What an eavesdropper sees when you use an unsecured Wi-Fi hotspot

“You’ve probably read at least one story with warnings about using unsecure public Wi-Fi hotspots, so you know that eavesdroppers can capture information traveling over those networks,” Eric Geier reports for PC World.

“But nothing gets the point across as effectively as seeing the snooping in action,” Geier reports. “So I parked myself at my local coffee shop the other day to soak up the airwaves and see what I could see.”

Geier reports, “My intent wasn’t to hack anyone’s computer or device—that’s illegal—but just to listen. It’s similar to listening in on someone’s CB or walkie-talkie radio conversation. Like CBs and walkie-talkies, Wi-Fi networks operate on public airwaves that anyone nearby can tune into.”

Read more, including how to use Wi-Fi hotspots securely, in the full article – recommended – here.


  1. A brief list of approaches and solutions:

    Using iOS devices over Wi-Fi in open Wi-Fi spots remains dangerous. There are some solutions with more on the way.

    Web: The best approach if you’re using the web is to only connect to any website via HTTPS (via SSL/TLS). If a website doesn’t offer HTTPS, rant like hell at them as there is no excuse not to us HTTPS these days. No excuse. Nope. No excuse. None.

    Email: Seek out an encrypted email app.

    On the Mac, it can be useful to use:

    1) Keep your Mac’s firewall ON
    2) SFTP (not FTP).

    1) DNSCrypt (In perpetual beta at OpenDNS.org)
    2) HTTPS Everywhere (from EFF.org)
    Again: There is no excuse for websites to not use HTTPS.

    1) Use Apple’s TLS certificate when sending iCloud via Mail to allow source to server encryption. Other email services offer their own source to server encryption.
    2) Encrypt your email via PGP/GPG, but keep in mind that your receiver must be using it as well.

    1) Use an end-to-end encrypted synchronizing service. (Ideally, the service should use pre-encryption BEFORE sync in order to stop unconstitutional US federal snooping crime at the server end of the service, etc. Examples: Arq and SpiderOak).

    Please add to my list…

    1. Using https is expensive for the operator. There’s the small matter of getting a certificate from a CA (not cheap) and the considerable rigmarole with all the verification stages on has to go through to get one

      A better solution: IPv6.


      1. Yes, ’tis true. Some certificate authorities are more reasonably priced than others. But if you’re a commercial website, I still contend: No Excuses. None. 👿

        IPv6 has security built into the protocol. Someday the WORLD will be on IPv6! But not much of the world so far. 🙁

  2. His info is incorrect in one regard, right at the end. On an encrypted hotspot using WPA or newer, each individual session with each individual device is separately and individually encrypted, using MAC address, device name and timestamp info to make the key individualized to that session and that device.

    Others can NOT read unencrypted traffic for such sessions, even if logged into the same router!

  3. This is why what you want to do is go into a public spot, broadcast your own WiFi signal like “StarBucks Free WiFi!” or some such nonsense. Set it up so that when people connect they can connect to a fake version of some of the more popular social networks like FaceBook. When they try you give them a realistic looking login failure, but meanwhile you’ve captured their username and password and most likely they use that same password everywhere.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.