Is free wifi really that risky?

Dangerous might be too strong a word for everyday use. But free wifi carries real risks that most people ignore.

When you connect to free wifi at a Starbucks in Connaught Place, at the Pune airport, at a Cafe Coffee Day in Koramangala, or at a railway station waiting room, you are joining an open network. Open means anyone within range can connect. Unlike your home router, which has a password and a limited number of known devices, a public wifi network is shared with every stranger in the building. The guy two tables over at the cafe, the person sitting across the aisle in the departure lounge, the group of college students at the next bench on the railway platform. All of them are on the same network as you.

That matters because traffic on an open wifi network can be monitored by anyone else connected to it. The software required for this is free, runs on a regular laptop, and does not require any advanced technical ability to use. A person with modest computer skills and about thirty minutes of YouTube tutorials could set up a packet capture tool and start watching what other people on the same network are sending and receiving. In security research experiments conducted at Indian airports and cafes, researchers using nothing more than a standard laptop and a freely available tool called Wireshark were able to capture email addresses, browsing histories, and session tokens from other users on the same wifi network. No special equipment. No hacking expertise. Just a laptop and curiosity.

Does this mean someone is definitely snooping on you every time you connect to cafe wifi? No. Most of the time, nobody on the network is running a packet capture tool. Most people at a cafe are just drinking their coffee and scrolling through Instagram like you are. The odds of encountering an active attacker on any given visit to any given cafe are probably low.

But you have no way of knowing whether this time is the exception. There is no indicator on your phone or laptop that tells you someone else on the network is monitoring traffic. Your pages load normally. Your apps work fine. Your video calls connect. Nothing in your user experience changes when someone is intercepting your data. That is what makes public wifi risky in a way that is hard to gauge in the moment. The risk is invisible, and the absence of visible problems is not evidence that everything is fine.

The places in India where free wifi is most commonly used are also the places where large numbers of strangers congregate in close proximity. Railway stations served by RailWire, airports in Delhi, Mumbai, Bengaluru, Hyderabad, and Chennai, cafe chains like Starbucks, Cafe Coffee Day, and Blue Tokai, shopping malls like Phoenix Marketcity and Ambience Mall, co-working spaces, and hotel lobbies. These locations have hundreds or thousands of simultaneous connections on a single network, which means two things: first, an attacker blends in completely, and second, the potential pool of targets is large enough to make the effort worthwhile for someone with bad intentions.

Person connecting to free public WiFi with data interception shown as red streams

Can someone actually see my browsing on public wifi?

It depends on what you are doing and which websites you are visiting, and the answer has gotten more nuanced over the past few years as encryption has become more common.

If a website uses HTTPS, which you can identify by the padlock icon in your browser’s address bar, the content of your communication with that website is encrypted. An attacker sitting on the same wifi network cannot read the specific pages you visit on that site, the text you type into forms, the passwords you enter, or the messages you send. Most major platforms use HTTPS by default now. Gmail, Instagram, Facebook, Twitter, WhatsApp Web, all major Indian banking sites, Google Pay, PhonePe, Paytm, and Amazon and Flipkart all use HTTPS. So the actual content of your interactions with these platforms is protected by encryption even on an open wifi network.

But HTTPS has limits. Even when you are visiting an HTTPS site, an attacker on the same network can still see which websites you are visiting. They can see the domain names, meaning they know you went to gmail.com, then to your bank’s website, then to a health forum, then to a dating app’s web version. They cannot see what you did on those sites, but the list of sites you visited can be revealing on its own. They can also see how long you spent on each site and roughly how much data you transferred.

Then there are websites that still do not use HTTPS. There are fewer of these than there were five years ago, but they still exist. Smaller Indian websites, local news portals, some state government service pages, older forums, and various niche sites still run on plain HTTP with no encryption. Anything you type into a form on one of these sites while connected to public wifi is sent in plain text. If you enter your email address, your phone number, or a password on an unencrypted site, anyone monitoring the network can read it as clearly as if you wrote it on a piece of paper and held it up.

The more concerning scenario is something called a man-in-the-middle attack. To explain this without jargon: normally, when you connect to wifi and open a website, your phone talks directly to the wifi router, and the router talks to the internet. Think of the router as a postal worker who carries your letters back and forth. In a man-in-the-middle attack, someone inserts their device between your phone and the router. Your phone thinks it is talking to the router, and the router thinks it is talking to your phone, but actually there is a third device in between that is reading every piece of data that passes through.

The attacker does this using a technique called ARP spoofing. ARP is a protocol your devices use to figure out which device on the network is the router. The attacker sends fake ARP messages telling your phone “I am the router,” and telling the router “I am that person’s phone.” Both believe the lie, and now all your traffic flows through the attacker’s machine. Setting this up takes a few minutes with free, widely available software. You would never notice it happening. Your internet keeps working normally, pages load at the same speed, and nothing on your screen looks different. The only change is that a stranger is now reading everything you send and receive that is not encrypted.

