Study on the Wi-Fi security situation in Mexico | Kaspersky official blog
One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. Weβve already covered how cybercriminals are prepping for the World Cup online, and today weβre talking about digital security for fans on the ground in Mexico.
The country will host 13 matches and welcome millions of tourists. Theyβll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spotsΒ β and everywhere they go, the temptation to connect to public Wi-Fi will be high.
Weβve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey β and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldnβt go on vacation without reliable protection and an eSIM.
What and how we tested
Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though thatβs exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?
This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. Thatβs why we went wardrivingΒ β scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. Itβs similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.
All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kasperskyβs Global Research and Analysis Team (GReAT) didnβt attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.
Our main target was Mexico City β the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, ZΓ³calo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, CoyoacΓ‘n.
In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.
We used passive radio reconnaissance to log 84Β 500 signals and 69Β 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).
What we analyzed:
- Wireless network identifiers (SSIDs): the names that show up in your list of available Wi-Fi networks
- Information that can be gleaned from these identifiers
- Default router configurations and how ISPs deploy their networks
- Frequencies used and signal characteristics
- Channel load and radio frequency spectrum usage
- Wireless network security configurations:
- Open and insecure networks
- Networks with WPS enabled
- Secure networks (WPA2/WPA3) with WPS activated
You can find the full version of the study on the Securelist blog.
Telltale public Wi-Fi access point names
Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.
About 34% of the public Wi-Fi networks we logged didnβt bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how itβs likely configured by default.
Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access pointβs MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the routerβs manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brandβs models.
Is Mexican Wi-Fi well-protected?
An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:
- Secure (WPA2/WPA3)
- Unsecured (open/WEP)
- Weak (WPA)
- Undetermined
The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.
But security isnβt evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacksΒ β sacrificing security for the sake of convenience.
Whatβs more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networksΒ β about half of them utilized WPS. This shows that having WPA2/WPA3 is still not enough to consider a Wi-Fi access point safe, as additional features like WPS can still leave the door open to attacks.
What else every tourist needs to know
Digital risks on a trip arenβt limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Letβs break it all down.
Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.
Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan βeventsβ, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldnβt scan them with your smartphone unless you have a QR code threat analyzerΒ installed.
Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.
NFC and Bluetooth attacks. Leaving Bluetooth enabled in crowded places can also cause problems: someone might try to discover your device, track you, or initiate an unwanted pairing request. NFC services with contactless payments create additional risks tooΒ β especially when paying in sketchy spots.
How to protect yourself and your devices
Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. Itβs also important to remember that attackers can create fake networksΒ β so-called evil twinsΒ β disguised as legitimate public Wi-Fi in airports, hotels, cafΓ©s, and tourist spots.
For the average user, itβs practically impossible to tell how safe a specific access point is when trying to connect. Thatβs why the safest option is to use cellular data to access the internet β completely eliminating the need for Wi-Fi. Besides, thereβs no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.
If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar β especially unsecured β Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Havenβt picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.
Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:
- Donβt use public USB chargers
- Donβt send sensitive information over connections that arenβt secure
- Donβt log in to banking, email, or social media accounts over unsecured Wi-Fi
- Turn off Bluetooth and NFC while walking around in crowded places
- Donβt trust QR codes posted on the street
- Connect to public Wi-Fi only when absolutely necessary
What else to read to make sure cheering for your favorite team isnβt only exciting, but also safe:






