Public Wi-Fi Defensive Computing

BEING SAFE on PUBLIC WI-FI

Public Wi-Fi is always dangerous, whether a password is required or not.

AVOIDING

One way to avoid public Wi-Fi is to use the 4G/LTE/5G data connection on a phone. With the hotspot feature, this data connection can be shared with a laptop. To do this, the phone creates a Wi-Fi network that the laptop connects to. Use a long WiFi password One, or both, of the devices should be connected to a VPN (more on VPNs below).
If possible, keep your main/regular computing devices away from public networks. A Chromebook is a great substitute as many things can be done in a web browser and they are much more immune to attack.
Even with all the protection in the world, there are some things, such as banking, that are best avoided on any public network.

INTERNET PROTECTION

Wi-Fi networks are like children, the people who create it can give it any name at all. Bad guys can create wireless networks with the same name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non techies can not distinguish an Evil Twin from the legit network it is pretending to be. Neither can a computer/phone/tablet, which will happily connect to the evil twin network. In addition to a name, each Wi-Fi network also has a MAC address (or multiple in the case of Mesh). But, even if you had software that displayed the MAC address, no public network tells you what the MAC address should be anyway. And, even if you knew, for example, that the network was created by a Netgear router, the MAC address can be spoofed by the bad guy running the Evil Twin.
Always use either a VPN or Tor on public Wi-Fi. If the VPN/Tor connection completes successfully, then an Evil Twin network can see nothing but encrypted junk. Even without an Evil Twin, both Tor and a VPN hide your Internet activity from the router creating the public network and the ISP providing it Internet access. A simple way to verify that a VPN or Tor is working is to check your Public IP address before and after connecting. When using a VPN, also check your DNS servers before and after. There is much more on VPNs, in the VPN topic here.
When you join a Wi-Fi network, you are assigned not only a local IP address, but also DNS servers. DNS is the system that translates a website name (cnn.com) into an IP address. Malicious DNS can send you to scam copies of websites or all sorts of malicious websites. The fake CNN site says you need to download software and bingo, your computer is hacked. Eating food found in the street is as just as safe as using DNS services from strangers. Another advantage to using a VPN is that it provides its own DNS services and those should be more trustworthy than DNS from strangers. Also, many VPN providers have tester web pages that confirm you are using their DNS system. DNS can get fairly complicated as there is an old insecure DNS system and a newer secure DNS flavor. There is much more on this on the test your DNS page at my RouterSecurity.org site.
Regardless of the DNS system the public network wants to use, and regardless of the DNS system your VPN wants to use, you can force desktop web browsers to use the newer secure DNS flavor from a trusted DNS provider. Again, this is just for one browser, not for all installed browsers and certainly not for the entire operating system. There are two types of secure DNS, DoH and DoT, both are fine. Again, more about this on the test your DNS servers page on my Router Security site.
A public Wi-Fi network will always learn the MAC address of the Wi-Fi adapter in your computing device, even when using a VPN. A MAC address is fairly unique, so in the old days it could be used to track you, even across different public networks. Now, many operating systems have an option to create a different MAC address for each different Wi-Fi network the device connects to. On both Windows 10 and Android 13, this feature is an attribute of each Wi-Fi network, there is no system-wide setting. Windows 10 calls it "Random Hardware Addresses", Android 13 calls it a "Randomized MAC". As of 2023, this is probably the default, still verify that this option is being used on your devices.
Note that a hotel offering an Ethernet port in your room is just as insecure as any public Wi-Fi network. The same rules/considerations apply.
Many Wi-Fi devices will automatically re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget about it.
- iOS instructions are in the iOS topic.
- Windows 10: System Settings -> WiFi Settings -> Manage known networks -> click on an SSID, then the gray Forget button.
- macOS: Wi-Fi symbol -> Network Preferences -> Advanced -> Preferred Networks -> Click on an SSID -> click the minus sign -> OK
- Android systems vary, search in the Settings for "Saved networks"
Disable Wi-Fi when you are not using it. It is not sufficient to simply disconnect from a public network.
In the old days, the fear with public Wi-Fi was limited to people intercepting plain text HTTP. Most websites now use HTTPS which encrypts data in transit and as a result some Art History Majors in the tech press argue that there is no need for a VPN. They are wrong. HTTPS is both flawed and complicated and it should not be your sole defense. The Qualys SSL Server Test is an excellent site for illustrating both the complexity of HTTPS and that many websites do it poorly. Also, you can not tell if a mobile app is using HTTPS or not. And, your operating system is always communicating in the background in ways that are not visible. There is no easy way to know if your OS is sending encrypted data or not. The solution: Tor or a VPN.
Consider a privacy screen protector to, hopefully, block people sitting nearby from seeing what you are doing on the screen. 3M sells privacy screens for laptops, tablets and phones. Both Dell and Lenovo sell them for their laptops. See Laptop Privacy Filters: What to Look For and Why You Need One by Brett Nuckles (June 2018)
FYI: Securing Wireless Devices in Public Settings from the NSA. July 2021. Turn these things off when you don't need them: Bluetooth, NFC, Wi-Fi. When possible, avoid public Wi-Fi altogether. Insure that the file sharing feature of your operating system is disabled. This mentions evil twin networks but offers no defense. When you are done with the public Wi-Fi network, log out of it and tell your OS to forget about it.

LAN SIDE PROTECTION

On a public network is it very likely that all the other users on the local network can see and try to contact your device. You need just as much protection on the LAN side, as you do on the WAN/Internet side.

A travel router offers the ultimate LAN side protection when using public networks. The router connects to the public network via Wi-Fi and then your device connects to the travel router, either via Ethernet or a private Wi-Fi network created by the travel router. The firewall in the travel router protects and hides your device(s). A LAN scan by bad guys only sees the travel router, your device is hidden. Likewise the router running the public WI-Fi network only sees the travel router. Up the security as high as it will go by running VPN client software in the travel router and have it make its own VPN connection.
Without a travel router, there is another way to hide on a network: a VPN. Some (not all, probably not most) VPN client software can block LAN side access while the VPN is connected. As with a travel router, bad guys can not attack a computer they can't see. The terminology for this feature is all over the map: Mullvad calls this "Local network sharing", IVPN calls it "Allow LAN traffic when IVPN firewall is enabled", Windscribe calls it "Allow LAN traffic", ProtonVPN calls it "Allow LAN connections" and OVPN calls it "Communicate with LAN devices". A couple warnings: 1) Any one VPN company may not offer this option on every operating system. 2) Test this to insure that the blocking works and that it works in both directions. To me, this seems like a very important feature, something worth switching VPN providers to get.
Speaking of hiding on the LAN: In August 2021, I wrote Hiding on a Wi-Fi network, about my stay at a Bed and Breakfast. The owners of the Inn told guests to use the private, password protected network, which, at first, I did. But, when I scanned for nearby networks, I saw that the Eero system they were using also had an open (no password) Guest network. I opted to use the Guest network because there, none of the other Guests could see my device. For over-the-air encryption, I used a VPN.
If you are not hidden, by either a travel router or a VPN, then the classic defense is the firewall in your device. The best way to look for holes in the firewall is to use the nmap utility to check all 65,500 TCP ports. Any open port can be trouble. This needs to be done on your home LAN, the online testers are pretty useless. Note that iOS always has an open port (at least one) that can not be closed.
Disable any file sharing options in your operating system.
On Apple devices, turn off Air Drop.
On iOS devices: Settings → privacy → Local network → review the apps that are allowed to communicate on the LAN
Even without open ports in a firewall, another device on a public network might be able to exploit a bug in your device, so keep your device up to date on bug fixes.