According to Forbes, the U.S. Transportation Security Administration (TSA) and Google have issued a stark warning for travelers to avoid using free public WiFi networks, calling them “easily exploited.” This alert comes as the holiday travel season gets underway and follows news from the Australian Federal Police about a man jailed for creating “evil twin” WiFi networks on a domestic flight to steal personal data and intimate material. Cybersecurity firm Zimperium warns that travel hubs like airports and hotels are “rich hunting grounds” for such attacks, and experts like BeyondTrust’s James Maude stress that the real danger is users falling for fake login pages on these malicious networks, not just connecting to an open WiFi point.
Why this isn’t just fearmongering
Look, we’ve all heard the “don’t use public WiFi” lecture before. And it’s true, a lot of your daily app traffic is encrypted now. So why is the TSA, of all agencies, banging this drum? Here’s the thing: they’re not really talking about someone snooping on your encrypted Instagram feed. They’re talking about the “evil twin.” Basically, it’s stupidly easy for a hacker to set up a network named “Free Airport WiFi” or “Starbucks WiFi” right next to the real one. Your phone sees it, you connect, and bam—you’re in their trap. All your data flows through their server. The recent case from Australia proves this isn’t theoretical; it happened at 35,000 feet. So the threat has evolved from simple snooping to full-on identity capture.
The real risk is you
And that’s where the experts get specific. James Maude from BeyondTrust hits the nail on the head: the core issue isn’t the WiFi signal itself. It’s what happens next. When you connect to a fake network, you’ll often get a pop-up login page that looks legit. It might ask for your hotel room number, your airline frequent flyer details, or even just an email to “get access.” That’s the golden ticket for attackers. As Maude says, attackers know “it is easier to log in than hack in.” They don’t need to break encryption; they just need you to hand over your credentials willingly. This is just another form of phishing, but the network is the bait. The FTC’s own guidance echoes this, advising extreme caution on public networks.
What should you actually do?
So, do you need to live in a digital bunker? Not exactly. But you do need to shift your mindset. First, be deeply suspicious of any network that asks for personal info to connect. A truly free public WiFi shouldn’t need your email. Second, use your phone’s mobile hotspot if you can. It’s your own private, encrypted bubble. Third, if you must use public WiFi, use a reputable VPN—it creates a secure tunnel for your data. And finally, enable multi-factor authentication (MFA) on everything important. As Zimperium warns, travelers are rushed and multitasking, which makes them perfect targets. Slow down and think before you click “connect” and certainly before you type a password.
The bigger picture
This TSA warning is a sign of the times. Our digital identities are now the primary target, and the attack surface is everywhere—even in the airport lounge. Google’s own 2025 threat report highlights the rise of text-based scams, showing how attackers blend methods. The “evil twin” is just one tool in the kit. As the Australian case shows, the consequences can be severe and deeply personal. The advice for this holiday season and beyond is simple, if slightly annoying: treat free WiFi like a stranger offering you candy. It might be fine, but the risk isn’t worth the reward. Protect your identity first, and the network connection becomes a lot less important.
