/ Technology

How safe do you feel using free wi-fi hotspots?

Holidays can often mean hunting for free wi-fi hotspots in bars, hotels and restaurants to keep your mobile roaming bill under control. But there’s a sting in the tail with free hotspots – they’re not always very safe…

Free wi-fi is convenient when you’re on holiday, especially if you’re somewhere that your ISP charges you extra for data roaming, or if you can’t get a good enough signal to use your mobile data for getting online.

But there are risks: you could be logging on to a malicious ‘evil twin’ network, for example, or you could be inadvertently letting everyone else using the hotspot see into your laptop.

Or, if you’re outside the EU and thus outside the protections of the Europe-wide General Data Protection Regulation (GDPR), you could have to hand over all kinds of personal data and agree to being sent loads of marketing emails in return for access to the wi-fi.

Free wi-fi in a shopping mall could also mean you’re being tracked closely as you wander in and out of the shops and your online activities logged.

Security experts are unanimous in saying that it’s best if you don’t use free wi-fi hotspots when you’re out and about, whether that’s at home in Britain or abroad.

We’ve got more detailed advice on using wi-fi hotspots safely in the August issue of Which? Computing, but here are some quick tips to help you stay safe while you’re out and about.

Check what you’re connecting to

When you fire up the wi-fi on your phone or laptop, you’ll see a list of available hotspots. Don’t just connect to the first one you see: if you’re in a restaurant or bar, ask them which one is their hotspot and ask them for the password.

If there isn’t a password or the staff aren’t sure which is their hotspot, it’s better not to connect at all.

No password means that anyone nearby can connect to it, whereas a password-protected network does at least limit it to people with the password.

A hotspot without a password could also be an ‘evil twin’ network – one that’s been set up by a hacker to steal your information.

Be careful what you do online

If you must connect to public wi-fi, don’t do any online shopping or banking unless you absolutely have to.

Scammers could intercept your login details while you browse, or hijack the hotspot to send you to a fake landing page designed to steal your passwords.

Look for HTTPS

Make sure any website you’re looking at is encrypted – that means it is exchanging information between your device and the website securely, and that a hacker can’t intercept it.

We’ve got more detail on how that works here on our Helpdesk website.

Consider using a VPN

Security experts recommend using a VPN all the time when you’re away from home. A VPN sets up a secure link via a trusted third-party server that can hide your location and your IP address, and make it look as if you’re connecting from another country.

We think it’s worth paying for a good VPN, as there are trade-offs that could impact your privacy if you use a free VPN. We’ve got some more information about VPNs and how to choose one here.

Do you rely on free wi-fi hotspots, or do you prefer to stick with your mobile data connection? And have you got any tips about how to stay safe when you’re connecting while you’re out and about?


I have become wary about using free WiFi services because of concerns such as those Kate mentions in her introduction. When I’m away from home I use my host’s WiFi or use tethering to my mobile.

If there is no signal to allow me to use mobile broadband then I can live without access to Which? Convo for a day or two. 🙂

Tony says:
3 August 2018

Started using ExpressVPN about 3 years ago after I had my credit card info stolen. Using a VPN has honestly become like second nature to me at this point. I’d def recommend using one.

I would be interested in learning more about the benefits of using a VPN with regard to computer security and any drawbacks. I used FortiClient by Fortinet for years on Macs, mainly to allow me (legitimate) access electronic resources that were intended to be accessible only to users with university IP addresses.

I have in front of me a list of hacking tools for use with an Android phone , they come not from the Dark Web but from a legitimate “hacking ” website . Its entitled-Wi-Fi hacker-10 best Android and desktop Wi-Fi hacking apps free download , there is a list of 6 but it doesn’t stop there it copies commercial enterprise by giving you -“best cracker ” of – say 2016 and rates them . They are all downloadable, it does have a disclaimer though -quote- we recommend that these tools should be used for educational purposes and learning purposes only and warns against cyber-crime. Some specialize in hacking Windows 10 cracking encryption /recover network keys being able to obtain all your passwords , one boasts of being able to record VoIP conversations , obtain data caches , decode scrambled passwords and most worrying obtain ROOT protocol . Its even got a link to an IP scanner “helping ” you look for a port (doorway ) into a users system with a presentation of how it works with a GUI display , its pretty comprehensive . There seem to be those who think Win 10 is “super duper ” at stopping malware etc -sorry not as far as the hacking community is concerned . I wont be providing ANY links or naming any tools but they are freely available on the web , as I have said several times on Which ? I have wi-fi- not only stopped but not programmed into my system and I have done some programming to block its “self ” installation and running , I dont use it nor do I have any wi-fi apps on my system as looking at how easy it is to hack even on the so called “prestige ” Windows 10 (we keep you “safe ” ) -uh ! no you dont ! I have also disabled all remote access , yes I know you “lose ” this or that app , that doesn’t bother me leaving an open “windows type door ” does .

