The choice between a mobile hotspot (tethering a 4G or 5G connection from your smartphone) and public WiFi (airport, hotel, or café network) is now a daily trade-off. It faces the remote worker on the move, the traveller, or anyone who wants to check email away from home. The question is often framed as a binary - "which is safer". In fact the two technologies have very different attack surfaces, and the right answer rests as much on use case as on context.
This guide compares exactly what each actor (mobile carrier, WiFi hotspot provider, possible local attacker) can see and do for each technology. It gives concrete data cost figures for 2026. And it lays out the most defensive stack (mobile hotspot + VPN) for high-stakes activities.
How each technology works
To compare what each actor can technically see, we first need to map the layout of each connection.
Mobile hotspot - 4G or 5G tethering via your phone. When you turn on tethering (Personal Hotspot on iOS, Mobile Hotspot on Android), your phone becomes a Wi-Fi router. On the cellular radio side, the phone opens an encrypted link to a carrier tower (EE, Vodafone UK, O2, Three in the UK; Verizon, AT&T, T-Mobile in the US) via the 4G LTE or 5G NR standards. On the local Wi-Fi side, the phone broadcasts a private SSID with a WPA2 or WPA3 password. Other devices (your laptop, your tablet) join it just like any other router. Traffic from those devices flows through the phone, then the tower, then the carrier's core network, then out to the internet. Two encrypted links in a chain: local Wi-Fi (WPA2/WPA3) + cellular radio (NEA2/5G-EA).
Public WiFi - a centralised operator. You join the SSID at the airport, café, or hotel. You sign in via a shared password at the counter, or via an open network with a captive portal. Traffic flows through the venue's Wi-Fi router, then through the venue's internet link (fibre, business broadband, or sometimes 4G/5G as backup). On the Wi-Fi radio side, encryption depends on the version: WPA3 (rare in 2026 outside major new venues), WPA2-PSK with a shared password (most common), or open with no encryption (simple cafés, some airports). On the inner side, the hotspot operator can log and study traffic. That's the business purpose of Cisco Meraki, Aruba, and Ruckus gear.
The key structural difference. On a mobile hotspot, an attacker within radio range can do nothing passively. The cellular link is encrypted by design. On open public WiFi or WPA2 with a password known to all, another client on the same network can sniff other clients' traffic in promiscuous mode. That's the basis for why a mobile hotspot is safer by default than public WiFi. A passive local attack is simply not possible on cellular.
Technical details: 4G LTE uses the algorithms EEA1 (Snow 3G), EEA2 (AES-128 in counter mode), and EEA3 (ZUC, tuned for China) for radio layer encryption, as set out in 3GPP specifications. 5G NR adds 5G-EA with stronger suites (AES-256 possible) and IMSI encryption at first registration (SUCI). Wikipedia's 5G Security article covers the full stack in detail.
Compared attack surface - who can do what
The table below sums up the actors and what they can do by technology. Read it row by row. Each actor has different access in each scenario.
| Actor | 4G/5G hotspot | Open public WiFi | WPA2-PSK public WiFi | WPA3 public WiFi |
|---|---|---|---|---|
| Your mobile carrier | Sees DNS + destination IP | - | - | - |
| Hotspot operator | - | Sees DNS + IP + commercial tracking | Sees DNS + IP + commercial tracking | Sees DNS + IP (client/AP encryption) |
| Other connected client | No access | Can sniff (Wireshark) | Can sniff (shared PSK) | Cannot sniff (OWE/SAE) |
| Passive attacker in radio range | No access (radio encrypted) | Can sniff (radio in cleartext) | No direct access | No direct access |
| Active attacker in radio range (Evil Twin) | Very difficult (fake BTS = IMSI catcher, expensive) | Easy (fake SSID) | Easy (fake SSID + same PSK) | More difficult |
| Commercial tracking (Meraki, MAC analytics) | Limited (carrier only) | Full tracking via OUI/MAC | Full tracking | Partial (OWE encrypts per client) |
| Compromised captive portal | Not applicable | Possible | Possible | Possible |
Reading the table. On a mobile hotspot, the list of actors with access to your traffic shrinks sharply versus public WiFi. Only your mobile carrier has real visibility, and that's the same visibility an ISP has at home. Local attack vectors (sniffing, Evil Twin, hacked captive portals, commercial MAC tracking) become unusable or very costly for the attacker. On WPA2-PSK public WiFi with a password written on a chalkboard (the most common case in 2026), the attack surface includes every other client on the same network. That can include an opportunistic attacker with little gear.
Important case: WPA3 public WiFi with OWE (rare but emerging in 2026) rules out sniffing between connected clients. Each client gets a unique short-lived key with the AP. But the hotspot operator still sees the traffic and can track users. So WPA3 improves the public WiFi picture without making it equal to a mobile hotspot on privacy from the operator.
