AnonymFlow
securite-reseauINFO

Mobile hotspot vs public WiFi: which is really safer in 2026

Compared attack surface between a shared 4G/5G hotspot and airport or hotel public WiFi, who sees what on the mobile carrier side vs hotspot provider side, real data cost, and the safest stack with a VPN.

By Eric Gerard · Editor · AnonymFlow14 min readPhoto: Unsplash

The choice between a mobile hotspot (tethering a 4G or 5G connection from your smartphone) and public WiFi (airport, hotel, or café network) is now a daily trade-off. It faces the remote worker on the move, the traveller, or anyone who wants to check email away from home. The question is often framed as a binary - "which is safer". In fact the two technologies have very different attack surfaces, and the right answer rests as much on use case as on context.

This guide compares exactly what each actor (mobile carrier, WiFi hotspot provider, possible local attacker) can see and do for each technology. It gives concrete data cost figures for 2026. And it lays out the most defensive stack (mobile hotspot + VPN) for high-stakes activities.

How each technology works

To compare what each actor can technically see, we first need to map the layout of each connection.

Mobile hotspot - 4G or 5G tethering via your phone. When you turn on tethering (Personal Hotspot on iOS, Mobile Hotspot on Android), your phone becomes a Wi-Fi router. On the cellular radio side, the phone opens an encrypted link to a carrier tower (EE, Vodafone UK, O2, Three in the UK; Verizon, AT&T, T-Mobile in the US) via the 4G LTE or 5G NR standards. On the local Wi-Fi side, the phone broadcasts a private SSID with a WPA2 or WPA3 password. Other devices (your laptop, your tablet) join it just like any other router. Traffic from those devices flows through the phone, then the tower, then the carrier's core network, then out to the internet. Two encrypted links in a chain: local Wi-Fi (WPA2/WPA3) + cellular radio (NEA2/5G-EA).

Public WiFi - a centralised operator. You join the SSID at the airport, café, or hotel. You sign in via a shared password at the counter, or via an open network with a captive portal. Traffic flows through the venue's Wi-Fi router, then through the venue's internet link (fibre, business broadband, or sometimes 4G/5G as backup). On the Wi-Fi radio side, encryption depends on the version: WPA3 (rare in 2026 outside major new venues), WPA2-PSK with a shared password (most common), or open with no encryption (simple cafés, some airports). On the inner side, the hotspot operator can log and study traffic. That's the business purpose of Cisco Meraki, Aruba, and Ruckus gear.

The key structural difference. On a mobile hotspot, an attacker within radio range can do nothing passively. The cellular link is encrypted by design. On open public WiFi or WPA2 with a password known to all, another client on the same network can sniff other clients' traffic in promiscuous mode. That's the basis for why a mobile hotspot is safer by default than public WiFi. A passive local attack is simply not possible on cellular.

Technical details: 4G LTE uses the algorithms EEA1 (Snow 3G), EEA2 (AES-128 in counter mode), and EEA3 (ZUC, tuned for China) for radio layer encryption, as set out in 3GPP specifications. 5G NR adds 5G-EA with stronger suites (AES-256 possible) and IMSI encryption at first registration (SUCI). Wikipedia's 5G Security article covers the full stack in detail.

Compared attack surface - who can do what

The table below sums up the actors and what they can do by technology. Read it row by row. Each actor has different access in each scenario.

Actor4G/5G hotspotOpen public WiFiWPA2-PSK public WiFiWPA3 public WiFi
Your mobile carrierSees DNS + destination IP---
Hotspot operator-Sees DNS + IP + commercial trackingSees DNS + IP + commercial trackingSees DNS + IP (client/AP encryption)
Other connected clientNo accessCan sniff (Wireshark)Can sniff (shared PSK)Cannot sniff (OWE/SAE)
Passive attacker in radio rangeNo access (radio encrypted)Can sniff (radio in cleartext)No direct accessNo direct access
Active attacker in radio range (Evil Twin)Very difficult (fake BTS = IMSI catcher, expensive)Easy (fake SSID)Easy (fake SSID + same PSK)More difficult
Commercial tracking (Meraki, MAC analytics)Limited (carrier only)Full tracking via OUI/MACFull trackingPartial (OWE encrypts per client)
Compromised captive portalNot applicablePossiblePossiblePossible

Reading the table. On a mobile hotspot, the list of actors with access to your traffic shrinks sharply versus public WiFi. Only your mobile carrier has real visibility, and that's the same visibility an ISP has at home. Local attack vectors (sniffing, Evil Twin, hacked captive portals, commercial MAC tracking) become unusable or very costly for the attacker. On WPA2-PSK public WiFi with a password written on a chalkboard (the most common case in 2026), the attack surface includes every other client on the same network. That can include an opportunistic attacker with little gear.