For you Wavechange VPN,s –the truth , not from an novice but straight from Mike LIeberman- 35+ years working with IP/WAN networks — there are links to more info on VPN,s on the right . All the posters are professional software engineers even an ex tech. at Deutsche Telekom so this is no “kiddies ” website https://www.quora.com/Is-using-a-VPN-safe-Is-it-possible-that-my-personal-information-can-be-caught-by-some-technical-methods-during-the-time-I-am-using-a-VPN-If-it-can-be-done-how-does-it-work all your questions answered —seriously .

Thanks Duncan, but it does not inspire me with much confidence. Thinking just about free WiFi services I think my approach of avoiding using them is the best one for me. Most friends have home WiFi that I can use and tethering works in more locations than it did years ago. I was signed up for a couple of popular free WiFi services but one started sending me junk email so I terminated the account and had no further problem.

I might ask what former colleagues at work use on their Macs.

DerekP says:
4 August 2018

I agree with wavechange here.

If I can use my existing mobile broadband, then I’ll use that in preference to “free” wifi.

Some smaller hotels to see to offer genuinely free wifi – with no strings attached. If you’re a guest, they already have your personal data – so they have no compelling need to steal more data from you.

The last such hotel I stayed in, during a work visit to Barrow, even gave me free beer after I’d checked. How’s that for service?

If a “free” wifi hotspot requires me to “register”, then I usually don’t bother.

With it being holiday time, I think the Which? article is aimed at overseas travellers, especially those off to countries where they be charged extra for data roaming or where they won’t have the option of mobile broadband. In my terms that would be a bit like going to a cottage in Wales that didn’t have wifi. On other words, when not on the beach, a great time to use real books and maps and physical DVDs instead of ‘tinternet.

DerekP says:
4 August 2018

I loved the intro W?C’s posted link:

“Many people are familiar with using a VPN to connect to work resources such as your email or documents when you’re away from the office, but what about ordinary people?”

🙂 🙂 🙂 I love unintentional humour.

Yes, that unwitting put-down by a Which? writer was rather revealing, wasn’t it?

Ordinary people get on fine without all that hoo-ha. We don’t need to be constantly connected. “Ordinary” is the superior state in my book.

I think this topic is over-hyped. You’re far more likely to have your mobile phone physically stolen than you are to suffer a security breach through use of a public wifi network. I use wifi everywhere without any concerns.

NFH the public wi-fi network is constantly being hacked , even your computer wi-fi is not guaranteed safe , especially with the IoT being heavily advertised to the public in which all kinds of remote cameras/ baby alarms/ garage door cameras / “talking ” toys / etc are being hacked constantly . Thats over and besides data gatherers and those hackers taking over control of your computer . The so called “protection” over the IoT is very bad , all I am doing is pointing out reality as many posters come here wondering why so much private data is known about them and many sad stories of key loggers getting their bank details and removing large amounts . It a lot easier to hack a wi-fi network than it is a LAN cable , most people allow remote access to their computers for social purposes , thats a start to easy access , I have that blocked . Even young people hack your wi-fi bandwidth and I can access , if I wanted to , apps that would not only allow me to “sniff ” other networks but to HACK them and can be available on the ordinary web not the “dark web “.

DerekP says:
6 August 2018

I tend to agree NFH. The opening Which? articles read like advertorials for VPNs and for Which? reviews of them.

I still won’t use “free” wifi if I don’t have to, but I have been content to use it in the past, especially when staying in hotels.

I remember when I was still at school being able to go to the local library and look up everyone who lived in my road, find their telephone numbers, check the rateable value and see how much in rates they paid on their house – but that was about it, and those opportunities are now closed to the law-abiding citizen. And the other big difference is that there was not much I could do with the information, and certainly not find out how much they had in the bank. Today we are all extremely exposed and, although I do not subscribe to all the dire warnings, hacking does happen and in the data trawl ordinary people get their personal information sold to fraudsters. I have never used free wi-fi and would not do so unless it was really necessary; it seems to me to be too easy a place for criminals to start – although the pickings might not be worth the effort.

Dire warnings could be counterproductive but this Conversation and maybe an accompanying article in the magazine could help people to realise that there are risks from using free WiFi services. There is now little incentive for me to use free WiFi when my laptop is already registered to access routers belonging to friends and family that I visit and that mobile network coverage has improved and allows me to tether to my own phone. Anything to do with banking is still done at home.

