Alarming media reports again this week warn that your iPhone’s default settings expose you and your data to hackers. Whether or not this threat affects you, it’s an easy setting to change and you should do that now. This is nothing new. NSA and law enforcement agencies have warned the same for years, but settings have not changed. “The risk is not merely theoretical,” NSA says. “Malicious techniques are publicly known and in use.”
We’re talking Wi-Fi and the little understood threat from “public” Wi-Fi networks. Despite what you might have read, there is little risk in connecting to reputable public Wi-Fi networks in hotels or airport lounges, even when traveling abroad.
As long as your internet traffic is encrypted, and you don’t log into new websites that pop up on your device when you connect, you will be okay. For additional security I recommend using a VPN — a reputable paid one of course — even though some agencies advise against personal VPNs, given the risk of data capture if you pick badly.
But that doesn’t mean your phone won’t be attacked — far from it.
The much more serious risk is rogue “public” Wi-Fi networks set up to trick users into thinking they’re reputable when they’re not. A Wi-Fi name playing on the name of a hotel or restaurant could belong to an attacker, looking to plant themselves between your device and the real access point. NSA warns that by doing this, “cyber actors [can] employ malicious access points redirecting to malicious websites, injecting malicious proxies, and eavesdropping on network traffic.”
Kaspersky describes such attacks as “the biggest threat to free Wi-Fi security,” explaining that a hacker can “position himself between you and the connection point. So instead of talking directly with the hotspot, you’re sending your information to the hacker, who then relays it on.” Clearly they can see the traffic before they relay it, if it’s not encrypted, and potentially they can push data to your device, or pop up phishing websites or fake login sites to trick you into giving away credentials. Anything more sophisticated than this would likely be a targeted attack. If you think that’s a risk for you, modify your behavior. Use a VPN and stick to cellular instead of public Wi-Fi.
As regards these new iPhone warnings, the change you need to make is very simple. Tap on Settings > Wi-Fi, and there you will see two options: “Ask to Join Networks” and “Auto-Join Hotspot.” Set the first to “Off” or “Ask,” never to “Notify.” The hotspot auto-join setting should be set to “Ask to Join” or “Never,” and not to “Automatic.”
This is nothing new. NSA’s warning dates back to 2021, although it’s still live and relevant, and I first warned about this setting even before that, back in 2020. But nothing seems to have changed in the interim and here we all are again.
There’s another change you can make as well, for additional security. In the Wi-Fi settings menu, click “Edit,” which you’ll see top-right, and navigate to “Managed Networks.” Then click the “i” next to each network and unclick “autojoin,” unless you’re very sure of the network and that you want to connect in the background.
Those networks are mostly provided by your cellular carrier. But above “Managed Networks” is a list of all Wi-Fi networks known to your iPhone, including where you used a password to connect. You can deselect autojoin the same way on some or all.
Meanwhile, keep those two threats in mind. Ensure your web browsing is encrypted — only use websites that display a padlock by the browser’s URL. And don’t enter credentials into popups or familiar websites that appear unexpectedly.