AnonymFlow

Mobile hotspot vs public WiFi: which is really safer in 2026

A comparison of the attack surface of a shared 4G/5G hotspot and airport or hotel public WiFi: who sees what on the mobile carrier side versus the hotspot provider side, real data cost, and the safest stack with a VPN.

By Eric Gerard · Editor · NordLink Intel · 14 min read

The choice between a mobile hotspot (tethering a 4G or 5G connection from your smartphone) and public WiFi (airport, hotel, or café network) has become a routine trade-off for the remote worker on the move, the traveller, or simply anyone who wants to check email away from home. The question is often framed as a binary — "which is safer" — when in fact the two technologies have profoundly different attack surfaces, and the right answer depends as much on use case as on context.

This guide precisely compares what each actor (mobile carrier, WiFi hotspot provider, potential local attacker) can see and do depending on the technology, gives concrete data cost figures for 2026, and presents the most defensive stack (mobile hotspot + VPN) for high-stakes activities.

How each technology works

To compare what each actor can technically see, we first need to understand the topology of each connection.

Mobile hotspot — 4G or 5G tethering via your phone. When you enable tethering (Personal Hotspot on iOS, Mobile Hotspot on Android), your phone becomes a Wi-Fi router. On the cellular radio side, the phone establishes an encrypted connection to a carrier tower (EE, Vodafone UK, O2, Three in the UK; Verizon, AT&T, T-Mobile in the US) via the 4G LTE or 5G NR standards. On the local Wi-Fi side, the phone broadcasts a private SSID with a WPA2 or WPA3 password, and other devices (your laptop, your tablet) connect to it just like any other router. Traffic from those devices flows through the phone, then through the tower, then through the carrier's core network, then out to the internet. Two encrypted links in chain: local Wi-Fi (WPA2/WPA3) + cellular radio (NEA2/5G-EA).

Public WiFi — a centralised operator. You join the SSID at the airport, café, or hotel. Authentication via a shared password at the counter, or an open network with a captive portal. Traffic flows through the venue's Wi-Fi router, then through the venue's internet connection (fibre, business broadband, or sometimes 4G/5G as backup). On the Wi-Fi radio side, encryption depends on the version: WPA3 (rare in 2026 outside major recently-built venues), WPA2-PSK with a shared password (most common), or open with no encryption (simple cafés, some airports). On the internal infrastructure side, the hotspot operator can log and analyse traffic — that's the commercial purpose of Cisco Meraki, Aruba, and Ruckus deployments.

The key structural difference. On a mobile hotspot, an attacker within radio range can do nothing passively — the cellular link is encrypted by design. On open public WiFi or WPA2 with a password known to all, another client on the same network can potentially sniff other clients' traffic in promiscuous mode. That's the technical basis for why a mobile hotspot is by default safer than public WiFi — passive local attack is simply impossible on cellular.

Technical details: 4G LTE uses algorithms EEA1 (Snow 3G), EEA2 (AES-128 in counter mode), EEA3 (ZUC, optimised for China) for radio layer encryption, as described in 3GPP specifications. 5G NR adds 5G-EA with strengthened suites (AES-256 possible) and IMSI encryption at initial registration (SUCI). Wikipedia's 5G Security article covers the full stack in detail.

Compared attack surface — who can do what

The table below summarises actors and their capabilities by technology. Read row by row — each actor has different access in each scenario.

| Actor | 4G/5G hotspot | Open public WiFi | WPA2-PSK public WiFi | WPA3 public WiFi |
| --- | --- | --- | --- | --- |
| Your mobile carrier | Sees DNS + destination IP | | | |
| Hotspot operator | | Sees DNS + IP + commercial tracking | Sees DNS + IP + commercial tracking | Sees DNS + IP (client/AP encryption) |
| Other connected client | No access | Can sniff (Wireshark) | Can sniff (shared PSK) | Cannot sniff (OWE/SAE) |
| Passive attacker in radio range | No access (radio encrypted) | Can sniff (radio in cleartext) | No direct access | No direct access |
| Active attacker in radio range (Evil Twin) | Very difficult (fake BTS = IMSI catcher, expensive) | Easy (fake SSID) | Easy (fake SSID + same PSK) | More difficult |
| Commercial tracking (Meraki, MAC analytics) | Limited (carrier only) | Full tracking via OUI/MAC | Full tracking | Partial (OWE encrypts per client) |
| Compromised captive portal | Not applicable | Possible | Possible | Possible |

Reading the table. On a mobile hotspot, the list of actors with access to your traffic shrinks dramatically compared to public WiFi. Only your mobile carrier has meaningful visibility — and that's exactly the same visibility an ISP has at home. Local attack vectors (sniffing, Evil Twin, compromised captive portals, commercial MAC tracking) become inapplicable or very expensive for the attacker. On WPA2-PSK public WiFi with a password written on a chalkboard (the most common scenario in 2026), the attack surface includes every other client on the same network — which potentially includes an opportunistic attacker with minimal equipment.

Important case: WPA3 public WiFi with OWE (rare but emerging in 2026) eliminates the possibility of sniffing between connected clients — each client has a unique ephemeral key with the AP. But the hotspot operator still sees the traffic and can track users. So WPA3 improves the public WiFi picture without making it equivalent to a mobile hotspot from a privacy-versus-the-operator standpoint.

Practical cases — when to prefer a hotspot, when to prefer WiFi

Beyond raw security, several practical criteria factor into the decision: speed, battery, data cost, context. Here are the typical profiles.

Profile 1 — Email + standard web browsing on the move. Common scenario: traveller on a train, remote worker in a café, conference attendee. Recommendation: mobile hotspot by default. Consumption is moderate (~50 MB/h browsing, ~10 MB/h email), so even a modest plan (10 GB/month) comfortably covers a day of mobile work. Security is noticeably better than public WiFi. The phone battery drains faster — bring a power bank or find a charging point. On dense urban 5G, throughput is more than sufficient for comfort.

Profile 2 — Extended video calls (Zoom, Teams) on the move. Typical scenario: a full day of meetings from an Airbnb with unreliable WiFi. Recommendation: depends on 5G coverage. In a stable 5G zone, the mobile hotspot remains viable (~500 MB/h in HD, roughly 4 GB for a full day). In 4G with patchy coverage, latency and dropouts make the experience inconsistent — switching to public WiFi may be necessary. If public WiFi is unavoidable, always enable the VPN with kill switch (see public WiFi risks 2026).

Profile 3 — Extended video streaming (Netflix, YouTube). Recommendation: home WiFi or reliable public WiFi. Data costs on a hotspot become prohibitive (3 GB/h at 1080p, 7 GB/h at 4K). A 100 GB/month plan evaporates in a few hours of streaming. Public WiFi remains technically viable, provided you have an active VPN and don't enter sensitive credentials on the captive portal.

Profile 4 — Accessing banking or a sensitive work account. Recommendation: mobile hotspot without hesitation. The reduced attack surface and the impossibility of local sniffing make it the right medium for high-stakes operations. Add a VPN to close the leak to your carrier. The data overhead is negligible (banking uses a few MB at most). This practice is recommended by several corporate CSIRTs for sensitive operations while travelling.

Profile 5 — Large file download (OS update, system ISO, heavy video). Recommendation: WiFi. The mobile hotspot is too expensive in data terms, and urban 5G is still subject to carrier fair-use throttling policies in some plans. Use home WiFi, or wait until you're at a trusted partner's network.

Profile 6 — International traveller with a partner carrier. Recommendation: depends on your roaming plan. Within the EU, "roam like at home" means your domestic plan works identically abroad — prefer the mobile hotspot. Outside the EU, roaming charges can make the mobile hotspot catastrophic (significant per-MB fees in some countries). Buying a local eSIM (Airalo, Holafly) solves this and restores the mobile hotspot advantage. Failing that, public WiFi with a VPN becomes the pragmatic economic option.

Real data cost by activity — 2026 figures

Ballpark figures for planning your monthly hotspot consumption. Data measured internally and cross-referenced with Ofcom and FCC reports and public carrier communications.

Light activities (< 100 MB/h).

  • Work email with continuous sync: ~5–10 MB/h
  • Messaging (WhatsApp, Signal, iMessage): ~5–15 MB/h
  • Text-heavy web browsing (news, research): ~30–80 MB/h
  • Banking, government portals (HMRC, SSA): ~10–30 MB/h
  • Social media light scrolling (Twitter/X, LinkedIn): ~50–100 MB/h

Medium activities (100–500 MB/h).

  • Standard web browsing with images: ~100–200 MB/h
  • Audio streaming (Spotify, Apple Music, podcasts): ~50–150 MB/h depending on quality
  • Standard video 480p (YouTube, online training): ~250–400 MB/h
  • HD video call (Zoom, Teams, Google Meet): ~500 MB/h
  • Social media with video autoplay: ~300–600 MB/h

Heavy activities (> 1 GB/h).

  • HD video streaming 720p: ~1.5 GB/h
  • HD video streaming 1080p: ~3 GB/h
  • 4K video streaming: ~7 GB/h
  • OS update or system ISO download: variable, often 3–10 GB for a major update
  • Cloud gaming (GeForce Now, Xbox Cloud): ~10–15 GB/h

Typical carrier plans in the UK and US, 2026 (indicative order).

  • 100–150 GB plans: ~£15–30 / $20–40 per month (sufficient for occasional hotspot use)
  • 200–300 GB plans: ~£25–40 / $35–55 per month (regular hotspot use)
  • Unlimited 5G plans: ~£35–55 / $50–80 per month (intensive use, nomadic remote work — EE Max, Verizon Unlimited Ultimate, T-Mobile Go5G Plus)

Practical tip. For a remote worker who uses their hotspot 2–3 days a month for email, web, and moderate video calls, 100 GB is plenty. For a full-time digital nomad, switching to an unlimited 5G plan eliminates budget anxiety and allows working exclusively on a mobile hotspot.


Combining mobile hotspot + VPN — the safest stack

For use cases where security takes priority (sensitive banking, remote work on confidential data, journalism on the move, travel to high-risk jurisdictions), combining a mobile hotspot with a VPN closes virtually every local attack vector and hides your activity from your mobile carrier. It's the most complete defensive stack available to an ordinary user.

Recommended setup. Step 1: enable tethering on your phone (Personal Hotspot on iOS, Mobile Hotspot on Android), with WPA2 or WPA3 and a strong password. Step 2: connect your laptop or tablet to the phone's private SSID. Step 3: activate the VPN client on the end device (laptop, tablet), with the kill switch set to system mode. Step 4: verify the absence of leaks via our DNS leak test tool. Step 5: confirm the visible IP with our IP address tool.
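The leak check in step 4 can also be approximated locally. The following is an added example, not code from this site or its leak test tool: it reads Linux `ip route show` output and `resolv.conf` and reports DNS resolvers whose traffic would bypass the tunnel. The interface names (`wlan0`, `tun0`, `wg0`), addresses and sample text are constructed assumptions, and it covers IPv4 and the main routing table only.

```python
import ipaddress

# Constructed sample of `ip route show` on a laptop tethered over wlan0 with an
# OpenVPN-style tunnel on tun0; every address here is made up for the example.
SAMPLE_ROUTES = """\
default via 172.20.10.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.20.10.0/28 dev wlan0 proto kernel scope link src 172.20.10.2 metric 600
"""
# Constructed resolv.conf: the second resolver is the one the phone handed out.
SAMPLE_RESOLV = "nameserver 10.8.0.1\nnameserver 172.20.10.1\n"

def parse_routes(text):
    """Return [(network, device)] parsed from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line or a route type without an egress device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is a keyword, not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, ip):
    """Longest-prefix match over one table (metrics ignored); None if no match."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def leaking_resolvers(route_text, resolv_text, tunnel_devs=("tun0", "wg0")):
    """Resolvers in resolv.conf whose packets would leave outside the tunnel."""
    routes = parse_routes(route_text)
    leaks = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        if ipaddress.ip_address(fields[1]).is_loopback:
            continue  # local stub resolver: its upstream is not visible here
        dev = egress_device(routes, fields[1])
        if dev not in tunnel_devs:
            leaks.append((fields[1], dev))
    return leaks
```

On the sample, the phone-supplied resolver sits on the tethering subnet, so its more specific link route wins over the tunnel's half-default routes and DNS queries to it go out in the carrier's view. A VPN client that uses policy routing (separate tables selected by rules) is not visible in this output, so a clean result here does not replace an external leak test.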

Why this configuration wins. The mobile hotspot closes local attacks (sniffing, Evil Twin, captive portal). The VPN closes the leak to the mobile carrier (who would otherwise see DNS and destination IPs). Encrypted cellular layer + encrypted local Wi-Fi layer + encrypted VPN tunnel = triple defensive layer. An attacker wanting to break this stack would need to either compromise your device, compromise the VPN server, or compromise the carrier's core network — three separate and costly targets.

When it's overkill. For ordinary web browsing with nothing at stake, it's too much. For checking personal emails while waiting for a train, it's too much. A mobile hotspot alone (without a VPN) already neutralises local attacks — the VPN adds privacy against the carrier, not raw security. Enabling the VPN when the activity justifies it (banking, work email, remote work) and leaving it off otherwise is a reasonable approach.

When it's not enough. For a journalist with a source in a high-risk country, a whistleblower, or any activity of very high value targeted by a state actor — a hotspot + VPN stack is still insufficient. You need to add Tor (ideally from Tails on a USB stick), operate from a dedicated device, use an anonymous or prepaid SIM not linked to your identity, and compartmentalise strictly. See Tor vs VPN — differences and combination for details.

Battery limitation. Tethering drains the phone's battery at an accelerated rate (active cellular radio + Wi-Fi broadcasting simultaneously). For extended use, bring a power bank or plug in. On 5G, power consumption is higher than on 4G — switching to 4G in network settings can extend battery life if the throughput is sufficient.

International roaming limitation. Outside the EU, data costs can explode. Prepare with a local eSIM (Airalo, Holafly, Nomad), or subscribe to your carrier's specific roaming add-on. Failing that, public WiFi with a VPN becomes the pragmatic solution — less defensive, but economically viable.

Summary: decision by use case

Three practical rules cover the decision for the majority of cases.

Rule 1 — Default to the mobile hotspot. Except in specific cases (heavy downloads, extended HD streaming, area without 4G/5G coverage), the combination of superior security + greater privacy + instant deployment makes the mobile hotspot preferable to public WiFi for the majority of mobile use.

Rule 2 — If public WiFi is unavoidable, keep the VPN active. No public WiFi without a VPN with kill switch enabled. This is non-negotiable for any activity beyond passively consuming public information. The VPN closes the main leaks (SNI, DNS, IP) and neutralises local attacks. See VPN kill switch explained for details on this critical piece.

Rule 3 — Hotspot + VPN combination for high-stakes activities. Sensitive banking, remote work on confidential data, journalism, travel to a high-risk jurisdiction: combine both layers. Marginal data overhead, substantial defensive gain.

Further reading

The choice between mobile hotspot and public WiFi isn't a matter of fashion — it's an arbitrage between security, cost, and availability. For the majority of mobile use cases, the mobile hotspot wins on security against local attacks and on privacy against commercial WiFi operators — at the cost of data consumption. Combined with an audited VPN with a kill switch, it's the most defensive stack available to an ordinary user in 2026. On public WiFi that can't be avoided (no mobile hotspot on a plane, no cellular coverage in a basement, roaming costs outside the EU), a VPN remains the structural measure. To regularly verify that your VPN is doing its job, our complete VPN audit in 9 tests is the reference procedure.



Article published on 29 May 2026. Methodology: synthesis of 3GPP specifications on 4G LTE and 5G NR (TS 33.401 LTE security, TS 33.501 5G security), Ofcom and FCC mobile market reports 2023–2025, academic publications on IMSI catchers (SecureComm papers 2018–2021), and data consumption measurements conducted internally over three months (March–May 2026) on a Pixel 8 + MacBook + NordVPN setup. Carrier data cross-referenced with public communications from EE, Vodafone UK, O2, Three (UK) and Verizon, AT&T, T-Mobile (US).
