Five ways hackers can steal your data on public Wi-Fi

If you're away from home and don't use mobile broadband, public Wi-Fi is one of your only options. 

It's almost certain that, at some point in time you will need to connect to public Wi-Fi. Luckily, most providers of public Wi-Fi hotspots make them "open", which means anyone can join the network without a password. However, this comes at a price. When you’re on the network, bad actors like hackers & identity thieves can target your data.

In this guide, you'll learn 5 common ways hackers try to target your personal information & how to protect yourself. Also, don’t forget to take some time to read our Why you need a VPN guide on why you should always use a VPN on public Wi-Fi. 

ARP spoofing

When you connect to a public Wi-Fi network to access the Internet, you never know who else is connected to it as well.

If a hacker connects their device to the same network as you, they can use Address Resolution Protocol (ARP) poisoning to try to gain access to your data.

The hacker can use specialist tools to scan the public Wi-Fi network for your device’s unique IP address as well as that of the main Wi-Fi router. By sending out fake ARP messages, they can then discover the MAC (Media Access Control) address of both your device and the router. This allows the hacker to impersonate your device and secretly receive all the data that is transferred between you and the websites you visit.

These types of attacks are known as “Man in the Middle” attacks and leave you vulnerable only if the websites or services you’re connected to are not using encryption. 

You can protect yourself when you have to use public Wi-Fi by making sure you only access pages secured by SSL/TLS encryption. Better yet, sign up with a reliable VPN provider & all your internet data will be encrypted before it leaves your device, making it much more difficult for hackers to access.

Why not check out our roundup of the best VPN Providers for 2023?

DNS poisoning

DNS poisoning or "DNS spoofing" can be an extremely dangerous type of attack, as most people are unaware it’s happening.

DNS servers act as a sort of virtual phone book for the internet. They take the human-readable website names you type into an address bar e.g. & translate them into machine-readable IP addresses. 

At home, your ISP usually provides you with DNS servers to help direct your connection requests but if an attacker is able to access your device e.g. through ARP Spoofing, or tamper with the public Wi-Fi router, you could easily type in the address of a legitimate website such as, only to be redirected to a fake "phishing" site set up by the hacker. 

The address bar still shows the correct web address for the website you want to visit, so you’re none-the-wiser when you enter your passwords or other sensitive information. 

You can configure your own Wi-Fi network to use a more secure form of DNS such as DNSSEC, or use a public DNS server, such as those offered by Google. However, If you’re using public Wi-Fi though, you can't do these things. 

The simplest way to stay safe is to use a reliable VPN provider such as ExpressVPN which routes all connection requests through their own servers, wherever you’re connecting from.   

SSL stripping

When an attacker is connected to the same Wi-Fi network as you, they can use SSL stripping to lay bare your sensitive personal data.

SSL/TLS is a suite of security protocols that encrypt the connection between your device & a web server. So, if your data is intercepted it’ll be almost impossible for a hacker to read.

Read more about exactly how TLS works in our TLS guide.

If a hacker is able to manipulate your connection though e.g. through ARP Poisoning, they may try to force your device to use the unencrypted versions of secure websites, rather than those protected with an SSL certificate.

If you’re using public Wi-Fi, stay safe by checking each website you use begins with “https://” in the address bar, not “http://”. Most browsers also display a padlock next to the address bar to show the site is secure. 

Almost all modern browsers such as Google Chrome can now be configured to use only secure HTTPS connections where available. 

The world web is slowly coming round to providing secure websites but in the meantime, by using a VPN, all your traffic is encrypted, both HTTP & HTTPS.

SSL certificate on a Wikipedia page


Hackers can inject malware onto your device through an unsecured network and by other means. For example, if you click a link from a suspicious email. They may also try to actively hack your device but they’re more likely to use techniques like ARP Spoofing & DNS Poisoning to redirect you to malicious links, which will download malware to your device.

This is very dangerous, as not only could an attacker access all the data on your device, once your machine's infected, they may well be able to access it even when you disconnect from a public Wi-Fi hotspot and connect to another, say in your home.

Make sure to install & update reliable antivirus software (yes, even if you use an Apple Mac!)

You can also prevent most harmful malware links from loading by using an ad-blocker

The honeypot

Given how popular public Wi-Fi is, some hackers & identity thieves take things a step further by setting up their own "honeypot" or "evil twin" hotspot. These days this is very easy to do by using equipment freely available on the web and has very scary implications.

In an airport, a hacker can set up an unsecured wireless network called "FREE AIRPORT WIFI". Then, anyone who connects to this network will have their data harvested by the person that set up the network.

The first way to stay safe is to check with the management of the premises that you have the right Wi-Fi network name. 

Once again, if you use a reliable VPN to connect to the Internet, all your traffic is encrypted, including DNS requests to visit websites no matter what network you’re on. This would make it extremely difficult for an attacker to gather any useful information about you, even if you did connect to a honeypot by accident.

To get started, check out our safest VPN guide to the very best VPNs available for 2023. 

TechRadar VPN disclaimer

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.