We've all used public Wi-Fi: it's free, saves on your data allowance, and is always helpful in speeding up loading times.You might love public Wi-Fi—but so do hackers.Here are just a few ways cybercriminals can hack devices on public Wi-Fi, get access to your private data, and potentially steal your identity. And, because sometimes you've very little choice but to use public Wi-Fi, how you can protect yourself from public Wi-Fi hacking.

1. Man-in-the-Middle Attacks

A Man-in-the-Middle (MITM) attack is a cyberattack whereby a third party intercepts communications between two participants. Instead of data being shared directly between server and client, that link is broken by another element.

The uninvited hijacker could then present their own version of a site to display to you, adding in their own messages.

Anyone using public Wi-Fi is especially vulnerable to MITM attacks. Because the information transmitted is generally unencrypted, it's not just the hotspot that's public; it's your data too.

A compromised router can vacuum up a lot of personal material relatively simply: hackers getting into your emails, for instance, gives them access to your usernames, passwords, private messages, and plenty more. They could even visit services, click the "Forgot your Password?" options, and reset your credentials, locking you out of all your accounts.

How to Protect Yourself From MITM Attacks

Public Wi-Fi might not be encrypted, but most major sites that request a password like PayPal, eBay, and Amazon employ their own encryption techniques. Check for this by looking at the URL. If it's an HTTPS address—that additional "S" meaning "Secure"—there's some level of encryption.

Don't input any data if you see a notification that a site might not be genuine, even if you're desperate. Most browsers will give you a warning message if you visit an unsecured site.

2. Fake Wi-Fi Connections

identical outfits

This variation of an MITM attack is also known as the "Evil Twin". The technique intercepts your data in transit, but bypasses any security systems a public Wi-Fi hotspot might have. Victims could be handing over all their private information, merely because they were tricked into joining the wrong network.

It's fairly easy to set up a fake Access Point (AP), and is well worth the effort for cybercriminals.

They can use any device with internet capabilities, including a smartphone, to set up an AP with the same name as a genuine hotspot. Any transmitted data sent after joining a fake network goes via a hacker.

How to Protect Against Evil Twin Hacks

There are some tips to keep in mind on how to spot "Evil Twin" public Wi-Fi. Be suspicious if you see two similarly-named network connections. If they're associated with a shop or eatery, talk to the staff there.

If you're at work and spot a fake AP, alert management.

You should also consider using a data-scrambling Virtual Private Network (VPN). This establishes a level of encryption between the end-user and a website, so potential intercepted data is unreadable by a hacker without the correct decryption key.

3. Packet Sniffing

It's an amusing name, but the actual practice of "packet sniffing" is far from a laughing matter. This method enables a hacker to acquire airborne information then analyze it at their own speed.

A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. That's right: it's free.

You'll even find "how to" guides online, teaching you how to use Wireshark. It can be used to analyze web traffic, including (ironically) finding security threats and vulnerabilities that need patching.

Packet sniffing is relatively simple, and not even illegal in some cases. IT departments do this regularly, ensuring safe practices are maintained, faults are found, and company policies are adhered to. But it's also useful for cybercriminals.

Hackers can obtain an abundance of data then scan through it at their leisure for important information like passwords.

How to Protect Against Packet Sniffing

You need to rely on strong encryption, so invest in a VPN and make sure sites requiring private information have SSL/TSL certificates (i.e. look for HTTPS).

4. Sidejacking (Session Hijacking)

Sidejacking relies on obtaining information via packet sniffing. Instead of using that data retroactively, however, a hacker uses it on-location, in real-time. Even worse, it bypasses some degrees of encryption!

Login details are typically sent through an encrypted network and verified using the account information held by the website. This then responds using cookies sent to your device. But the latter isn't always encrypted—a hacker can hijack your session and gain access to any private accounts you're logged into.

While cybercriminals can't read your password through sidejacking, they could download malware to obtain such data, including on video chat platforms like Skype. Furthermore, they can get plenty of information to steal your identity. A wealth of data can be inferred from your social media presence alone.

Public hotspots are especially appealing for this hack because there's typically a high percentage of users with open sessions.

How to Protect Against Session Hijacking

Standard encryption methods combat sidejacking, so a VPN will scramble information to and from your device.

As an added security measure, make sure you always log out when you're leaving a hotspot, or you risk letting a hacker continue to use your session. With social media sites, you can at least check the locations where you're logged in then sign out remotely.

5. Shoulder-Surfing

watching while entering your PIN
Image Credit: Richard/ Flickr.

This might seem obvious, but we often forget these sort of simple security measures.

Whenever using an ATM, you should check those around you, making sure no one's peeking as you enter your PIN. It's also a danger when it comes to public Wi-Fi. If someone is hovering around when you're visiting private sites, be suspicious. Don't submit anything personal like a password. It's a very basic scam, but one that certainly still works for hustlers and hackers.

A "shoulder surfer" might not even need to be behind you: just watching what you type can give criminals something to work with.

How to Protect Against Shoulder Surfers

Be vigilant. Know who's around you. Sometimes, paranoia can help. If you're not sure of those around you, don't go on anything private.

Don't underestimate the importance of what you're filling out or reading either: medical information can be useful to identity thieves, for example. If it's a document or webpage you wouldn't want anybody else seeing, take precautions to stop that from happening.

Another option is to purchase a privacy screen; these limit what people see on your screen.

How Can VPNs Protect Against Public Wi-Fi Hacking?

The core concern with public Wi-Fi is the lack of encryption. VPNs scramble your personal information so without the correct decryption key, it can't be read (in most cases, anyway). If you regularly use hotspots, a VPN is essential.

Fortunately, you can find VPNs that are completely free, both for laptops and devices like smartphones. But you should stay open-minded and consider paying for one too; it's worth it to save your personal information.

The vast majority of us use public Wi-Fi, but we need to be more careful about it.