The security of any Wi-Fi connection depends entirely on the encryption protocol used. It’s crucial to understand the difference between outdated and modern standards.

While the ancient WEP protocol can be cracked in seconds today and should no longer appear in any configuration, WPA2 (Wi-Fi Protected Access 2) remains the global standard. It uses strong AES encryption, which is generally considered secure. However, WPA2 has a vulnerability in the so-called “handshake”—the moment when the device and router agree on a password. Attacks were possible at this point in the past (keyword: KRACK).

The future therefore belongs to WPA3. This new standard closes the gaps of its predecessor with a method called SAE (Simultaneous Authentication of Equals).

The decisive advantage: Even if a user chooses a relatively weak password for their Wi-Fi, WPA3 prevents attackers from guessing this password offline through brute-force attacks. Users who can should therefore switch their router to “WPA2/WPA3 Mixed Mode” or, if all devices support it, to pure WPA3.

Public Wi-Fi networks in hotels, trains, or cafes are convenient, but from a technical perspective, they are “untrusted networks.” Anyone who has to use them should establish multiple lines of defense.

The most important protection is a VPN (Virtual Private Network). A VPN establishes an encrypted tunnel through the insecure public Wi-Fi network. Even if a hacker is sitting in the same cafe and intercepting the data traffic (“sniffing”), they will only see an unreadable data stream. The endpoint of this tunnel is a secure server belonging to the VPN provider or even your own router at home.

Additionally, you should disable the automatic connection function. Smartphones constantly send out search requests (“probe requests”) to find known networks. This not only reveals where you’ve previously connected (e.g., “WiFi_Company_Mueller”, “Hotel_Paris”), but also makes the device vulnerable to the Evil Twin attacks described above. Therefore, regularly delete old Wi-Fi profiles or disable the “Auto-connect” function for public networks.

This not only reveals your previous network locations (e.g., “WiFi_Company_Mueller”, “Hotel_Paris”), but also makes the device vulnerable to the Evil Twin attacks described above. Therefore, regularly delete old Wi-Fi profiles or disable the “Auto-connect” function for public networks.

An often overlooked point is tracking. To prevent department stores or airport operators from creating movement profiles of you, modern smartphones use randomized MAC addresses. This means that the phone identifies itself to each Wi-Fi network with a new, randomly generated hardware address, instead of displaying its real, unchanging identifier. This feature should always remain enabled on Android and iOS.

A frequently discussed question among security-conscious users is whether to disable Wi-Fi on their smartphones at home to minimize potential attack surfaces.

Why a permanent connection at home is secure

Unlike public hotspots, in your home network you have full control over the environment (“Trusted Environment”). If your router is running the latest software and protected by a strong, unique password and WPA2/WPA3 encryption, the risk of an external attack is extremely low. A hacker would have to be physically near your home and then specifically attempt to break your encryption – an effort that is highly unlikely for the average user.

The term “network segmentation” sounds complicated, but the principle behind it is simple. Imagine your home network as a house.

The scenario without segmentation (The “open house”)

In a typical home network, all devices are in the same “room.” Your laptop, smartphone, smart refrigerator, and security camera are all located in the living room.

• The problem: If an intruder (hacker or virus) climbs in through an unsecured window (e.g., a cheap smart bulb or an infected app on your phone), they are standing right in the middle of the room. They can immediately go to the desk where your PC with your banking information is located, or to the cabinet with your private photos (NAS drive). There are no obstacles.

The scenario with segmentation (The “Guesthouse principle”)

With network segmentation, your router builds a solid wall. He divides the network into two (or more) separate areas:

• The main network (The vault): This is where only your trusted, critical devices (PC, laptop, data storage/NAS) are located.
• The guest network (The conservatory): This is where devices that need internet access but don’t need to access your sensitive data are located (smart lights, robot vacuums, the PlayStation, and, of course, your smartphone).

How does this work technically?

• The router acts as a gatekeeper.
• Towards the Internet: The router allows both rooms (main network and guest network) to access the internet. So you can easily browse, stream, and chat on the guest Wi-Fi.
• Towards the In: The router rigorously blocks any attempt by a device from the “conservatory” (guest Wi-Fi) to open the door to the “vault” (main network).

Wi-Fi security requires a nuanced approach. In public spaces, the principle of “Zero Trust” applies: distrust any open network and consistently use VPN services and tracking protection.

At home, however, the benefits of a stable Wi-Fi connection far outweigh the theoretical risk. As long as the router is properly configured, you can and should leave Wi-Fi enabled on your smartphone to ensure updates and backups. Those who want to maximize security can use segmentation via a guest network instead of sacrificing convenience.