Should You Really Be Using The Hotel Wi-Fi?

I wish I could give you a resounding ‘Yes’ to answer this simple question, but in today’s cyber environment, and knowing all of the risks involved, I’d have to say you’d be better off not using it. I want to share a story that recently happened at a popular hotel that a lot of conference travelers frequent. This is just one of many examples involving public Wi-Fi connections.

As you are getting ready for your next conference trip or vacation, please keep this story in mind. If you would like to speak to me or someone on my team to find a solution that would work for traveling, we are here to help!

This story mimics many that have happened and reflects how criminals exploit Wi-Fi to get valuable data.

Three men dressed in business-casual attire. Backpacks in tow, they are eager to get into the nice downtown hotel, ready to cash in for the night.

As they move through the revolving door, they have money on their minds (they are not at a casino). These guys just entered a gold mine of data.

You might be thinking, why aren’t these guys targeting financial institutions—like credit unions or banks—where the actual money is? What many criminals have found is that places where money is spent—places like hotels—are much more lucrative and much less obvious targets.

Why specifically a hotel?

Think about the last time you stayed in a hotel for a conference, continuing education seminar, or vacation. Did you check your email? Were you connected to the hotel’s Wi-Fi? Hotels are hacked often because of the valuable data that passes in and out of them—not just credit card numbers, but other sensitive information. Hackers who go to the lengths of booking a room at a hotel are not in search of your credit card info—they are looking for other, more lucrative corporate data.

Now back to these 3 men. One goes to the front desk to check in. Another strolls the length of reception, scoping out the place. He might look harmless, but his mission is to identify the point-of-sale system (which is outdated), and he has just noticed that the access points are also on the older side—they know how to get into those, too. The third guy opens a mobile app called Fing, which is looking for hidden networks in the hotel.

While they wait for the staff to finish preparing their room, the three hackers have coffee in the lobby. At first glance, it seems as if they’re focused on the Weather Channel airing on the lobby TV, but they are really keen on getting into the hotel’s website with an exploit. Within 15 minutes they have domain admin rights to the site and have compiled a list of admin names at the hotel.

The hotel’s website is just one open door. These guys are looking for any opening. They could slip a USB drive into a register at the end of the bar (the bar currently isn’t manned) and log credit card numbers until somebody noticed the device (on average, drives aren’t detected for a day or two).

But what they really want in on is the property management system, where the hotel takes reservations, issues room keys and stores credit card data.

Better yet, the real bullseye—the sort that recently happened at a high-end New York City hotel—was when they accessed the PMS and gained access to the chain’s entire system. This gave one group of hackers over a year’s worth of transactions at several dozen hotels.

Getting credit card numbers is definitely not the lucrative business that it used to be. Their return on effort (ROE) would be capped at about 20 bucks per card—if that card still worked (banks have grown sophisticated fraud detection systems that have made credit card scams easy to detect).

The three men decide to have an early dinner while guests are still outside of their rooms, anticipating a full evening scheduled to delve into guest data.

As evening comes and the three men are settled in their room, they are picking up guests logging into all sorts of accounts. They’ve successfully gained access to bank accounts, work email, and accounting platforms to further exploit. The treasure trove of logins and exchanges humming around the hotel network has left a pile of lucrative information for these criminals to sort through over the next days or months. Some of the data will be (and has been) used to further exploit companies across the US.

Do you expect the hotel to protect your data?

How much of the responsibility for guarding electronic information transmitted over a hotel network falls on the hotel has been discussed and debated for some time. The bottom line is hotels have no clear ownership of your information (and many already provide disclaimers—maybe embedded in all of the fine print—that say as much).

Cybersecurity experts suggest that, at the very least, you ALWAYS use a VPN when working in a public space, including hotel rooms and coffee shops.

There are other concerns with hotel networks than simply protecting transmitted data.

In a variety of cases involving compromised hotel networks, including massive attacks at Marriott International last year, cybersecurity forensics teams found remote access Trojans (RATs) on the networks. This software allows hackers complete control over a target computer—along with installing malware on those computers and recording important login credentials.

Can’t the hotel beef up their Wi-Fi?

Of course there are ways for hotel proprietors to beef up Wi-Fi security on their networks. But the task of protecting electronic locks or guest Wi-Fi at individual properties falls on the operators of those properties—who may be dealing with thin profit margins as it is, spending money on specific things that their clientele visibly value—such as new carpet or fancier toiletries.

What can you learn from these three hackers?

Avoid public Wi-Fi. I know this might come off as hysteria, but the cases of compromised public Wi-Fi have seriously increased over the last few years (and criminals have found this open door to be one of the easiest ways to get their sticky fingers on your data). Avoid using open Wi-Fi connections for any sensitive data exchange, including email or banking.

Always use a VPN. I don’t care whether you don’t anticipate doing any work in your room. I know far too many people who end up spending at least a short period of time on email at night after a full day of conferencing and simply connect to the hotel Wi-Fi. This is no longer a safe option! Make sure you take at least one step to secure your session through a VPN.

Consider an alternative to Wi-Fi. Smart phones nowadays have the capability to work as a hot spot. Consider taking advantage of your cellular connection to work on your computer rather than rely on Wi-Fi when working in public. If you do spend a lot of time on the road, consider beefing up your cellular data plan or getting your organization to invest in a wireless MiFi device to use while out of the office rather than connecting to that Starbucks or Marriott free wireless connection.

Ask us for some advice. We have a full-time security team (CISSP certified) to help you navigate through security issues. Wi-Fi is one of the big targets for hackers today and I don’t want you getting caught up in anything unsavory. Let us know if you have questions or concerns about how you work while on the road.