On HTTPS sites, the attacker still cannot read the content because it is encrypted end-to-end between your browser and the website’s server. But on unencrypted sites, or for any app that does not properly encrypt its traffic, the man-in-the-middle sees everything. And even for encrypted traffic, they can see the metadata: which sites, when, for how long, and how much data.

How do fake wifi networks work?

These are called evil twin hotspots, and they are simpler to create than most people would expect.

Imagine you are at Indira Gandhi International Airport in Delhi. You are in the departure terminal, waiting for your flight, and you want to connect to wifi to kill time. You open your phone’s wifi settings and see several networks. “Airport_Free_WiFi.” “DEL_Airport_WiFi.” “DIAL_Free_Internet.” Which one is the real airport network? You probably tap the one that looks most official, or just try all of them until one works. But one of those networks might not be operated by the airport at all. It could be a fake network being broadcast from someone’s laptop a few seats away.

Setting up a fake wifi network requires nothing more than a laptop and a USB wifi adapter. The adapter costs less than 2,000 rupees on Amazon. With free software, the attacker creates a wifi network with a name that mimics the real network at that location. The fake network looks identical to the real one in your wifi settings list. There is no visual difference. No warning. No way to tell from the name alone.

Once you connect to the fake network, the attacker controls your internet connection. All your traffic flows through their laptop before reaching the actual internet. They can see all your unencrypted traffic. They can redirect you to fake versions of websites. When the fake network presents you with a login page that looks identical to the real airport wifi portal, and you type in your email address and phone number to connect, those details go straight to the attacker. If the fake login page asks you to sign in with Google or Facebook, and you do, the attacker captures those credentials too.

This attack works especially well at busy locations where multiple wifi networks are visible and nobody knows which one is legitimate. Railway stations, airports, hotel lobbies, and large cafes are ideal settings because the volume of people makes it impossible for anyone to notice or question a new network appearing in the list.

Your phone can make the problem worse. When you connect to a wifi network, your phone saves the network name. The next time your phone detects a network with that same name, it connects automatically without asking you. This means that if you connected to “CCD_Free_WiFi” at a Cafe Coffee Day once, your phone will automatically connect to any network called “CCD_Free_WiFi” that it encounters in the future, even if that network is being run by an attacker in a completely different location. The attacker does not even need to be at a Cafe Coffee Day. They just need to broadcast a network with the same name, and your phone will walk right into it.

Jio hotspots present a similar concern. Jio offers free wifi at many locations across India, and millions of phones have saved Jio wifi network names. An attacker broadcasting a network named “JioNet” or “JioNet_5G” in a crowded area could catch dozens of phones auto-connecting without their owners even realising it.

The fix is simple but tedious, and most people never bother with it. After disconnecting from any public wifi network, go into your phone’s wifi settings and tap “Forget this network.” This removes the saved network name and prevents auto-connection in the future. On Android, you can find this in Settings, then Network and Internet, then Wi-Fi, then tap the network name, then Forget. On iPhone, go to Settings, then Wi-Fi, tap the (i) icon next to the network, then Forget This Network. It takes about five seconds and eliminates the auto-connect risk entirely.

Should I use a VPN every time?

If you are going to use public wifi for anything beyond watching videos or reading news, then yes, a VPN is a good idea. A VPN encrypts all the traffic between your device and the VPN server, which means even if someone on the same wifi network is monitoring traffic or running a man-in-the-middle attack, all they see is encrypted gibberish. They cannot see which websites you visit, what data you send, or what you receive.

Two free VPN options that are trustworthy and work well in India are ProtonVPN and Cloudflare WARP. ProtonVPN is made by the same company that runs ProtonMail, has a free tier with unlimited data and servers in multiple countries, and has been independently audited for security. Cloudflare WARP is simpler and faster, designed more for speed than for privacy features, but it encrypts your connection effectively and is completely free. Either one is a solid choice for protecting yourself on public wifi.

The honest answer is that a VPN is not necessary for everything. If you are just reading news articles, watching YouTube, or browsing Wikipedia on public wifi, the risk of interception is low and the consequences of interception are minor. Nobody gains much from knowing that you watched a cooking video at the airport. A VPN adds the most value when you are doing things where interception would cause real damage: logging into accounts, checking email, making payments, accessing work documents, or doing anything that involves passwords, personal information, or financial data.

Avoid free VPN apps from unknown developers. The Google Play Store is full of free VPN apps with millions of downloads and vague privacy policies. Many of these apps do the opposite of what they promise. They log your browsing activity and sell it to advertisers and data brokers. Some inject ads into your browsing. Some have been found to contain malware. A bad VPN is worse than no VPN because it gives you a false sense of security while actively harvesting your data. Stick with established, audited providers.

Are airport and hotel wifi networks safer?

Not meaningfully safer from a technical standpoint, no. Airport wifi and hotel wifi are still open networks shared with large numbers of strangers. An attacker at Bengaluru airport blends into the crowd just as easily as an attacker at a random cafe. The networks at major Indian airports like Delhi, Mumbai, Bengaluru, Hyderabad, Chennai, and Kolkata handle thousands of simultaneous connections, which means the potential for interception exists at scale.