Practical cases - when to prefer a hotspot, when to prefer WiFi
Beyond raw security, several practical points feed the choice: speed, battery, data cost, context. Here are the typical profiles.
Profile 1 - Email + standard web browsing on the move. Common scenario: traveller on a train, remote worker in a café, conference attendee. Recommendation: mobile hotspot by default. Data use is moderate (~50 MB/h browsing, ~10 MB/h email), so even a small plan (10 GB/month) easily covers a day of mobile work. Security is clearly better than public WiFi. The phone battery drains faster, so bring a power bank or find a charging point. On dense urban 5G, speed is more than enough for comfort.
Profile 2 - Extended video calls (Zoom, Teams) on the move. Typical scenario: a full day of meetings from an Airbnb with shaky WiFi. Recommendation: depends on 5G coverage. In a stable 5G zone, the mobile hotspot still works (~500 MB/h in HD, roughly 4 GB for a full day). In 4G with patchy coverage, latency and dropouts make the call uneven, so a switch to public WiFi may be needed. If public WiFi is unavoidable, always turn on the VPN with kill switch (see public WiFi risks 2026).
Profile 3 - Extended video streaming (Netflix, YouTube). Recommendation: home WiFi or reliable public WiFi. Data costs on a hotspot get too high (3 GB/h at 1080p, 7 GB/h at 4K). A 100 GB/month plan vanishes in a few hours of streaming. Public WiFi still works here, as long as you have an active VPN and don't enter sensitive logins on the captive portal.
Profile 4 - Accessing banking or a sensitive work account. Recommendation: mobile hotspot without hesitation. The smaller attack surface and the lack of local sniffing make it the right channel for high-stakes work. Add a VPN to close the leak to your carrier. The data overhead is tiny (banking uses a few MB at most). Several corporate CSIRTs advise this practice for sensitive work while travelling.
Profile 5 - Large file download (OS update, system ISO, heavy video). Recommendation: WiFi. The mobile hotspot costs too much in data, and urban 5G can still hit carrier fair-use throttling on some plans. Use home WiFi, or wait until you're at a trusted partner's network.
Profile 6 - International traveller with a partner carrier. Recommendation: depends on your roaming plan. Within the EU, "roam like at home" means your home plan works the same way abroad, so pick the mobile hotspot. Outside the EU, roaming charges can make the mobile hotspot a disaster (steep per-MB fees in some countries). A local eSIM (Airalo, Holafly) fixes this and brings back the mobile hotspot advantage. Failing that, public WiFi with a VPN becomes the sensible budget option.
Real data cost by activity - 2026 figures
Ballpark figures for planning your monthly hotspot data use. Data measured internally and cross-checked with Ofcom and FCC reports and public carrier statements.
Light activities (< 100 MB/h).
- Work email with continuous sync: ~5–10 MB/h
- Messaging (WhatsApp, Signal, iMessage): ~5–15 MB/h
- Text-heavy web browsing (news, research): ~30–80 MB/h
- Banking, government portals (HMRC, SSA): ~10–30 MB/h
- Social media light scrolling (Twitter/X, LinkedIn): ~50–100 MB/h
Medium activities (100–500 MB/h).
- Standard web browsing with images: ~100–200 MB/h
- Audio streaming (Spotify, Apple Music, podcasts): ~50–150 MB/h depending on quality
- Standard video 480p (YouTube, online training): ~250–400 MB/h
- HD video call (Zoom, Teams, Google Meet): ~500 MB/h
- Social media with video autoplay: ~300–600 MB/h
Heavy activities (> 1 GB/h).
- HD video streaming 720p: ~1.5 GB/h
- HD video streaming 1080p: ~3 GB/h
- 4K video streaming: ~7 GB/h
- OS update or system ISO download: variable, often 3–10 GB for a major update
- Cloud gaming (GeForce Now, Xbox Cloud): ~10–15 GB/h
Typical carrier plans in the UK and US, 2026 (indicative order).
- 100–150 GB plans: ~£15–30 / $20–40 per month (sufficient for occasional hotspot use)
- 200–300 GB plans: ~£25–40 / $35–55 per month (regular hotspot use)
- Unlimited 5G plans: ~£35–55 / $50–80 per month (intensive use, nomadic remote work - EE Max, Verizon Unlimited Ultimate, T-Mobile Go5G Plus)
Practical tip. For a remote worker who uses their hotspot 2–3 days a month for email, web, and moderate video calls, 100 GB is plenty. For a full-time digital nomad, an unlimited 5G plan removes budget worry and lets you work only on a mobile hotspot.
Complete your mobile hotspot with an audited VPN
Deloitte 2024 no-log audit · System kill switch · 30-day money-back guarantee
Combining mobile hotspot + VPN - the safest stack
For use cases where security comes first (sensitive banking, remote work on confidential data, journalism on the move, travel to high-risk countries), pairing a mobile hotspot with a VPN closes almost every local attack vector and hides your activity from your mobile carrier. It's the most complete defensive stack open to an ordinary user.
