The Hidden Dangers of Free WiFi

Free WiFi Is Everywhere — And So Are the Risks

Airports, train stations, hotels, coffee shops, restaurants, shopping malls, co-working spaces — free WiFi has become as expected as running water in public places. We connect without a second thought. We check our email while waiting for a flight, review bank statements over hotel WiFi, and browse social media at the corner cafe. It feels harmless. After all, millions of people do it every day.

But free WiFi is one of the easiest attack vectors cybercriminals exploit. A 2024 study by the WiFi security firm Coronet found that nearly 40% of public WiFi hotspots use no encryption whatsoever. Another survey by NordVPN revealed that 1 in 4 travelers have been hacked while using public WiFi abroad. The numbers are uncomfortable, but the reality is worse: most victims never even realize it happened.

The person sitting three seats away from you at the airport departure gate, casually working on their laptop, could be silently intercepting every unprotected request leaving your device. The equipment required costs under $100. The skills required can be learned from a YouTube tutorial in an afternoon.

The 5 Biggest Threats on Public WiFi

1. DNS Hijacking

This is arguably the most dangerous and least understood attack on public WiFi. On your home or office network, your DNS requests — the lookups that translate domain names like mybank.com into IP addresses — go to your ISP's servers or a trusted provider like Cloudflare or Google. On a malicious WiFi network, the router controls the DNS. And whoever controls the DNS controls where your browser actually goes.

This is not a theoretical attack. It is trivially easy to execute. Any laptop with freely available tools can act as a rogue WiFi hotspot with a custom DNS server. The attacker does not need to break any encryption — they simply answer your DNS questions with lies.

2. Man-in-the-Middle (MITM) Attacks

In a MITM attack, the attacker positions themselves between your device and the internet. Every packet you send passes through them first. They can read it, log it, modify it, or inject entirely new content into the pages you see. On an unencrypted WiFi network, this requires nothing more than enabling packet capture.

Even HTTPS does not make you fully immune. Sophisticated attackers use SSL stripping techniques to downgrade your connection, or present forged certificates. If a user clicks "proceed anyway" on a browser certificate warning — and studies show that a surprisingly high percentage do — the attacker gains full visibility into encrypted traffic. Hardware tools like the WiFi Pineapple have turned MITM attacks into a push-button operation, literally designed for penetration testers but freely available to anyone.

3. Evil Twin Networks

You are at a hotel. You open your WiFi settings and see two networks: Hilton_Guest_WiFi and Hilton_Guest_WiFi. They look identical. One is the hotel's legitimate network. The other is a laptop in room 412 broadcasting the same network name with a stronger signal. Your phone auto-connects to the strongest signal — which is the attacker's.

Once connected to the evil twin, all your traffic flows through the attacker's machine. They now have the same capabilities as a MITM attacker — with the added advantage that you voluntarily connected to them.

4. Session Hijacking (Sidejacking)

Even if a website uses HTTPS for the login page, session management can be flawed. After you log in, many websites issue a session cookie — a small token that proves you are authenticated. If that cookie is transmitted over an unencrypted connection at any point, or if the site has mixed-content issues, an attacker on the same WiFi can capture it.

With your session cookie, the attacker does not need your password. They paste the cookie into their own browser, and they are you — with full access to your email, social media, cloud storage, or shopping accounts. The session remains valid until you explicitly log out or the cookie expires, which could be days or even weeks.

5. Malware Distribution

The captive portal — that "agree to our terms" page that appears when you first connect to a hotel or airport WiFi — is itself a potential attack vector. A compromised or malicious captive portal can serve drive-by downloads, display fake "your browser is outdated — click here to update" pop-ups, or exploit browser vulnerabilities to install malware silently.

Some compromised WiFi networks go further: they intercept legitimate software download requests and replace the file with a trojanized version. You think you are downloading a PDF reader update; you are actually installing a keylogger. This technique, called a watering hole attack, is particularly effective because the user initiates the download themselves.

Why VPN Isn't Always the Answer

"Use a VPN" is the standard security advice for public WiFi, and it is not wrong — a good VPN encrypts all traffic between your device and the VPN server. But in practice, VPNs come with real-world friction that limits their effectiveness:

• Many free VPNs are themselves data collectors. A 2023 investigation by Top10VPN found that 72% of free VPN apps on the Google Play Store contained at least one tracking library. You are replacing one surveillance risk with another.
• VPNs add latency and slow your connection. Your traffic is encrypted, routed to a distant server, decrypted, then sent to its destination. The round trip adds 30-80ms of latency and often cuts throughput by 20-40%.
• Some public WiFi networks block VPN connections. Hotels, airports, and corporate guest networks frequently block VPN protocols (OpenVPN, WireGuard, IPSec) to prevent bandwidth abuse or enforce their own content policies.
• Battery drain on mobile devices. Maintaining an always-on encrypted tunnel consumes significant battery, especially on cellular fallback.
• You have to remember to turn it on. Every time. On every network. Most people forget, especially when they are in a hurry at an airport gate.