Important case: WPA3 public WiFi with OWE (rare but emerging in 2026) rules out sniffing between connected clients. Each client gets a unique short-lived key with the AP. But the hotspot operator still sees the traffic and can track users. So WPA3 improves the public WiFi picture without making it equal to a mobile hotspot on privacy from the operator.

Practical cases - when to prefer a hotspot, when to prefer WiFi

Beyond raw security, several practical points feed the choice: speed, battery, data cost, context. Here are the typical profiles.

Profile 1 - Email + standard web browsing on the move. Common scenario: traveller on a train, remote worker in a café, conference attendee. Recommendation: mobile hotspot by default. Data use is moderate (~50 MB/h browsing, ~10 MB/h email), so even a small plan (10 GB/month) easily covers a day of mobile work. Security is clearly better than public WiFi. The phone battery drains faster, so bring a power bank or find a charging point. On dense urban 5G, speed is more than enough for comfort.

Profile 2 - Extended video calls (Zoom, Teams) on the move. Typical scenario: a full day of meetings from an Airbnb with shaky WiFi. Recommendation: depends on 5G coverage. In a stable 5G zone, the mobile hotspot still works (~500 MB/h in HD, roughly 4 GB for a full day). In 4G with patchy coverage, latency and dropouts make the call uneven, so a switch to public WiFi may be needed. If public WiFi is unavoidable, always turn on the VPN with kill switch (see public WiFi risks 2026).

Profile 3 - Extended video streaming (Netflix, YouTube). Recommendation: home WiFi or reliable public WiFi. Data costs on a hotspot get too high (3 GB/h at 1080p, 7 GB/h at 4K). A 100 GB/month plan vanishes in a few hours of streaming. Public WiFi still works here, as long as you have an active VPN and don't enter sensitive logins on the captive portal.

Profile 4 - Accessing banking or a sensitive work account. Recommendation: mobile hotspot without hesitation. The smaller attack surface and the lack of local sniffing make it the right channel for high-stakes work. Add a VPN to close the leak to your carrier. The data overhead is tiny (banking uses a few MB at most). Several corporate CSIRTs advise this practice for sensitive work while travelling.

Profile 5 - Large file download (OS update, system ISO, heavy video). Recommendation: WiFi. The mobile hotspot costs too much in data, and urban 5G can still hit carrier fair-use throttling on some plans. Use home WiFi, or wait until you're at a trusted partner's network.

Profile 6 - International traveller with a partner carrier. Recommendation: depends on your roaming plan. Within the EU, "roam like at home" means your home plan works the same way abroad, so pick the mobile hotspot. Outside the EU, roaming charges can make the mobile hotspot a disaster (steep per-MB fees in some countries). A local eSIM (Airalo, Holafly) fixes this and brings back the mobile hotspot advantage. Failing that, public WiFi with a VPN becomes the sensible budget option.

Real data cost by activity - 2026 figures

Glowing fibre-optic network cables
Glowing fibre-optic network cables

Ballpark figures for planning your monthly hotspot data use. Data measured internally and cross-checked with Ofcom and FCC reports and public carrier statements.

Light activities (< 100 MB/h).

  • Work email with continuous sync: ~5–10 MB/h
  • Messaging (WhatsApp, Signal, iMessage): ~5–15 MB/h
  • Text-heavy web browsing (news, research): ~30–80 MB/h
  • Banking, government portals (HMRC, SSA): ~10–30 MB/h
  • Social media light scrolling (Twitter/X, LinkedIn): ~50–100 MB/h

Medium activities (100–500 MB/h).

  • Standard web browsing with images: ~100–200 MB/h
  • Audio streaming (Spotify, Apple Music, podcasts): ~50–150 MB/h depending on quality
  • Standard video 480p (YouTube, online training): ~250–400 MB/h
  • HD video call (Zoom, Teams, Google Meet): ~500 MB/h
  • Social media with video autoplay: ~300–600 MB/h

Heavy activities (> 1 GB/h).

  • HD video streaming 720p: ~1.5 GB/h
  • HD video streaming 1080p: ~3 GB/h
  • 4K video streaming: ~7 GB/h
  • OS update or system ISO download: variable, often 3–10 GB for a major update
  • Cloud gaming (GeForce Now, Xbox Cloud): ~10–15 GB/h

Typical carrier plans in the UK and US, 2026 (indicative order).

  • 100–150 GB plans: ~£15–30 / $20–40 per month (sufficient for occasional hotspot use)
  • 200–300 GB plans: ~£25–40 / $35–55 per month (regular hotspot use)
  • Unlimited 5G plans: ~£35–55 / $50–80 per month (intensive use, nomadic remote work - EE Max, Verizon Unlimited Ultimate, T-Mobile Go5G Plus)

Practical tip. For a remote worker who uses their hotspot 2–3 days a month for email, web, and moderate video calls, 100 GB is plenty. For a full-time digital nomad, an unlimited 5G plan removes budget worry and lets you work only on a mobile hotspot.

