Hacklore ...

What Hacklore gets wrong, and the precursor to https://lolwifi.network

When CISOs Miss the Point: A Response to Hacklore.org's WiFi Advice


Introduction

In November 2025, a group of current and former Chief Information Security Officers released an open letter through hacklore.org, claiming to correct persistent myths about digital risk. Their first target? The advice to avoid public WiFi.

Their argument boils down to: "Large-scale compromises via public WiFi are exceedingly rare today. Modern products use encryption technologies to protect your traffic even on open networks."

This would be compelling if it addressed the actual risks of public WiFi. It doesn't.

The hacklore.org letter ignores two fundamental categories of WiFi risk:

  1. Chapter One: The Attack Surface - Network-level threats from malicious operators, rogue access points, and compromised infrastructure
  2. Chapter Two: The Surveillance Economy - Industrial-scale data harvesting by "legitimate" WiFi providers

After examining both, we'll explore why these CISOs failed on this: they're thinking like cyber security engineers instead of information security officers.

The correct advice remains unchanged: If you can use your personal hotspot, you should.


CHAPTER ONE: The Attack Surface

The Network You Cannot Verify

When you join an untrusted public WiFi network, you're granting network-layer access to an infrastructure you cannot verify, operated by parties you cannot assess, with attack surfaces you cannot inspect.

The hacklore.org CISOs claim "large-scale compromises via public WiFi are exceedingly rare."

How would they know? Being pedantic, there's no unified infrastructure to measure, correlate, or report WiFi network attacks.

We only know about WiFi attacks when attackers get caught - Russian intelligence operations making headlines, airport hackers getting too greedy. The successful attacks? The quiet ones? No measurement infrastructure. No correlation system. No data.

The Measurement Problem

To claim attacks are "rare," you'd need:

  • Victims who know they were attacked - Most WiFi attacks are silent. MAC address tracking doesn't throw an error. DNS hijacking looks like normal browsing. Captive portal credential harvesting is indistinguishable from legitimate authentication, whether you fell for a solicitation or a capable attacker is sitting on a badly configured network.
  • Attribution to WiFi - If your credentials get stolen via a rogue captive portal and used three weeks later, you'll blame phishing or a data breach, not that coffee shop WiFi.
  • Data collection infrastructure - Who's tracking WiFi-based attacks? Not WiFi providers (they're often doing the tracking). Not victims (most don't know it happened). Not law enforcement (unless there's financial fraud). Not security vendors (no visibility into public networks).
  • Correlation and reporting - Unlike data breaches (mandatory disclosure) or malware infections (antivirus telemetry), there's no central database tracking WiFi attacks across locations.

The hacklore.org CISOs are claiming "attacks are rare" based on an absence of evidence that couldn't exist in the first place.

That's not data-driven security guidance. That's assuming safety from silence.


What Can Happen When You Join

The hacklore.org letter focuses on TLS encryption. But TLS doesn't protect you from network-layer attacks that happen before your first HTTPS request.

Attacker-Owned or Compromised Networks

A fake access point is, in principle, a solicitation attack - just like phishing. Once you've decided to join that network, the hard part is mostly over. The attacker controls the captive portal and what happens next.

Captive Portal Exploits:

  • Request installation of "required" root certificates (giving MITM capabilities)
  • Prompt for VPN profiles or configuration files (malicious profiles are serious threats to mobile devices)
  • Enumerate systems for exploitation (port scanning, responder, brute force)
  • Social engineer credentials ("Sign in with your corporate account to access WiFi")
  • Fingerprint your device and browser in detail
  • Push payloads, harvest credentials, manipulate DNS

Network-Layer Attacks:

  • ARP spoofing and DNS hijacking
  • DHCP option injection
  • Malicious DNS responses (pointing legitimate domains to attacker infrastructure)
  • Traffic manipulation before TLS even starts
  • Downgrade attacks against older protocols
  • Service discovery exploitation (mDNS, SSDP, LLMNR)

Client-to-Client Attacks (on networks without isolation):

  • Port scanning your device
  • Exploiting network services (SMB, SSH, open ports)
  • Broadcast/multicast injection
  • Local privilege escalation attempts
  • Mobile device vulnerabilities (especially older Android devices)

Well-Intentioned but Misconfigured Networks

Even legitimate networks create risk when misconfigured:

  • No Client Isolation: Your device is visible to every other connected client — coffee shop patrons scanning for vulnerable devices, conference WiFi with hundreds of unknown attendees, hotel networks with guests from around the world
  • Weak or Missing Authentication: Open networks or a shared PSK (Pre-Shared Key) mean anyone can join and intercept handshakes
  • Outdated Infrastructure: Router/AP vulnerabilities, weak encryption protocols (WPA2 with KRACK vulnerabilities), insecure management interfaces
  • Admin Interface with Weak or Default Credentials: whoever logs in controls the network

The Schrödinger Problem

When you're looking at available WiFi networks, you face an impossible verification problem:

  • Can I be sure the network is good? Generally, no.
  • Can I be sure the network is bad? Generally, no.
  • Can I be sure my personal hotspot grants me more security? Yes.

You cannot detect if there's an attacker on the network. Not because they're definitely there. Not because they're definitely not there. Because there's no infrastructure to correlate, measure, and report on WiFi attacks.

An attacker running a rogue access point looks identical to a legitimate network. An attacker performing ARP spoofing on a coffee shop WiFi is indistinguishable from normal traffic to the victim. A malicious captive portal requesting credentials appears the same as a legitimate one.

We only hear about WiFi attacks when someone gets caught. The Russian intelligence officer running operations from hotel WiFi. The airport hacker who gets too hak5ey. The ones who make spectacular mistakes that land them in the news.

The attacks that succeed quietly? The ones where no one gets caught? There's no data. No reporting. No measurement infrastructure to even know they happened.

When evidence for or against something is unobtainable, you work with the art of the possible.

The Diversity Problem: Privilege Masquerading as Security Advice

The hacklore.org CISOs assume everyone runs "modern devices" with "automatic updates." This is security advice for the privileged, dressed up as universal guidance.

Their advice presumes:

  • You can afford to replace devices when they stop receiving security updates
  • You have the technical literacy to enable automatic updates
  • Your employer provides current hardware with recent OS versions
  • You're not on a fixed income using a phone from 2019
  • You're not a student with a hand-me-down laptop
  • You're not in a developing economy where "modern devices" aren't the default

The real world has:

Device Diversity:

  • Legacy Android devices (no longer receiving security updates)
  • Older laptops running outdated Windows versions
  • IoT devices with embedded, unpatched systems
  • Corporate devices with delayed update cycles (IT approval processes, compatibility testing)
  • BYOD environments with inconsistent security postures
  • Budget smartphones that shipped with outdated software

Victim Diversity:

  • Technical users who might notice suspicious behavior
  • Non-technical users who will click "Allow" on certificate prompts
  • Business travelers connecting devices with corporate data
  • Students on university networks with whatever device they could afford
  • Elderly users on library WiFi with devices they don't know how to update

Security advice that assumes everyone has current devices and immediate update capability is security advice for CISOs and their friends. It's not guidance for the public - it's guidance for people who can afford to follow it.

An attack that fails against a patched MacBook Pro might succeed against an Android tablet from 2019. An attacker running a rogue WiFi network at an airport doesn't need 100% success rate.

And when the hacklore.org CISOs say "keep your devices updated," they're ignoring everyone who can't; it's hardly new advice either, since the devices themselves and plenty of others already repeat it.


The Join-Phase Problem

All WiFi attacks share a common characteristic: they exploit the join phase, before you can verify security.

You cannot inspect a WiFi network's security posture before associating with it. You cannot audit the captive portal before it loads. You cannot verify client isolation is enabled before exposing your device to the LAN.

By the time you realize something is wrong, you've already been exposed.

TLS doesn't solve this. MFA doesn't solve this. Password managers don't solve this.

Not joining the network solves this.


CHAPTER TWO: The Surveillance Economy

When "Free WiFi" Means "Free Data Collection"

The hacklore.org letter completely ignores the second category of WiFi risk: authorized surveillance by the WiFi providers themselves.

This isn't about hackers. This is about businesses offering "free" WiFi as a data collection platform — and it's completely legal.

Where is their analysis of this industrial-scale data harvesting?

Where's the examination of Cloud4Wi, Skyfii, Purple WiFi, and the entire WiFi analytics industry that monetizes your location data? Where's the discussion of FTC enforcement actions against companies like Nomi Technologies, who tracked 9 million devices via WiFi without consent? Where's the analysis of privacy policies from Starbucks, airports, and hotels that explicitly state they share your data with ad tech platforms?

They have no analysis. Because addressing it would undermine their "WiFi is safe" narrative.


The Data Collection Pipeline

When you connect to WiFi at Starbucks, airports, or hotels, you're not just getting internet access. You're entering a data collection pipeline operated by "legitimate" businesses.

Stage 1: MAC Address Harvesting (Unavoidable)

The moment you associate with a WiFi network, your MAC address is logged. This happens before you can assess the network's trustworthiness. You cannot mitigate this risk — it's inherent to how WiFi works.

The FTC ruled that MAC addresses are personally identifiable information because they can be linked to individuals by name when you log into WiFi hotspots. This isn't theoretical — in 2015, the FTC sanctioned Nomi Technologies for tracking 9 million devices via WiFi without proper opt-outs.

Stage 2: Captive Portal PII Collection

To get internet access, you surrender personal information to the portal:

  • Email address
  • Name
  • Phone number
  • ZIP / post code
  • Sometimes social media authentication

This data is sold. Starbucks' privacy policy explicitly states they share data with third parties. Cloud4Wi's privacy policy describes sharing with "ad agencies, demand side platforms, data management platforms, and supply-side platforms."

Stage 3: Metadata and Behavioral Tracking

Analytics platforms like Cloud4Wi, Skyfii, and Purple WiFi measure:

  • Dwell time (how long you stay)
  • Visit frequency (how often you return)
  • Movement patterns (which locations you visit)
  • Device fingerprinting
  • Connection timing and behavior

This creates a tracking graph linking your identity (from the captive portal) to your physical behavior across locations.

When you connect to WiFi at Starbucks, airports, or hotels, you're entering a data collection pipeline. Captive portals collect your email, name, phone number, and ZIP code. Analytics platforms measure your dwell time, visit frequency, and movement patterns. This data is then shared with "ad agencies, demand side platforms, data management platforms, and supply-side platforms" to build advertising audiences.

Stage 4: Third-Party Data Sharing

That quote about ad agencies? That's from Starbucks' privacy policy. Cloud4Wi's privacy policy explicitly states they share data with ad tech platforms.

In 2013, when Senator Schumer exposed Euclid Analytics tracking shoppers at Nordstrom, customers had no opt-out option except turning off WiFi or leaving their phone at home.

The only way to opt out? Don't join the network.


TLS Protects Content, Not Identity

The hacklore.org letter claims "modern encryption technologies protect your traffic." True. Completely irrelevant.

Your Kinks Are Safe, Your Habits Aren't

TLS protects what you say, not who you are.

Congratulations, your encrypted browsing means nobody knows you're reading niche subreddits. But they know:

  • You were at Starbucks on 5th and Main at 2:47pm on Tuesday
  • You stayed for 43 minutes
  • This is your 4th visit this month
  • You also visit the Starbucks on Market Street every Thursday morning
  • Your device identifier links to the email you gave the captive portal
  • Your movement pattern matches "commuter, works downtown, coffee regular"

TLS encrypted your content. It did nothing about your identity, location, or behavioral profile.

The network operator doesn't need to decrypt your HTTPS traffic to know:

  • Where you go
  • When you go there
  • How long you stay
  • What patterns you follow
  • Which devices are yours
  • How to link you across locations

This data is worth billions. Cloud4Wi, Skyfii, Purple WiFi — entire industries exist to harvest this metadata. They don't need to break TLS. They just need you to press "Connect."

So yes, your kinks are encrypted. Your habits are for sale.
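To make concrete what an analytics backend can derive from association logs alone (Stage 3 above and the list in this section), here is an added example that is not from the article or from any of the named vendors; the log lines, MAC addresses, venue names and the portal sign-in are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed association log, in the shape a WiFi analytics backend would
# ingest from venue access points: timestamp, client MAC, venue, event.
# No packet content is needed; TLS never enters the picture.
ASSOC_LOG = """\
2025-11-04T14:47:00 aa:bb:cc:11:22:33 starbucks-5th-main connect
2025-11-04T15:30:00 aa:bb:cc:11:22:33 starbucks-5th-main disconnect
2025-11-06T08:05:00 aa:bb:cc:11:22:33 starbucks-market-st connect
2025-11-06T08:25:00 aa:bb:cc:11:22:33 starbucks-market-st disconnect
2025-11-11T14:50:00 aa:bb:cc:11:22:33 starbucks-5th-main connect
2025-11-11T15:20:00 aa:bb:cc:11:22:33 starbucks-5th-main disconnect
2025-11-13T08:10:00 aa:bb:cc:11:22:33 starbucks-market-st connect
2025-11-13T08:30:00 aa:bb:cc:11:22:33 starbucks-market-st disconnect
2025-11-05T12:00:00 de:ad:be:ef:00:01 starbucks-5th-main connect
2025-11-05T12:10:00 de:ad:be:ef:00:01 starbucks-5th-main disconnect
"""

# Constructed captive-portal sign-ins: the one moment a MAC address gets
# tied to a name or email. The second device never signed in, so it stays
# a pseudonymous but still trackable identifier.
PORTAL_SIGNINS = {"aa:bb:cc:11:22:33": "alice@example.com"}


def parse_log(text):
    """Pair connect/disconnect events into sessions keyed by MAC address."""
    sessions = defaultdict(list)  # mac -> [(venue, start, end), ...]
    open_sessions = {}            # (mac, venue) -> start time
    for line in text.splitlines():
        ts, mac, venue, event = line.split()
        t = datetime.fromisoformat(ts)
        if event == "connect":
            open_sessions[(mac, venue)] = t
        elif (mac, venue) in open_sessions:
            sessions[mac].append((venue, open_sessions.pop((mac, venue)), t))
    return sessions


def profile(sessions, signins):
    """Build the per-device behavioural profile the article describes:
    identity (if the portal ever got one), visit frequency, dwell time,
    usual weekday and hour at each venue."""
    out = {}
    for mac, visits in sessions.items():
        by_venue = defaultdict(list)
        for venue, start, end in visits:
            by_venue[venue].append((start, end))
        venues = {}
        for venue, spans in by_venue.items():
            dwell = [(end - start).total_seconds() / 60 for start, end in spans]
            venues[venue] = {
                "visits": len(spans),
                "avg_dwell_min": round(sum(dwell) / len(dwell), 1),
                "weekdays": sorted({start.strftime("%a") for start, _ in spans}),
                "usual_hour": round(sum(start.hour for start, _ in spans) / len(spans)),
            }
        out[mac] = {"identity": signins.get(mac, "unknown"), "venues": venues}
    return out


if __name__ == "__main__":
    for mac, p in profile(parse_log(ASSOC_LOG), PORTAL_SIGNINS).items():
        print(mac, p)
```

Linking the pseudonymous second device to a person only needs one future portal sign-in from that MAC; nothing in the HTTPS traffic has to be touched.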


No Institutional Protections

When your credit card gets skimmed, the Payment Services Regulations 2017 limit your liability to £35 (usually £0). Your bank refunds you. The system absorbs the loss.

When your MAC address and email end up in a data broker's tracking graph, there is no refund mechanism. GDPR gives you the right to complain. It doesn't give you the right to be untracked. Once you're in the database, you stay there.

You can't get "unskimmed" from a data broker's database.

There's no privacy regulation under which you can dispute being in a tracking graph. That's why the comparison to card skimmers fails - one risk has a safety net with institutional protections and reversal mechanisms. The other leaves you completely exposed with no undo button.


This Isn't a "Compromise." It's the Business Model.

None of this requires a breach. No credential theft. No malware. Just systematic data collection at industrial scale.

And the hacklore.org CISOs don't mention it once.


CHAPTER THREE: The Shallow Thinking Distance

Cyber Security vs. Information Security

Here's the fundamental failure of the hacklore.org letter: these CISOs are thinking like cyber security engineers instead of information security officers.

The Cyber Security Mindset

Cyber security focuses on:

  • Preventing credential theft
  • Blocking malware
  • Detecting intrusions
  • Stopping "hackers"

Their threat model: people in hoodies breaking into systems.

When TLS encrypts your HTTPS traffic, the cyber security job is done. Attack prevented. Credentials protected. Mission accomplished.

The Information Security Mandate

Information security focuses on:

  • Protecting data from unauthorized collection
  • Preventing unauthorized processing
  • Stopping unauthorized disclosure
  • Defending against surveillance, not just attacks

Their threat model: unauthorized access to information, regardless of who's accessing it.

When you're a Chief Information Security Officer, your mandate is to protect information — not just from criminals, but from anyone engaging in unauthorized collection, processing, and disclosure.

The metadata tracking industry does all three at scale.


Are We Giving Data The Security It Deserves?

These are people whose job title includes "Information Security Officer" - they're supposed to protect data and information. Yet they've completely ignored:

  • The metadata industry (Cloud4Wi, Skyfii, Purple WiFi, Euclid Analytics, Nomi Technologies)
  • Invisible processing (tracking graphs, behavioral profiling, movement pattern analysis)
  • Third-party data sharing with ad tech platforms, DMPs, DSPs, and SSPs

Are we giving data the security it deserves when we ignore everything that happens outside TLS content?

Public WiFi risk in 2025 is not just about getting "hacked." It's about being tracked. And here's the deeper failure: these are Chief Information Security Officers who seem to have forgotten what security controls are for - to protect data.

Are we giving data the security it deserves? No. Because the hacklore.org CISOs have decided that if your HTTPS content is encrypted, their job is done. Your metadata? Your location? Your behavioral patterns? Your MAC address being sold to data brokers? Not a problem they want to bother you with.


What Happened to Threat Modeling?

The letter's authors seem to believe that if TLS encrypts your HTTPS traffic, their job is done.

Legitimate businesses tracking your location, harvesting your PII via captive portals, and selling your behavioral patterns? Not our department. And the attacks and nuances of joining a network, everything that happens between association and your first internet request? Meh.

This is security leadership that stops thinking the moment the threat actor wears a business suit instead of a hoodie.

When you're a Chief Information Security Officer, your mandate is to protect information - not just from criminals, but from unauthorized collection, processing, and disclosure. The metadata tracking industry does all three at scale, yet the hacklore.org CISOs dismiss public WiFi concerns because TLS exists.

What are we doing here? What happened to threat modeling that includes data brokers, surveillance capitalism, and privacy invasion?

INFORMATION. SECURITY.

These signatories have collapsed the entire security problem down to "credential theft" and "malware," then declared victory because TLS makes those harder. Meanwhile, every coffee shop WiFi network is feeding the surveillance economy, and they're telling the public it's fine.

That's not security leadership. That's security theater with credentials.


The hacklore.org letter represents a troubling trend in security communications, one that I hope creates zero political or policy influence: generic advice from credentialed professionals who haven't engaged with the specific threats they're dismissing.

They're right that TLS works. They're wrong that it solves the WiFi problem.

They're right that MFA and password managers are important. They're wrong that this addresses WiFi surveillance.

They're right that exotic attacks are rare. They're wrong that WiFi tracking is exotic.

The letter's fundamental flaw is treating "we haven't seen widespread credential theft on WiFi" as evidence that "WiFi is safe." It confuses the absence of one type of harm with the absence of all harms.

Meanwhile, data brokers are building tracking graphs from your Starbucks visits. Captive portals are collecting your PII. Analytics platforms are measuring your dwell time and movement patterns. None of this requires a "compromise." It's the intended functionality.

The question isn't just whether you'll get hacked on public WiFi. The question is also whether you want to be tracked.

The Advice Stands

If you can use your personal hotspot, you should.

Not because you're "important enough to be hacked" - you're not important enough for a targeted attack, but your spam folder is still full of phishing attempts, isn't it? Attackers follow the WDADLIB model: Why Does A Dog Lick Its Bollocks? Because it can.

Not because you need to understand network attestation, infrastructure posture, end-user device posture, and end-user susceptibility - though those matter. You use your hotspot because it's the simplest, most effective risk-reduction measure available.

Your mobile hotspot eliminates:

  • Network operator surveillance
  • Malicious network operators
  • Rogue access points
  • Client-to-client attacks
  • Captive portal data collection
  • Most metadata leakage to untrusted parties

Those that are extra cranky about ISPs can be told to use Mullvad VPN, but that's a separate conversation.

Your mobile hotspot is right there in your pocket. Use it.


For detailed technical analysis of WiFi threat models, see lolwifi.network

For the original hacklore.org letter, visit their website hacklore.org