Using WiFi safely

WiFi is now so much a part of everyday life that it’s hard to imagine what we would do without it. But its very ubiquity is what makes it so risky. We are used to being online all the time and our devices tend to be set up to make that as easy as possible. Unfortunately, ease of use comes at a price and that price is security. So why not take a few minutes and read the FFT primer on safe wireless access?

How often do you visit a coffee shop and jump on the open WiFi network? No need for a password, just connect and you’re online. It’s almost too easy.

Well, actually it is too easy. No password means nothing to stop someone accessing the data that’s being transferred. Sure, secure websites (using HTTPS) encrypt your web traffic but that doesn’t stop other valuable information being intercepted and decrypted.

It’s worth remembering that WiFi broadcasts data to everyone in reach of the signal and so anyone in the vicinity can receive it. You are only as strong as the encryption on the WiFi connection and on many open WiFi hotspots there is no protection at all.

And that’s assuming that the WiFi hotspot is what it says it is. The even bigger risk is that we tend to try to find a hotspot that offers free connectivity. Attackers know this and so it’s trivially simple for them to take advantage of it and set up a connection that appears to provide internet access but is actually channeling everything through a malicious network.

Is this just alarmist conjecture? Well, not according to Europol. It sponsored a project to investigate and says, “We have got reports from member states that criminals have provided free WiFi in areas where they want to steal people’s information. So we have already seen this in operation.”

You don’t need to be an IT guru to create a fake WiFi hotspot or to monitor the traffic on a real one. YouTube has plenty of videos that will explain how to do it step by step. There’s a purpose-built version of Linux that has all the tools required to monitor a WiFi connection, capture data transferred over it, decrypt that data and set up a hotspot.

Of course, you don’t actually need to go to the trouble of creating a hotspot. Most of us leave our WiFi connectivity activated when we travel around. This means that our smartphones and laptops are constantly transmitting signals to check whether there’s a network available to which we’ve connected before. In itself, that information could be valuable in building up a profile about you.

So, we have a technology that more than 75% of UK households use but which is inherently insecure. How on earth could we have ended up like this? Well, the reality is that WiFi was never designed to do what we expect it to do today. It was designed to provide connectivity, not to provide secure connectivity.

This has been exacerbated by the increasing move towards blending WiFi and cellular connectivity to provide a more seamless user experience. Go down an escalator in the London Underground and you’ll see this in operation. Make no mistake, ubiquitous connectivity combining WiFi and cellular is a reality being devoutly pursued in order to ensure we are connected wherever we are.

This means that it’s essential to take some basic precautions when we use WiFi, whether at home or in public.

It’s simpler at home. The network is under our control so at least we don’t have to rely on anyone else to stay safe. First, change the defaults. Don’t use the network (SSID) name that the router comes with -- but don’t replace it with something that could identify you (one security researcher tells a story about locating a celebrity because he’d used his own name for his home WiFi). While you’re changing the network name, update the administrator password and make sure it’s not accessible remotely over the web. And check the firmware is up to date.

When leaving home, we should get into the habit of turning off our WiFi. Yes. This is a hassle. But it’s easy to demonstrate the amount of information about us that our devices leak through WiFi so it’s worth the effort. Using WiFi in public places is a risk so we need to assess what we’re doing and decide whether it has to be done right there and then. If it involves sensitive or valuable information, then perhaps it can wait. The analogue equivalent is the businessman (yes, it’s usually a bloke) braying sensitive information in the airport lounge. Of course, there will be times when there’s work that has to be done. If so, a Virtual Private Network (VPN) is essential. This cannot guarantee safety but, once launched, it will protect any data transferred over the network by encrypting it.

Wherever we use WiFi, we should check the encryption being used. The Wired Equivalent Privacy (WEP) protocol has been vulnerable to password cracking since 2001. The WiFi Alliance officially retired it in 2004 but, despite offering no effective protection at all, it’s still used. WiFi Protected Access (WPA), WEP’s replacement, was an improvement but is also vulnerable. The latest protocol is WPA3 which is replacing WPA2, but researchers have already found vulnerabilities in the new version.
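One way to run that check on a Linux laptop is to rate each nearby network by the weakest protocol it advertises. This is an added example, not part of the original guide; it assumes the terse `SSID:SECURITY` output of `nmcli -t -f SSID,SECURITY device wifi list` with tokens such as `WEP`, `WPA1`, `WPA2` and `WPA3`, and the sample scan is constructed.

```python
# Ratings follow the article: open and WEP give no real protection,
# WPA is vulnerable, WPA2 and WPA3 are the current protocols.
RANK = {"open": 0, "wep": 1, "wpa": 2, "wpa2": 3, "wpa3": 4}
TOKENS = {"WEP": "wep", "WPA": "wpa", "WPA1": "wpa", "WPA2": "wpa2", "WPA3": "wpa3"}
ADVICE = {
    "open": "no encryption: avoid, or use a VPN or mobile data",
    "wep": "WEP: retired in 2004, treat as unencrypted",
    "wpa": "WPA (possibly mixed mode): vulnerable, avoid for sensitive work",
    "wpa2": "WPA2: current, being replaced by WPA3",
    "wpa3": "WPA3: latest protocol",
    "unknown": "unrecognised security field: check manually",
}

def split_terse(line):
    """Split one `nmcli -t` line on ':'; a backslash escapes the next char."""
    fields, cur, chars = [], "", iter(line)
    for ch in chars:
        if ch == "\\":
            cur += next(chars, "")
        elif ch == ":":
            fields, cur = fields + [cur], ""
        else:
            cur += ch
    return fields + [cur]

def classify(security):
    """Rate a network by the weakest protocol it advertises (conservative)."""
    words = security.replace("--", "").split()
    if not words:
        return "open"
    known = [TOKENS[w] for w in words if w in TOKENS]
    return min(known, key=RANK.get) if known else "unknown"

def audit(scan_output):
    """Return (ssid, rating, advice) for each network, weakest first."""
    rows = []
    for line in filter(str.strip, scan_output.splitlines()):
        ssid, security = (split_terse(line) + [""])[:2]
        rating = classify(security)
        rows.append((ssid or "<hidden>", rating, ADVICE[rating]))
    return sorted(rows, key=lambda r: RANK.get(r[1], -1))

# Constructed sample scan in the assumed SSID:SECURITY terse format.
SAMPLE = "CoffeeShop_Free:\nCafe\\: Guest:WEP\nOldRouter:WPA1\n" \
         "HomeNet:WPA1 WPA2\nOffice:WPA2 802.1X\nNewAP:WPA3\n"

if __name__ == "__main__":
    for ssid, _, advice in audit(SAMPLE):
        print(f"{ssid:18} {advice}")
```

A network in mixed mode (for example `WPA1 WPA2`) is rated by its older protocol because it still accepts clients using it.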

For anything sensitive, we believe it's safer to use mobile data, especially given the enormous allowances that many cellular plans provide. 

We demonstrate just how insecure WiFi is with a device the size of a cigarette pack that anyone can buy for £120. The issues with public WiFi have been catalogued since 2001 and are common knowledge. Now we are all used to being connected seamlessly wherever we go, it’s not much of a leap for criminals to spot the opportunity. We shouldn’t let them capitalize on it.
