New devices make hotspots a hacker's paradise

By Brett Winterford
Jun 18, 2009 9:45 AM | 1 Comment
Tags: hackers | tor | karma | security | hacklabs | gatford | IDC
Users advised to try TOR as a fallback option when without a VPN.

Airport lounges, train stations and hotels represent three of the easiest attack vectors for hackers, according to white hat hacker, Chris Gatford.

Speaking at IDC's SecurityVision conference today, Gatford said the vast majority of public hotspot users put their organisation's data at risk by connecting without a VPN to the "Linksys global wireless network" - his term for the open networks set up in people's homes and left unsecured.

Gatford, director of white hat hacking group HackLabs, said most hackers "do their best research when they are bored in airport lounges on their way to a conference."

"Hotspots generally do not encrypt traffic as it is difficult to provide encryption to temporary clients," he told the conference.

Without encryption, he said, any user input that is 'clear text' (data that is streamed in a form comprehensible by humans, such as instant messaging traffic) is available for attackers to read or inject other data into.

"It is easy to change the DNS settings, for example, and redirect the users to new URLs and destinations under the attackers control."

Gatford demonstrated the use of a commonly available tool called Karma which, at the software level, can listen for connection requests in a Wi-Fi cell and immediately impersonate the access point the user is attempting to connect to.

Several hackers have now used this software within a battery-powered hardware device, which can be placed in public spaces as an instant mobile rogue access point.
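The behaviour described above, a single radio that answers whatever network a nearby client asks for, leaves a signature a defender can look for in a wireless capture. The following is an added example, not code from the article, from HackLabs or from the Karma tool: it runs a simple heuristic over a constructed, simplified list of observed beacon and probe-response frames (one tuple per frame, not the format of any real sniffer) and flags any BSSID that claims many unrelated SSIDs, or answers probes for SSIDs it never advertises in its beacons. The thresholds `max_ssids` and `max_unadvertised` are assumed defaults that a deployment would tune.

```python
"""Rogue access point heuristic over a constructed frame log.

Added example, not from the article or from HackLabs. A legitimate access
point beacons one or a few SSIDs and answers probes only for those; a radio
that answers probes for many SSIDs it does not beacon is behaving the way
the article describes for Karma-style tools.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample frames: (frame_kind, bssid, ssid). The MAC addresses and
# network names are made up for this example.
SAMPLE_FRAMES = [
    ("beacon",     "aa:bb:cc:00:00:01", "AirportFreeWiFi"),
    ("probe_resp", "aa:bb:cc:00:00:01", "AirportFreeWiFi"),
    ("probe_resp", "aa:bb:cc:00:00:01", "AirportFreeWiFi"),
    ("beacon",     "de:ad:be:ef:00:01", "FreeWiFi"),
    ("probe_resp", "de:ad:be:ef:00:01", "linksys"),
    ("probe_resp", "de:ad:be:ef:00:01", "HomeNet-5G"),
    ("probe_resp", "de:ad:be:ef:00:01", "CorpGuest"),
    ("probe_resp", "de:ad:be:ef:00:01", "HotelWifi"),
]


@dataclass
class Finding:
    bssid: str
    ssids: list          # every SSID this BSSID offered in probe responses
    reasons: list = field(default_factory=list)


def summarise(frames):
    """Map each BSSID to the SSIDs seen in its beacons and probe responses."""
    seen = defaultdict(lambda: {"beacon": set(), "probe_resp": set()})
    for kind, bssid, ssid in frames:
        if kind in ("beacon", "probe_resp"):
            seen[bssid][kind].add(ssid)
    return seen


def find_suspect_bssids(frames, max_ssids=2, max_unadvertised=1):
    """Return a Finding for each BSSID whose probe responses look rogue.

    max_ssids: more distinct SSIDs than this in probe responses is flagged
      (a staff plus guest network is normal, a dozen is not).
    max_unadvertised: an AP with a hidden SSID legitimately answers a directed
      probe without beaconing it, so a single unadvertised SSID is tolerated.
    Both defaults are assumptions for this example, not figures from the talk.
    """
    findings = []
    for bssid, sets in summarise(frames).items():
        offered = sets["probe_resp"]
        unadvertised = offered - sets["beacon"]
        reasons = []
        if len(offered) > max_ssids:
            reasons.append(f"answered probes for {len(offered)} distinct SSIDs")
        if len(unadvertised) > max_unadvertised:
            reasons.append(f"{len(unadvertised)} SSIDs offered but never beaconed")
        if reasons:
            findings.append(Finding(bssid=bssid, ssids=sorted(offered), reasons=reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_bssids(SAMPLE_FRAMES):
        print(f"{finding.bssid}: {'; '.join(finding.reasons)}")
        print("  SSIDs offered:", ", ".join(finding.ssids))
```

Run against the sample log, only the second radio is reported; the airport access point beacons and answers for the one network it serves. In practice the frame list would be fed from a monitor-mode capture, and the heuristic is a prompt to investigate a radio, not proof on its own, since enterprise controllers can legitimately serve several SSIDs from one BSSID.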

The most obvious solution to the problem, Gatford said, is to use a VPN (virtual private network) when connecting to corporate systems from a public space.

"You should use a VPN for everything and assume you are always under attack," he said. "If there is no VPN when you access your network from your laptop in a public place, it is pretty much game over."

But Gatford acknowledges that it is hard for corporate IT departments to mandate the use of a VPN.

"It is very difficult to get a mobile user to conform to IT security standards," he said.

The problem is made worse when companies ask staff to use their own laptops to connect to corporate systems rather than commissioning them with secure, SOE-standard devices.

"Some companies have moved to check user laptops, putting them through a security audit first," he said. "But my experience is even if you do that, the user can go away for a month and miss a critical patch update."

Other speakers at the conference said they would find it "difficult to mandate VPN", even if there are mechanisms available to do it.

Gatford recommends that users disable Wi-Fi when it is not in use, use a VPN and, should a VPN not be available, use the TOR anonymity network so that traffic is encrypted as soon as it leaves the device.

"It will remove some, but not all, of the risk," he said.

Comments: 1
Agree that wireless hotspots are an easy way for hackers to gather information from connected corporate users. Especially SMTP and POP3 usernames and passwords. We currently use NetMotion Wireless mobile VPN to remove this threat. http://www.netmotionwireless.com. NetMotion includes server based policy so the user can not bypass the VPN on a hotspot. Regards, Patrick http://www.wirelessdata.com.au
Posted by Patrick Hooper | Jul 3, 2009 4:06 AM