the public Wi-Fi network for your device's unique IP address as well as the main Wi-Fi router. They then send out fake ARP messages, to reveal the MAC (Media Access Control) address of both your device and the router. With these key pieces of information the hacker can impersonate your device and receive all the data that is transferred between you and the websites you visit, even if they are "secure". This is a common hacking method known as ARP spoofing.

They can also use a technique known as 'DNS poisoning' or 'DNS spoofing'. DNS servers translate website names that you would type into an address bar, e.g. www.techradar.com, and convert them into machine-readable IP addresses. If an attacker is able to access your device, e.g. through ARP spoofing, or tamper with the public Wi-Fi router, you could type in the address of a legitimate website such as www.amazon.com, and be secretly redirected to a criminal phishing site. In this scenario the address bar will still show the web address for the website you intended to visit, hiding the criminal intent.

By using entrance techniques like ARP Spoofing and DNS Poisoning hackers can then deposit malware on your devices by redirecting you unknowingly to malicious links which will download the malware. Once your device is infected, they can continue to access it even when you disconnect from a public Wi-Fi hotspot and reconnect at home.
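For the ARP spoofing described above, one defensive check is to watch your own device's neighbour (ARP) table for the router's MAC address changing, or being shared with another host. The Python sketch below is an added example, not part of the original article; it assumes Linux `ip neigh show` output, and the addresses, snapshots and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches rows such as: "192.168.1.1 dev wlan0 lladdr 02:00:00:aa:00:01 REACHABLE".
# Rows without "lladdr" (FAILED / INCOMPLETE entries) carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse_neigh(text):
    """Return {ip: mac} parsed from `ip neigh show` style output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def find_arp_anomalies(baseline, current, gateway_ip):
    """Compare two {ip: mac} snapshots and return a list of (kind, detail) alerts."""
    alerts = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    # 1. The router's MAC should not change while you stay on the same network.
    if old and new and old != new:
        alerts.append(("gateway_mac_changed", f"{gateway_ip}: {old} -> {new}"))
    # 2. A poisoned cache typically shows the router's IP and another host's IP
    #    resolving to the same MAC. (A router with secondary IPs can also do
    #    this legitimately, so treat it as a prompt to investigate.)
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            alerts.append(("gateway_mac_shared", f"{mac} claims {sorted(ips)}"))
    return alerts

# Constructed sample snapshots (locally administered MACs, private IP range).
GATEWAY = "192.168.1.1"
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:aa:00:01 REACHABLE
192.168.1.57 dev wlan0 lladdr 02:00:00:bb:00:57 STALE
192.168.1.99 dev wlan0 FAILED
"""
POISONED = """\
192.168.1.1 dev wlan0 lladdr 02:00:00:bb:00:57 REACHABLE
192.168.1.57 dev wlan0 lladdr 02:00:00:bb:00:57 REACHABLE
192.168.1.99 dev wlan0 FAILED
"""

if __name__ == "__main__":
    for kind, detail in find_arp_anomalies(
        parse_neigh(BASELINE), parse_neigh(POISONED), GATEWAY
    ):
        print(f"[ALERT] {kind}: {detail}")
```

On a real machine the two snapshots would come from running `ip neigh show` when you first join the network and again later.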

Beyond accessing your login credentials, security researchers have uncovered new malware components to the 'Smokeloader' malware that can use Wi-Fi triangulation to determine your device's real-world location.

"Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," researchers at Secureworks say. "The location returned by Google's geolocation API is then sent back to the adversary."

The purpose of this frightening new geolocation feature is yet to be determined. Secureworks researchers suspect that learning the infected device's location could be used for intimidation tactics such as pressuring a victim into complying with their demands.

Although it can be scary, your device being infected with malware is not necessarily the end of the world. By ensuring you have malware removal and antivirus programs installed you can stop an infection in its tracks and reverse any damage. Malware removal tools are able to effectively remove viruses, malware, and ransomware, as well as fortify your computer against future attacks. While it is more important than ever to protect your devices, the good news is it's also easier than ever to install comprehensive and effective protection with a combination of the best malware removal tools and best antivirus software.

How to protect yourself on public Wi-Fi

Virtual Private Networks, commonly referred to as 'VPNs', are an important cybersecurity measure that can help to mitigate the risk of connecting to an unsecure public Wi-Fi network and enhance your online security. A VPN encrypts your online identity while you browse, ensuring that your browsing history is not stored on your device. It achieves this by establishing a digital connection between your device and a remote server owned by your VPN provider, encrypting your data in the process. This also allows you to conceal your IP address and bypass geographic specific content blocks or firewalls whilst browsing. The encrypted connection provided by a virtual private network adds an extra layer of protection, safeguarding your data from potential threats on unsecured Wi-Fi networks.

By utilizing a virtual private network, you are able to protect your privacy as well as fortify your online presence against a large array of cyber threats, creating a vitally more secure and private browsing experience.

How to pick a VPN to secure your device

 

Virtual Private Networks (VPNs) serve as an essential cybersecurity tool for encrypting your online connection and securing your device, particularly when connecting to unsecured and public Wi-Fi networks. But with so many different options on the market it can be difficult to know where to start with comparing the plethora of different aspects that each of the leading Virtual Private Networks bring to the table. 

The first thing that you will need to consider is how you intend to use your VPN, determining whether it will be exclusively for personal use, business purposes, or a combination of both.

Think about how you will incorporate different aspects in your day to day use and how hands on you want to be,  whether this is just to keep yourself safer online or if you plan to use additional capacities to stream geographically restricted content, or to access torrents and gaming. 

Ensure that you are taking into consideration these key factors when selecting a VPN to meet your personal user needs, including:

Simultaneous connections: Assess how many devices you intend to secure with your new VPN. Make sure you check the limit on the number of devices a VPN service allows you to protect simultaneously, making sure it accommodates your current requirements as well as any additional devices you may add in the near future.

Additional Features: Evaluate the additional features offered by VPN providers to determine which ones may justify any extra cost for you. For example, NordVPN offers built-in ad blocking with purchase and ExpressVPN offers 24/7 customer support, which could save you money on purchasing multiple programs and further fortify your digital security. Check out any plan upgrades offered that may include a full security suite with antivirus, cloud storage, and data breach tracking.

Unblocking capability: Assess if the unblocking of location specific content on streaming services like Netflix or BBC iPlayer is a priority for you and if so opt for a VPN with the capability to bypass such restrictions quickly and effectively. Some VPN services offer dedicated servers for different uses, like streaming and torrenting, which make it more convenient to unblock your favorite content, regardless of where you are.

Apps: Consider how you plan to access your VPN, keeping in mind the compatibility with your devices. Some VPNs offer apps for Windows, Mac, iOS, and Android but may lack support for smaller platforms such as Linux, routers, and smart TVs. Be sure to try out the associated apps to assess the user interface and ease of navigation across all of your devices.

Price: Once you've pinpointed the essential functionalities for robust cybersecurity on your devices,  you can then compare the cost of applicable VPNs that meet your criteria. Be cautious not to compromise on quality and therefore compromise on your digital security. Don’t miss our list of the best cheap VPN services for our favorite secure options that are budget friendly.

The best VPN in 2024

Virtual Private Networks (VPNs) are an integral tool for fortifying the cybersecurity of your personal or business accounts and devices. They provide a secure and encrypted connection, safeguarding sensitive data from potential breaches, especially when connecting to unsecure public Wi-Fi. 

By encrypting your personal or business data they help to protect your devices and accounts from cybercriminals seeking unauthorized access to personal information,  confidential data and communications. They are also able to mask IP addresses  and bypass geographic specific content blocks or firewalls whilst browsing. Their private, encrypted connection owned by the VPN provider adds an extra layer of protection, safeguarding your data from potential threats. 

By utilizing a virtual private network, you are able to protect your privacy as well as fortify your online presence against cyber attacks, creating a vitally more secure and private browsing experience.

Need a quick answer on which VPN to download? These are our top three picks:

1. ExpressVPN - our top overall VPN pick

ExpressVPN is widely praised for its lightning-fast speeds, unbeatable quality,  user-friendly applications, and dependable geographic content unblocking. Key additional features include round-the-clock customer support for swift issue resolution and the added convenience of an integrated password manager, elevating both security and user-friendliness. 

If you want a VPN that you can set and forget, ExpressVPN's auto-connect feature means that you can connect once, and remain protected. They also conduct regular audits and have a ‘no-logs policy’. This means that they do not store any data about your online activity, including your IP address, browsing history, or DNS queries, ensuring that your data is private and safe.

2. NordVPN - the fastest option with key additional features

NordVPN stands out from competitors with its incorporation of built-in ad blocking and malware protection as standard features, complementing its comprehensive VPN solution. It showcases rapid server speeds over 950 Mbps, multiple customizable options, and an expanding array of functionalities. For a mid-priced VPN, NordVPN strikes the perfect balance between cost, security, usability, performance, and unblocking capability.

3. SurfShark VPN - best cost effective VPN

Despite being the most budget friendly at just $2.29 per month, SurfShark manages to hold its own against pricier competitors. It provides top-notch security features including geographic content unblocking, making it a great option for users in search of a cheap yet trustworthy VPN solution. It repeatedly came up as one of the fastest VPNs in our checks, with server speeds averaging above 950 Mbps.

They have also launched a data protection innovation called ‘Incogni’ which is a service that automatically requests the deletion of personal data stored by data brokers. Overall Surfshark is an exceptional value for money Virtual Private Network, with unparalleled speeds and unlimited simultaneous connections. 

How we test VPNs

TechRadar’s team of experts use the top VPNs daily across their personal and work devices, but to make sure we’re continuously updating we conduct a complete comprehensive analysis of the top 30 VPN services every 6 months.

Our thorough evaluation of virtual private networks begins by collecting exhaustive details on the service and the features it claims to offer, directly from its website. We sign up as anonymously as possible and verify server claims by connecting to multiple different test locations. We then read through privacy policy documents and analyze the small print to ensure robust security and, where possible, test privacy claims.

To gauge the performance of each VPN provider, we conduct extensive speed tests, over 120 times across two sessions, using both a US home connection and a 1 Gbps UK data center to show us a provider's potential and the real-world use case application. 

Any good virtual private network should be able to unblock multiple streaming services seamlessly. To assess this, we attempt to access geographically exclusive content from Netflix, Amazon Prime Video, Disney Plus, and BBC iPlayer, repeating the test from at least three different locations around the world to get an idea of how the service performs in a real life equivalent scenario.  We carry out constant real-world testing to make sure our analysis is always relevant and accurate to the latest version of the VPN.

We don't just trust what we see on the surface of a VPN provider's website. We go further by checking its RAM contents and, if possible, decompiling and examining its source code to find out what's going on behind the scenes and whether the service gives genuine protection or is falsifying its security measures.

To learn about our full VPN testing methodology visit our VPN testing methodology page.

Using a VPN FAQs

Are VPNs safe?

Yes. Virtual Private Networks (VPNs) are considered very safe and are widely utilized as an essential tool for fortifying personal and business cybersecurity. They encrypt your internet connection, adding an extra layer of security and privacy to your time online. By leveraging encryption protocols, VPNs create a secure tunnel through which your data travels. This encryption makes it challenging for cybercriminals to infiltrate and compromise your online data. This heightened level of protection ensures that your online activity, including communications, transactions, and personal data, is shielded.

Is it legal to use a VPN?

The legality of using a VPN depends on the country where you are planning to use it. In many countries, including the UK and US, VPNs are legal and commonly used. However, in some countries such as China and Russia, there are major restrictions on the use of VPNs. It's crucial to note that while using a VPN itself may be legal in your country, engaging in any illegal activities while connected to a VPN remains illegal. 

Are VPNs easy to use?

Yes, modern VPNs are designed to be incredibly intuitive and user-friendly. For example, ExpressVPN offers an easy-to-use one-click connect function for seamless connections. If you want a VPN that you can set and forget, ExpressVPN's auto-connect feature means that you can connect once, and remain protected. As well as this, many VPNs, like those utilizing the Lightway protocol, automatically select the best server and encryption for your specific needs, further enhancing the user experience with little user intervention. The Lightway VPN Protocol makes your VPN experience speedier, more secure, and more reliable. Designed to not overload your device, Lightway runs faster, uses less battery, and is easier to audit and maintain.

Olivia Powell
Commissioning Editor for Tech Software

Olivia joined TechRadar in October 2023 as part of the core Future Tech Software team, and is the Commissioning Editor for Tech Software. With a background in cybersecurity, Olivia stays up-to-date with all things cyber and creates content across sites including TechRadar Pro, TechRadar, Tom’s Guide, iMore, Windows Central, PC Gamer and Games Radar. She is particularly interested in threat intelligence, detection and response, data security, fraud prevention and the ever-evolving threat landscape.