Editorial pick
4.6 / 5

Complete your mobile hotspot with an audited VPN

Deloitte 2024 no-log audit · System kill switch · 30-day money-back guarantee

Deloitte audit 202430-day guarantee14M+ users
See the offer

Combining mobile hotspot + VPN - the safest stack

For use cases where security comes first (sensitive banking, remote work on confidential data, journalism on the move, travel to high-risk countries), pairing a mobile hotspot with a VPN closes almost every local attack vector and hides your activity from your mobile carrier. It's the most complete defensive stack open to an ordinary user.

Recommended setup. Step 1: turn on tethering on your phone (Personal Hotspot on iOS, Mobile Hotspot on Android), with WPA2 or WPA3 and a strong password. Step 2: connect your laptop or tablet to the phone's private SSID. Step 3: turn on the VPN client on the end device (laptop, tablet), with the kill switch set to system mode. Step 4: check for leaks via our DNS leak test tool. Step 5: confirm the visible IP with our IP address tool.

Why this setup wins. The mobile hotspot closes local attacks (sniffing, Evil Twin, captive portal). The VPN closes the leak to the mobile carrier (who would otherwise see DNS and destination IPs). Encrypted cellular layer + encrypted local Wi-Fi layer + encrypted VPN tunnel = a triple defensive layer. An attacker who wants to break this stack must compromise your device, the VPN server, or the carrier's core network. Those are three separate and costly targets.

When it's overkill. For ordinary web browsing with nothing at stake, it's too much. For checking personal emails while waiting for a train, it's too much. A mobile hotspot alone (without a VPN) already stops local attacks. The VPN adds privacy against the carrier, not raw security. A sound approach is to turn the VPN on when the activity calls for it (banking, work email, remote work) and leave it off otherwise.

When it's not enough. For a journalist with a source in a high-risk country, a whistleblower, or any very high-value activity targeted by a state actor, a hotspot + VPN stack is still not enough. You need to add Tor (ideally from Tails on a USB stick), work from a dedicated device, use an anonymous or prepaid SIM not tied to your identity, and keep things strictly apart. See Tor vs VPN - differences and combination for details.

Battery limitation. Tethering drains the phone's battery fast (active cellular radio + Wi-Fi broadcast at the same time). For long use, bring a power bank or plug in. On 5G, power draw is higher than on 4G. A switch to 4G in network settings can extend battery life if the speed is enough.

International roaming limitation. Outside the EU, data costs can blow up. Get ready with a local eSIM (Airalo, Holafly, Nomad), or sign up for your carrier's roaming add-on. Failing that, public WiFi with a VPN becomes the sensible fix. It's less defensive, but it works on a budget.

Summary: decision by use case

Three practical rules cover the decision for the majority of cases.

Rule 1 - Default to the mobile hotspot. Except in a few cases (heavy downloads, extended HD streaming, area without 4G/5G coverage), the mix of better security + more privacy + instant setup makes the mobile hotspot the better pick over public WiFi for most mobile use.

Rule 2 - If public WiFi is unavoidable, keep the VPN active. No public WiFi without a VPN with kill switch on. This is non-negotiable for any activity beyond reading public information. The VPN closes the main leaks (SNI, DNS, IP) and stops local attacks. See VPN kill switch explained for details on this critical piece.

Rule 3 - Hotspot + VPN combination for high-stakes activities. Sensitive banking, remote work on confidential data, journalism, travel to a high-risk country: combine both layers. The data overhead is tiny, the defensive gain is large.

Further reading

The choice between mobile hotspot and public WiFi isn't about fashion. It's a trade-off between security, cost, and availability. For most mobile use cases, the mobile hotspot wins on security against local attacks and on privacy against commercial WiFi operators, at the cost of data use. Paired with an audited VPN with a kill switch, it's the most defensive stack open to an ordinary user in 2026. On public WiFi that can't be avoided (no mobile hotspot on a plane, no cellular coverage in a basement, roaming costs outside the EU), a VPN stays the core measure. To check often that your VPN is doing its job, our complete VPN audit in 9 tests is the reference procedure.

See also. Related: What Is Juice Jacking.

Mobility, hotspots, and network security - related guides


Article published on 29 May 2026. Methodology: synthesis of 3GPP specifications on 4G LTE and 5G NR (TS 33.401 LTE security, TS 33.501 5G security), Ofcom and FCC mobile market reports 2023–2025, academic publications on IMSI catchers (SecureComm papers 2018–2021), and data consumption measurements conducted internally over three months (March–May 2026) on a Pixel 8 + MacBook + NordVPN setup. Carrier data cross-referenced with public communications from EE, Vodafone UK, O2, Three (UK) and Verizon, AT&T, T-Mobile (US).