It is easy to see what others pay in council tax since the charge bands are published online, and so is the band for each property, at leasts in England. With the move to mobile phones and ex-directory landlines, phone numbers are less accessible but other residential phone numbers can easily be looked up.

I dont believe in waiting till after it happens the public should be kept informed as witnessed by the 100,s of posts in each convo relating to this issue , do you wait till that roof leak becomes a flood, or that rattle in the engine blows up on the motorway ? Its government and Google/Amazon/ etc policy to tell the public -get on the internet —its “”safe ” like hell it is ! I did like John,s comment –to law abiding citizens -that shows you the morality – of Google etc who have so much data that the NSA/CIA use it and have built a new super fast computer to store the fabled but real – Big Data . Its one thing backing government propaganda which aims to increase profit for businesses , its another when the WWW is filled with people complaining of being hacked . I told you both governments cant cope with all the hackers and are recruiting them but obviously not believed.

So what’s your solution, Duncan? Close down the free wi-fi services? If people stop using them that will happen anyway I suppose.

It has been no secret that GCHQ is recruiting people who have experience on the darker side of the web. It’s entirely believable and an obvious place to look for surveillance experts and interceptors and it has been extensively covered in the press.

John-The least you can morally do is keep people informed even if most ignore you , one or two might take note and thats one or two less people who could be hacked.

Absolutely, Duncan. I sometimes fear the message does not reach many people but perhaps they just don’t want to hear it.

In the scale of hacking sources, where does free wi-fi stand? Direct hacking of people’s accounts appears to be No.1. Insider hacking must be a high scorer. I don’t know enough about this to identify other hacking origins so free wi-fi could be a biggie.

Every new train and many older ones now come with free wi-fi as a government directive. Are travellers being placed in jeopardy by the government in promoting this use for idle brains and hands?

I occasionally used free WiFi until about three years ago. I think it was a combination of reading terms and conditions and receiving a few unwanted emails that put me off, but it’s possible that security concerns was another factor. Perhaps the last time I used free WiFi was on a very long train journey and it was only free for 15 minutes. After that I just used mobile broadband. I now see free WiFi as a small risk and not one I need to take.

Many rejected advice to install antivirus software on their computers years ago, but eventually complied. Sadly some waited until it was too late.

It’s difficult to quantify the risk of using free WiFi because that will depend on what it is being used for and the nature of the service offered.

Wavechange, believe it or not you can hack train wi-fi to get it free and its well publicised on the web.

I thought it was free on the train, as it is on the buses in my area. This is what puts more people at risk [if there is a serious risk].

I don’t doubt that but I will just continue to use mobile broadband when I can get a signal.

Before I answer that John both you and Wavechange have a look at LI-Fi – company based in Scotland but designed by Professor Harald Haas https://purelifi.com/technology/ then read – cyber criminals hacking passenger wi-fi on trains –dated -May-16-2018 https://www.informationsecuritybuzz.com/expert-comments/cybercriminals-hacking-passenger-wi-fi-on-trains/

I would prefer to have a link to British experience on trains if possible, Duncan.

I don’t really know, Duncan. I can see that the convenience of advance technology is going to be offset by security concerns in future. In the days of the transistor radio, pocket calculator and home computer I was an early adopter. Now I am not, for a variety of reasons and security is in there.

While I am getting a British answer for John here is how our security services watch your phone data Dear supporter,

You know that mobile phone you carry around with you every day? Well, the police can use intrusive ‘IMSI catchers’ to remotely and secretly identify you in public, based on your phone data. In effect, they can use an IMSI catcher to turn your phone into your ID card. And you wouldn’t even know that you’d been IDed.We are really worried about the police’s use of this highly intrusive and secretly deployed surveillance tech. After almost two years of effort to get more transparency from the police, today we filed an appeal challenging UK police forces’ refusal to disclose information on their use of IMSI catchers.

Some IMSI catchers can also intercept data, including the content of calls, text messages and internet traffic, and even edit your communications or block your service.

An IMSI catcher is able to gather data about everyone’s phone in its vicinity. The technology could be used at public events such as demonstrations to help identify everyone in attendance. You can read our explainer or take a look at our explainer graphic.We believe that you shouldn’t forfeit your privacy when you go out in public. And neither should you be identified simply because you are exercising a democratic right to peacefully protest on an issue you care about.

We will update you as our legal challenge proceeds. In the meantime, we want to raise public awareness about the police’s use of IMSI catchers, so please consider sharing our graphic on social media. Yes John this is British info as I opted for UK security info as some here dont like American info.

As a matter of interest, what is the source of that information, Duncan?

I don’t have a problem with it and most people have probably realised for some time that the security services have these resources. Those with nothing to hide have nothing to fear, and the notion that the police are going to make a list of everyone protesting about something or other is fanciful in my opinion.

