To see what potential hackers could see on a shared network, we invited professionals from cybersecurity company Avast to “compromise” my home network (all with my consent). We logged onto the same network at the same time, just like we would at a coffee shop, to see how much data a bad actor with a few free tools could learn about an unassuming WiFi user.
What we found might be a relief for the coffee shop crowd.
After a few minutes clicking around my finance, work, streaming and social media accounts, Avast’s team could see the sites I’d visited (though not what I’d done there), the time of day and the specific device I used (in this case, a MacBook Pro). It’s not nothing, but it wouldn’t do hackers much good if they were looking to rip me off. It’s also relatively reckless for hackers to sit around messing with public networks, said Chester Wisniewski, a principal research scientist at security company Sophos.
“That type of data isn’t only low yield, it’s high risk,” he said. “If I can phish your password from my chair in Moldova and have zero risk of going to jail, why would I get on an airplane and go to your local Starbucks?”
In the internet’s earlier days, the vast majority of web traffic was unencrypted — meaning anyone savvy enough to eavesdrop on a network could see everything you type into a website. By 2017, the balance had shifted, with more than half of all web traffic using the encrypted “HTTPS” protocol you may recognize from the top of your browser, according to data pulled from the Firefox browser. Today, few legitimate sites remain unencrypted, with more than 90 percent of webpages loaded in the United States obscured from prying eyes, according to the Firefox data. (If you’re curious whether a given site is encrypted, look for “HTTPS” in the URL, or site address. Pages with “HTTP” are unencrypted. Unfortunately, there’s no way to tell at a glance if a mobile app encrypts its traffic.)
This means even if someone used a public network to spy on you, what they’d discover probably wouldn’t be very valuable, Wisniewski said.
Government employees, dissidents and anyone else dealing with sensitive data can use a trusted virtual private network (VPN) to cloak their activities, said Russ Housley, founder of cybersecurity consultancy Vigil Security. Since VPNs hide your IP address and web activity from everyone except the VPN provider, they help guard against both hacking and invasive advertising. Keep in mind that not all VPNs are trustworthy and many fail to protect against government surveillance if you’re traveling overseas, Housley noted.
Still, for the rest of us, public WiFi networks aren’t totally threat-free. Mom-and-pop shops are unlikely to keep up with necessary WiFi maintenance such as firmware updates and strong passwords, said Aaron Rinehart, co-founder and chief technology officer at cybersecurity company Verica. A truly committed criminal could impersonate a public network or website to try to steal credentials, he said.
But that’s a lot less likely than someone taking advantage of, say, your reused passwords or outdated software. Focus your energies on cybersecurity chores within your control — such as setting strong passwords, saying “yes” to software updates and learning the signs of a scam — and don’t sweat the public WiFi too hard.
“Generally, using public WiFi is safe so long as your computer is up to date and you encrypt all of your data,” said Eric Rescorla, chief technology officer at Firefox-maker Mozilla.
If a site, link or app seems sketchy, steer clear. And check out our Cybersecurity Reset guide for more tips on avoiding hackers and malware.