Perhaps most importantly: a VPN does not protect you from malicious domains. If you click a phishing link while connected to a VPN, the VPN dutifully encrypts your connection to the phishing server. It delivers your credentials securely — to the attacker.

How Encrypted DNS Protects You on Public WiFi

DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNS-over-QUIC (DoQ) encrypt your DNS queries between your device and a trusted DNS resolver. This single change neutralizes several of the attacks described above:

• DNS hijacking becomes impossible. The malicious router cannot intercept or forge DNS responses because the queries are encrypted end-to-end with the trusted DNS server. The attacker sees an encrypted stream they cannot read or modify.
• DNS snooping is eliminated. On unencrypted WiFi, anyone can see every domain you look up — revealing which sites you visit, which apps you use, and your behavioral patterns. Encrypted DNS hides all of this.
• Evil twins lose their primary weapon. Even if you accidentally connect to a malicious network, the attacker cannot manipulate your DNS to redirect you to fake sites.

Encrypted DNS is also lighter than a VPN. Only the DNS lookup is encrypted through the secure tunnel. The actual web traffic uses standard HTTPS — which is already encrypted for over 95% of websites. You get protection where it matters most without the overhead of tunneling everything.

DNS Filtering on Public WiFi — Double Protection

Encrypted DNS alone prevents DNS hijacking and snooping. But when combined with DNS filtering, you get a second layer of defense that actively blocks threats:

• Phishing domains are blocked before they load. Even if you click a malicious link in an email or on a compromised page, the phishing domain simply does not resolve. Your browser shows an error instead of a convincing fake login page.
• Malware distribution domains are neutralized. The "update your browser" scam domains, the trojanized download servers, the command-and-control servers that malware phones home to — all blocked at the DNS level before any connection is made.
• Tracking injection is stopped. Some public WiFi operators inject tracking scripts or advertising into your browsing through DNS manipulation. DNS filtering blocks these tracking domains entirely.
• Ad injection from captive portals is prevented. Aggressive captive portals that insert ads into your browsing sessions rely on resolving ad-serving domains. DNS filtering cuts them off at the source.

Think of it as a personal firewall that travels with your device. It does not matter which network you connect to — the protection is always active, always up-to-date, and requires zero interaction from you.

How to Set It Up — 2 Minutes, Any Device

The setup is a one-time configuration. Once done, every WiFi network you join is automatically protected:

• Android (9+): Settings → Network & Internet → Private DNS → enter your DoT hostname (e.g., yourconfig.saas.unveildns.com). Done. Every app, every browser, every network.
• iPhone / iPad: Download a DNS configuration profile from your provider (one tap to install). It configures DoH system-wide, including cellular. Works across all apps.
• Windows 10/11: Settings → Network & Internet → your connection → DNS server assignment → set your DoH server address. Native support since Windows 11.
• macOS: System Settings → Network → your connection → DNS → set your encrypted DNS provider. Or install a configuration profile for system-wide DoH.
• Browsers (Chrome, Firefox, Edge): All three support DoH directly in their settings. Search for "secure DNS" or "DNS over HTTPS" in your browser settings. This protects browser traffic even if the OS-level DNS is not configured.

The Checklist — Before You Connect to Free WiFi

1. Is your encrypted DNS configured? Verify that DoH or DoT is active on your device. This is your first line of defense against DNS hijacking.
2. Is DNS filtering enabled? Confirm your DNS provider is actively blocking phishing, malware, and tracking domains — not just encrypting queries.
3. Verify the network name with staff. Ask a hotel receptionist or barista for the exact WiFi name. Do not guess between similar-looking SSIDs.
4. Avoid accessing sensitive sites if possible. Banking, healthcare portals, and tax filings can wait until you are on a trusted network. If you must, double-check the URL and certificate.
5. Forget the network when you leave. Go to your WiFi settings and remove the network after you are done. This prevents your device from auto-connecting next time you are in range.
6. Layer a VPN for maximum protection. On high-risk networks (airports, conferences), use a reputable VPN on top of encrypted DNS for belt-and-suspenders security.