Editorial pick
4.6 / 5

Secure your connection with NordVPN

Threat Protection blocks trackers & malware · kill switch · 30-day money-back

Deloitte audit 202430-day guarantee14M+ users
See the offer
Everything you need to know.

Frequently asked questions

Mobile hotspot or public WiFi - which is safer?

Mobile hotspot in the vast majority of cases. On 4G or 5G, radio traffic between your phone and the cell tower is encrypted end-to-end (NEA1/NEA2 on 4G, 5G-EA on 5G). So an attacker within range cannot listen in without access to the carrier's core network. On open public WiFi or WPA2-PSK with a shared password, any connected client can sniff other clients' traffic with a tool like Wireshark. The attack surface on a mobile hotspot is thus limited to your carrier (who sees your DNS history like an ISP) and a few cases (IMSI catchers, hacked towers). That matters for high-value targets, but it is marginal for everyday civilian use. On public WiFi, local attacks are common and well logged (DEF CON Wall of Sheep, Evil Twin campaigns), on top of tracking by the hotspot operator. The takeaway: for anything even a bit sensitive (banking, work email), pick a 4G/5G hotspot over public WiFi, even at the cost of a little data.

Can my mobile carrier see my browsing history?

Yes, just like a fixed-line ISP does. UK and US carriers (EE, Vodafone UK, O2, Three; Verizon, AT&T, T-Mobile) run their own DNS resolvers that look up domain names for their subscribers. Every DNS query can be logged, and terms of service usually allow them to keep it for varying periods (technical measures, security, legal duties). In the UK, the Investigatory Powers Act 2016 makes ISPs keep data for 12 months. In the US, the FCC's 2017 ruling removed ISP privacy rules and let carriers sell browsing data. On HTTPS traffic, the carrier sees domains via SNI and destination IPs, but not the encrypted content. A VPN closes this leak. The carrier then sees only an encrypted tunnel to a single server. It's the same mechanism as using a VPN on a home broadband line.

How much data does a hotspot use per activity?

It varies by activity. Approximate reference for 2026 on typical carrier plans. Standard web browsing: ~50–150 MB per hour (depending on images, auto-play videos). Email: ~10 MB per hour (continuous sync, no heavy attachments). Music streaming (Spotify, Apple Music): ~50–100 MB per hour at standard quality, ~150 MB at high quality. Standard video streaming (480p): ~500 MB per hour; HD 720p: ~1.5 GB/h; 1080p: ~3 GB/h; 4K: ~7 GB/h. Video conferencing (Zoom, Teams, Google Meet): ~500 MB per hour in HD. Large file download: 1 GB takes roughly 5–10 minutes on urban 5G. Online gaming: moderate, ~50 MB per hour but latency-sensitive. Practical takeaway: a 100 GB/month plan is more than enough for occasional hotspot use; an unlimited plan (EE Max, Verizon Unlimited Ultimate, T-Mobile Go5G Plus) removes the question entirely. Extended HD video streaming remains the only use case that justifies switching to WiFi for cost or bandwidth reasons.

Is 5G safer than 4G for a hotspot?

Marginally. 5G brought several security gains over 4G. First, it encrypts the IMSI at first registration (SUCI/SUPI), which makes IMSI catchers harder. An attacker can no longer grab your SIM identifier as easily. Second, it adds stronger crypto suites (5G-EA with AES-256, AES-128 or Snow 3G, by configuration). Third, it allows Network Slicing, with traffic kept apart per use case. In practice, though, 4G LTE in 2026 is already radio-encrypted end-to-end and has no passive flaw to exploit. For a hotspot, the real 4G-versus-5G gap is speed (5G easily 200–500 Mbps in dense urban areas vs 20–100 Mbps on 4G) and latency (5G ~15 ms vs ~30–50 ms on 4G), not security. If your phone supports 5G and you have coverage, pick it for comfort, not for very different security.

Is a VPN still useful on a mobile hotspot?

Yes, for two reasons. First, your mobile carrier sees your DNS history and destination IPs just like a fixed ISP. A VPN closes this leak and stops the carrier from selling or keeping your metadata for long (legal in the US and UK under various rules). Second, when roaming abroad or on a lesser-known partner network, your traffic may be inspected or slowed (DPI, throttling of certain services). A VPN gets past this. Third, if you use your hotspot as a gateway for a laptop or another device, the VPN on that device adds an encryption layer apart from the mobile link. The main contrast with public WiFi: on a mobile hotspot, the VPN mainly guards against the carrier and ad profiling, not against an active local attack (which cannot happen passively). It's a privacy use more than a security one. See [our NordVPN review 2026](/en/blog/our-vpn-review-2026) for detailed measurements.