BEING SAFE on PUBLIC WI-FI
TOPICS BELOW: Avoiding, Internet Protection, LAN Side Protection, SSIDs and Privacy
Public Wi-Fi is always dangerous, whether a password is required or not.
AVOIDING
- One way to avoid public Wi-Fi is to use the 4G/LTE/5G data connection on a phone. With the hotspot feature, this data connection can be shared with a laptop. To do this, the phone creates a Wi-Fi network that the laptop connects to. Use a long Wi-Fi password for the hotspot. One, or both, of the devices should be connected to a VPN (more on VPNs below).
- If possible, keep your main/regular computing devices away from public networks. A Chromebook is a great substitute as many things can be done in a web browser and they are much more immune to attack.
- Even with all the protection in the world, there are some things, such as banking, that are best avoided on any public network.
INTERNET PROTECTION
- Wi-Fi networks are like children: the people who create them can give them any name at all. Bad guys can create wireless networks with the same name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non-techies cannot distinguish an Evil Twin from the legit network it is pretending to be. Neither can a computer/phone/tablet, which will happily connect to the Evil Twin network. In addition to a name, each Wi-Fi network also has a MAC address (or multiple in the case of Mesh). But, even if you had software that displayed the MAC address, no public network tells you what the MAC address should be anyway. And, even if you knew, for example, that the network was created by a Netgear router, the MAC address can be spoofed by the bad guy running the Evil Twin.
- Always use either a VPN or Tor on public Wi-Fi. If the VPN/Tor connection completes successfully, then an Evil Twin network can see nothing but encrypted junk. Even without an Evil Twin, both Tor and a VPN hide your Internet activity from the router (or Access Point) creating the public network and from the ISP providing the Internet access. A simple way to verify that a VPN or Tor is working is to check your public IP address before and after connecting. When using a VPN (this does not apply to Tor), also check your DNS servers before and after. There is much more on VPNs in the VPN topic.
- Some VPN client software offers an option to block communication with other devices on the LAN. When using any public network, this option should be enabled (if it exists).
- When you join a Wi-Fi network, you are assigned not only a local IP address, but also DNS servers. DNS is the system that translates a website name (cnn.com) into an IP address (151.101.131.5). Malicious DNS can send you to scam copies of websites or to all sorts of malicious websites. The fake CNN site says you need to download software and Bingo, your computer is hacked. Eating food found in the street is just as safe as using DNS services from strangers. Another advantage to using a VPN is that it provides its own DNS services. If your VPN is trustworthy, its DNS servers will be more trustworthy than DNS from a coffee shop, hotel or airport. In addition, many VPN providers offer ad blocking, tracker blocking and other types of DNS based filtering, which makes you safer still. DNS can get fairly complicated, as there is an old insecure DNS system and a newer secure DNS flavor. Many VPN providers have a tester web page that confirms you are using their DNS system. There is much more on DNS on the test your DNS page at my RouterSecurity.org site.
- Regardless of the DNS system the public network wants to use, and regardless of the DNS system your VPN wants to use, you can force desktop web browsers to use the newer secure DNS flavor from a trusted DNS provider. Again, this is just for one browser, not for all installed browsers and certainly not for the entire operating system. There are two types of secure DNS, DoH and DoT, both are fine. Again, more about this on the test your DNS servers page on my Router Security site.
- A public Wi-Fi network will always learn the MAC (Media Access Control) address of the Wi-Fi adapter in your computing device, even when using a VPN. A MAC address was intended to be globally unique, so in the old days it could be used to track you, even across different public networks. Now, many operating systems have an option to create a different MAC address for each different Wi-Fi network the device connects to. This feature is an attribute of a Wi-Fi network, so it can be on for one SSID and off for another. Windows 10 calls it a "Random Hardware Address", Android 13 and 14 call it a "Randomized MAC", iOS 17 calls it a "Private Wi-Fi Address" and it spits out a Privacy Warning when the option is disabled. Obviously, Apple can not refer to it as a MAC address because they make Mac computers. But to the rest of the world, the thingie being discussed here is a MAC address. As of 2023, this is probably the default, still, verify that this option is being used when connected to a public network. Interestingly, this is one area where ChromeOS falls down, as it does not support a randomized MAC address (last verified November 2024 with ChromeOS version 130).
- Note that a hotel offering an Ethernet port in your room is just as insecure as any public Wi-Fi network. The same rules/considerations apply.
- Many Wi-Fi devices will automatically re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget about it.
- iOS instructions are in the iOS topic.
- Windows 10: System Settings -> WiFi Settings -> Manage known networks -> click on an SSID, then the gray Forget button.
- macOS: Wi-Fi symbol -> Network Preferences -> Advanced -> Preferred Networks -> Click on an SSID -> click the minus sign -> OK
- Android systems vary; search in the Settings for "Saved networks".
- Disable Wi-Fi when you are not using it. It is not sufficient to simply disconnect from a public network.
- In the old days, the fear with public Wi-Fi was limited to people intercepting plain text HTTP. Most websites now use HTTPS, which encrypts data in transit, and as a result some Art History Majors in the tech press argue that there is no need for a VPN. They are wrong. HTTPS is both flawed and complicated and it should not be your sole defense. The Qualys SSL Server Test is an excellent site for illustrating both the complexity of HTTPS and that many websites do it poorly. Also, you cannot tell if a mobile app is using HTTPS or not. And, your operating system is always communicating in the background in ways that are not visible. There is no easy way to know if your OS is sending encrypted data or not. The solution: Tor or a VPN.
- Consider a privacy screen protector to, hopefully, block people sitting nearby from seeing what you are doing on the screen. 3M sells privacy screens for laptops, tablets and phones. Both Dell and Lenovo sell them for their laptops. See Laptop Privacy Filters: What to Look For and Why You Need One by Brett Nuckles (June 2018).
- FYI: Securing Wireless Devices in Public Settings from the NSA, July 2021. Turn these things off when you don't need them: Bluetooth, NFC, Wi-Fi. When possible, avoid public Wi-Fi altogether. Ensure that the file sharing feature of your operating system is disabled. This mentions Evil Twin networks but offers no defense. When you are done with the public Wi-Fi network, log out of it and tell your OS to forget about it.
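The MAC address bullet above says to verify that the randomized address option is actually in use on a public network. As an added example (not from this page), this Python script decides whether an adapter's current address is OS-assigned or vendor burned-in by checking the locally administered bit (0x02 in the first octet), which the randomized addresses generated by Windows, Android, iOS and macOS set; the `ip link` output and addresses are constructed samples, and the function names are my own.

```python
import re

# Constructed sample of `ip link show` output (not a real capture). wlan0 has an
# OS-assigned (randomized) address, eth0 a vendor burned-in one.
SAMPLE_IP_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 3c:52:82:11:22:33 brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 7a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
"""

# Accepts colon (Linux/macOS) or dash (Windows ipconfig) separators.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:[:-][0-9A-Fa-f]{2}){5}$")


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set.

    Vendor burned-in addresses have this bit clear; the randomized addresses
    that the OS privacy options generate set it, so it is a usable signal that
    the option is in effect on the current network."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(m.group(1), 16) & 0x02)


def parse_ip_link(text: str) -> dict:
    """Map interface name -> MAC address from `ip link show` style output."""
    macs, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^\d+:\s+([^:@]+)", line)
        if head:
            iface = head.group(1)
            continue
        link = re.search(r"link/ether\s+([0-9a-fA-F:]{17})", line)
        if link and iface:
            macs[iface] = link.group(1).lower()
    return macs


def audit(text: str) -> dict:
    """Map interface -> 'randomized' or 'burned-in' (hypothetical helper)."""
    return {i: "randomized" if is_locally_administered(m) else "burned-in"
            for i, m in parse_ip_link(text).items()}


if __name__ == "__main__":
    for iface, verdict in audit(SAMPLE_IP_LINK).items():
        print(f"{iface}: {verdict}")
```

On a real machine, feed it the output of `ip link show` (Linux) or paste the adapter's physical address from `ipconfig /all` into `is_locally_administered`; a "burned-in" verdict on the Wi-Fi adapter while on a public network means the privacy option is off for that SSID.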
LAN SIDE PROTECTION
On a public network it is very likely that all the other users on the local network can see and try to contact your device. You need just as much protection on the LAN side as you do on the WAN/Internet side.
- A travel router offers the ultimate LAN side protection when using public networks. The router connects to the public network via Wi-Fi and then your device connects to the travel router, either via Ethernet or a private Wi-Fi network created by the travel router. The firewall in the travel router protects and hides your device(s). A LAN scan by bad guys only sees the travel router; your device is hidden. Likewise, the router running the public Wi-Fi network only sees the travel router. Up the security as high as it will go by running VPN client software in the travel router and having it make its own VPN connection.
- Without a travel router, there is another way to hide on a network: a VPN. Some (not all, probably not most) VPN client software can block LAN side access while the VPN is connected. As with a travel router, bad guys cannot attack a computer they can't see. The terminology for this feature is all over the map: Mullvad calls this "Local network sharing", IVPN calls it "Allow LAN traffic when IVPN firewall is enabled", Windscribe calls it "Allow LAN traffic", ProtonVPN calls it "Allow LAN connections" and OVPN calls it "Communicate with LAN devices". A couple of warnings: 1) Any one VPN company may not offer this option on every operating system. 2) Test this to ensure that the blocking works and that it works in both directions. To me, this seems like a very important feature, something worth switching VPN providers to get.
- Speaking of hiding on the LAN: In August 2021, I wrote Hiding on a Wi-Fi network, about my stay at a Bed and Breakfast. The owners of the Inn told guests to use the private, password protected network, which, at first, I did. But, when I scanned for nearby networks, I saw that the Eero system they were using also had an open (no password) Guest network. I opted to use the Guest network because there, none of the other Guests could see my device. For over-the-air encryption, I used a VPN.
- If you are not hidden, by either a travel router or a VPN, then the classic defense is the firewall in your device. The best way to look for holes in the firewall is to use the nmap utility to check all 65,500 TCP ports. Any open port can be trouble. This needs to be done on your home LAN, the online testers are pretty useless. Note that iOS always has an open port (at least one) that can not be closed.
- Disable any file sharing options in your operating system.
- On Apple devices, turn off Air Drop.
- On iOS devices: Settings → Privacy → Local Network → review the apps that are allowed to communicate on the LAN.
- Even without open ports in a firewall, another device on a public network might be able to exploit a bug in your device, so keep your device up to date on bug fixes.
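For the nmap check in the firewall bullet above, here is an added Python example (not from this page, and not a tool the page describes) that reads the grepable output of a full-range scan (`nmap -p- -oG - <your-laptop-ip>`, run from another machine on your home LAN), lists every TCP port reported open, and flags the ones that are not on an allow-list of ports you intended to expose; the scan output and addresses are constructed, and the function names are my own.

```python
import re

# Constructed sample of `nmap -p- -oG -` output (hypothetical address).
# One port is deliberately open that the owner did not expect (445).
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -p- -oG - 192.168.1.23
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Each entry in the grepable Ports: field looks like port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def open_ports(grepable: str) -> dict:
    """Map host -> [(port, service), ...] for TCP ports nmap reports as open."""
    found = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports: field ends at the tab before "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if proto == "tcp" and state == "open":
                found.setdefault(host, []).append((int(port), service))
    return found


def unexpected_open(grepable: str, allowed: set) -> dict:
    """Open TCP ports per host that are NOT on the allow-list.

    An empty dict means every open port was one you intended to expose;
    anything else is a hole in the firewall to investigate."""
    out = {}
    for host, ports in open_ports(grepable).items():
        bad = [(p, s) for p, s in ports if p not in allowed]
        if bad:
            out[host] = bad
    return out


if __name__ == "__main__":
    # The owner only meant to expose SSH (22) on this laptop.
    for host, ports in unexpected_open(SAMPLE_NMAP_OG, {22}).items():
        for port, service in ports:
            print(f"{host}: unexpected open TCP port {port} ({service})")
```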
SSIDs AND PRIVACY
Wi-Fi devices generally keep a record of the networks/SSIDs they have connected to. This makes it easy or automatic to re-connect to known networks. Fine. Except, when they broadcast this list, it exposes the places you have visited to anyone able to record this broadcast. It may also expose where you live or work.
For some additional privacy, periodically review the list of saved SSIDs and delete the ones you do not expect to use in the future (or the ones you do not want anyone to know about).
- iOS version 17: Settings -> Wifi -> Edit (link in the top right corner)
- Windows 10: Settings -> Network and Internet -> Wi-Fi -> Manage known networks -> Click on a network -> Then click the gray Forget button
- Android 14 (on a Pixel phone): Settings -> Network and Internet -> Internet -> Saved Networks -> Click on an SSID you want to delete, then Forget.
- macOS: See Apple's support article "How to forget a Wi-Fi network on iPhone, iPad, or Mac" (last updated September 16, 2024). The procedure is different on macOS Ventura and later compared to earlier macOS versions.
- ChromeOS 130: In the bottom right corner of the screen, click on the Time and Wi-Fi indicator. In the pop-up window, click on the gear icon at the bottom next to the battery percentage. Then click on Wi-Fi (the current SSID is just underneath it). Then Known networks. Click on any network you want to forget, then on the Forget button.