Recommended setup. Step 1: turn on tethering on your phone (Personal Hotspot on iOS, Mobile Hotspot on Android), with WPA2 or WPA3 and a strong password. Step 2: connect your laptop or tablet to the phone's private SSID. Step 3: turn on the VPN client on the end device (laptop, tablet), with the kill switch set to system mode. Step 4: check for leaks via our DNS leak test tool. Step 5: confirm the visible IP with our IP address tool.
Why this setup wins. The mobile hotspot closes local attacks (sniffing, Evil Twin, captive portal). The VPN closes the leak to the mobile carrier (who would otherwise see DNS and destination IPs). Encrypted cellular layer + encrypted local Wi-Fi layer + encrypted VPN tunnel = a triple defensive layer. An attacker who wants to break this stack must compromise your device, the VPN server, or the carrier's core network. Those are three separate and costly targets.
When it's overkill. For ordinary web browsing with nothing at stake, it's too much. For checking personal emails while waiting for a train, it's too much. A mobile hotspot alone (without a VPN) already stops local attacks. The VPN adds privacy against the carrier, not raw security. A sound approach is to turn the VPN on when the activity calls for it (banking, work email, remote work) and leave it off otherwise.
When it's not enough. For a journalist with a source in a high-risk country, a whistleblower, or any very high-value activity targeted by a state actor, a hotspot + VPN stack is still not enough. You need to add Tor (ideally from Tails on a USB stick), work from a dedicated device, use an anonymous or prepaid SIM not tied to your identity, and keep things strictly apart. See Tor vs VPN - differences and combination for details.
Battery limitation. Tethering drains the phone's battery fast (active cellular radio + Wi-Fi broadcast at the same time). For long use, bring a power bank or plug in. On 5G, power draw is higher than on 4G. A switch to 4G in network settings can extend battery life if the speed is enough.
International roaming limitation. Outside the EU, data costs can blow up. Get ready with a local eSIM (Airalo, Holafly, Nomad), or sign up for your carrier's roaming add-on. Failing that, public WiFi with a VPN becomes the sensible fix. It's less defensive, but it works on a budget.
Summary: decision by use case
Three practical rules cover the decision for the majority of cases.
Rule 1 - Default to the mobile hotspot. Except in a few cases (heavy downloads, extended HD streaming, area without 4G/5G coverage), the mix of better security + more privacy + instant setup makes the mobile hotspot the better pick over public WiFi for most mobile use.
Rule 2 - If public WiFi is unavoidable, keep the VPN active. No public WiFi without a VPN with kill switch on. This is non-negotiable for any activity beyond reading public information. The VPN closes the main leaks (SNI, DNS, IP) and stops local attacks. See VPN kill switch explained for details on this critical piece.
Rule 3 - Hotspot + VPN combination for high-stakes activities. Sensitive banking, remote work on confidential data, journalism, travel to a high-risk country: combine both layers. The data overhead is tiny, the defensive gain is large.
Further reading
The choice between mobile hotspot and public WiFi isn't about fashion. It's a trade-off between security, cost, and availability. For most mobile use cases, the mobile hotspot wins on security against local attacks and on privacy against commercial WiFi operators, at the cost of data use. Paired with an audited VPN with a kill switch, it's the most defensive stack open to an ordinary user in 2026. On public WiFi that can't be avoided (no mobile hotspot on a plane, no cellular coverage in a basement, roaming costs outside the EU), a VPN stays the core measure. To check often that your VPN is doing its job, our complete VPN audit in 9 tests is the reference procedure.
See also. Related: What Is Juice Jacking.
Mobility, hotspots, and network security - related guides
- Public WiFi risks in 2026 →Pillar article of the network security cluster
- VPN kill switch explained →The critical piece on public networks
- Complete VPN audit in 9 tests →Quarterly verification procedure
- NordVPN review 2026 →Long-term test with daily Deloitte audit
- Test DNS and WebRTC leaks →Quick 30-second verification
Article published on 29 May 2026. Methodology: synthesis of 3GPP specifications on 4G LTE and 5G NR (TS 33.401 LTE security, TS 33.501 5G security), Ofcom and FCC mobile market reports 2023–2025, academic publications on IMSI catchers (SecureComm papers 2018–2021), and data consumption measurements conducted internally over three months (March–May 2026) on a Pixel 8 + MacBook + NordVPN setup. Carrier data cross-referenced with public communications from EE, Vodafone UK, O2, Three (UK) and Verizon, AT&T, T-Mobile (US).
Secure your connection with NordVPN
Threat Protection blocks trackers & malware · kill switch · 30-day money-back