Are you having a problem with your single apostrophe key? It’s being replaced by other symbols. Are you using the same key that has ‘@’ on it but without the shift? I have noticed for some time that you usually use a comma instead of an apostrophe for abbreviations and in the possessive sense.

You might not believe me John but am a member of a USA civil rights organization I had the choice of USA info or British so they send me British info, again its info I cant easily get in this country for some reason. The reason for the “gobbledygook ” is I transfer it wholesale from one browser to another then the whole lot gets posted here, I think it’s their way of showing they control the copyright. Try this source, John https://thebristolcable.org/2016/10/imsi/

But what’s the problem? I suppose if I’m talking to Ivan about smuggling the new codes for the palm-sized fusion reactor he’s selling me then there might be a problem. But otherwise my whereabouts are no secret, and I don’t care if anyone listens into my (comparatively few) ‘phone calls, except before Christmas,when I’m buying pressies.

And frankly, my credit card history says a lot more about me than any mobile ‘phone call possibly could. Should we all give up using them?

DerekP says:
7 August 2018

Also Ian, if I’m sat behind you, I can look over your shoulder and see exactly what you’re doing on your MacBook. My headcam will record everything you type.

Or I might sit next to you and strike up a conversation, i.e. for some “social engineering”, as they say in espionage circles.

And, never mind the authorities tracking you via IMSI, they’ve also got “public safety” CCTV and face recognition software.

I don’t know why some groups and individuals make out it’s so clandestine and that they’ve opened the lid on something frightful. So long as we have had security services we have had espionage, wire taps, surveillance, tracking, listening devices, and intercepts, The difference today is that we no longer need to have rooms full of spooks sorting it all out, taking it to pieces, and reassembling it in a card index. They can run it through a big computer and correlate it with all the other indices from DWP and HMRC to Ladbroke’s and Coral’s. It’s not what you gather but how you use it that’s important. I don’t think many people are getting the knock in the night despite the consternation.

They are in America John ,using AI to make judgement s has resulted in police “killings ” of innocent people , homes raided at 2.30am including the wrong homes due to computer data .

DerekP says:
8 August 2018

“…including the wrong homes due to computer data”

Straight of “Brazil” that one…

And it’s been happening here for as long as I can remember. No need for AI to manage that one…

Yes, Duncan; I am sure things are dreadful in America, but that isn’t the situation here so I am not going to worry about it.

You should John, everything that the US does “migrates ” over here, for those that think I am lying I could make them very embarrassed by posting actual-real American news items but it would take many web-pages to do it.

I don’t suppose anyone thinks you are lying, Duncan. We know how awful things can be in the USA. Did you see the programme on BBC2 with Ed Balls witnessing and reporting on Donald Trump’s America? Luckily, not everything that America does migrates over here. Now that we have stopped idolising all things American its influence has declined considerably. Recently, some of the really bad things have come from Russia. Take out the language, some shared history, and a diminishing amount of shared ancestry, and the USA and the UK don’t have that much in common actually.

Of course, if you wanted to establish the veracity of what you’re saying. Duncan, you don’t need to start “posting actual-real American news items”, simply the links…

I am waiting for a link myself Ian .

Okay John got a British one -Ken Munro-Partner at Pen Test Partners writing in the Global Railway Review https://www.globalrailwayreview.com/article/70324/hacking-train-wi-fi/ goes into technical detail , he is using gov.uk references -check References at the bottom.

Thank you for that, Duncan. It’s very interesting. It does not reveal how many hacking attempts on passengers’ data have occurred but the fact that it is possible because of inadequate protection from other channels is worrying; I hope the train operating companies and Network Rail are getting on top of this. Warnings in the carriages about the risks of using on-board Wi-Fi might be a good idea.

What is rather more disturbing to read in that document is that it is technically possible for an external agent to interfere with the digital train control system and the ‘driver to central control’ communications network because they are not sufficiently isolated from other data channels nor adequately protected from interference. Since the UK network still runs on static signalling there is time to get this right but there is a growing amount of automatic route setting, electronic train control, train system monitoring, and track condition surveying carried out by regular service trains that rely on secure radio and other telecoms links so any compromise to the fidelity of the systems must be prevented. Luckily for most safety-critical applications there are three data paths and at least two must be in concordance to execute a command. The digital railway is only a year or so away now and trials are already taking place.

DerekP says:
8 August 2018

“On no Thomas, you’ve been hacked!”

You can get Vaseline for your “hacks ” Derek.

Meanwhile back on topic, here is some advice from a commercial source: https://www.kaspersky.co.uk/resource-center/preemptive-safety/public-wifi-risks

Good advice.

Just use the free WiFi and enjoy life