But the bigger issue with airport and railway station wifi in India is not the risk from attackers on the network. It is the data collection by the wifi providers themselves.

RailWire, the wifi service available at over 6,000 Indian railway stations, is operated by RailTel Corporation. To connect, you need to provide your phone number and verify it with an OTP. Every session is logged: your phone number, the station, the date and time, the duration of your session, and your browsing activity. RailWire’s privacy policy states that this data can be used for “analytics and marketing purposes” and may be shared with “business partners and affiliates.” Millions of commuters use RailWire daily on their way to work, at their station of departure, during connections, and at their destination. Each use adds another data point linking their phone number to a time and location. Over weeks and months, this builds a pattern of where someone travels and when.

Airport wifi works the same way. At Delhi’s IGI Airport, Mumbai’s Chhatrapati Shivaji Maharaj International, and Bengaluru’s Kempegowda International, the free wifi tier typically requires your phone number or a social media login. Some airports have advertising partnerships where the registration data feeds into traveller profiles. Which airports you visit, how frequently you fly, what time you travel, what you browse while waiting for your flight. When you register with your phone number, that number becomes the link connecting your airport wifi session to any other data the advertising partner already has about that number.

Some airports offer a premium wifi tier that promises faster speeds in exchange for logging in with your Google or Facebook account. Be cautious with this. Depending on the OAuth permissions requested, you might be sharing your name, email address, profile photograph, and contact list just to get thirty minutes of faster internet while you wait for boarding.

Hotel wifi tends to be password-protected, which gives people a false sense of security. The password is usually printed on a card at the front desk or is the room number or the hotel name followed by a few digits. Every guest in the hotel has the same password. A password-protected network where everyone knows the password is not much different from an open network in terms of security. The encryption only protects against outsiders who do not know the password. Other guests, who all have the same password, can still intercept traffic on the network using the same tools that work on open networks.

Mall wifi at places like Phoenix Marketcity, Ambience Mall, DLF Mall of India, and Select Citywalk also collects data. Even when you do not connect, if your phone’s wifi is turned on, the mall’s systems can detect your phone’s wifi probe requests and log your device’s presence. The mall knows you walked through on Tuesday evening, spent forty-five minutes in the food court area on Thursday, and have visited three times this month. All from your phone’s wifi signals, without you ever connecting to the network or agreeing to anything.

Phone showing free WiFi networks list with warning icons on unsecured networks

One rule that covers most situations

Mobile data is safer than public wifi by a wide margin. Your cellular connection runs through your telecom operator’s encrypted network. An attacker cannot intercept it by sitting nearby with a laptop. They would need a fake cell tower, which is expensive, illegal, and extremely difficult to deploy without detection. The gap between the difficulty of intercepting wifi traffic and the difficulty of intercepting cellular traffic is enormous.

India has some of the cheapest mobile data in the world. A Jio prepaid plan gives you 1.5 GB per day for around 189 rupees per month. Airtel and Vi offer similar plans in the 200 to 300 rupee range. At those prices, your daily data allowance costs less than a cup of tea at most cafes. The financial argument for using public wifi instead of mobile data has mostly disappeared in India over the last few years. Unless you are downloading large files or streaming video for hours, a standard mobile data plan covers normal daily usage with room to spare.

There are situations where public wifi is your only realistic option. Basements with no cellular coverage. Remote areas where network signal drops to zero. Locations inside large buildings where walls block mobile signals. Situations where you need to download a large file and your data limit is close to being used up. In those cases, use a VPN. Turn it on before connecting to the wifi network. ProtonVPN or Cloudflare WARP, both free, both reliable. The VPN encrypts your traffic so that even if someone is monitoring the network, they cannot read anything useful.

But for most daily use, the rule is simple.

Use mobile data for anything involving money or passwords. Banking, UPI, logging into email. Save the free wifi for YouTube and reading articles. That one rule covers ninety percent of the risk.

A few additional habits that help: keep your phone’s wifi turned off when you are not actively using it, which prevents automatic connections to remembered networks and blocks passive tracking by mall and store wifi systems. Forget public networks after disconnecting, which removes them from your phone’s saved networks list and prevents the evil twin auto-connect problem. Check your phone’s saved wifi networks list every month or so and delete any you do not recognise or no longer need. These are small habits that take seconds each and remove a meaningful amount of risk over time.

If you travel frequently by train and use RailWire often, consider using a secondary phone number for wifi registration, one that is not linked to your bank accounts, UPI, or primary online identity. The same goes for airport wifi. A secondary SIM from Jio or Airtel costs almost nothing and keeps your primary number out of wifi provider databases.

None of this requires technical knowledge. None of it costs money. It is just a set of small decisions, each one taking a few seconds, that together make public wifi significantly less risky. Perfect security does not exist, but a reasonable level of caution eliminates most of the practical threats that ordinary people face on public networks in India.