Everybody loves free Wi-Fi. It's an important factor for the connected traveler when they're choosing a hotel, and there are even websites dedicated to finding hotels with fast Wi-Fi and testing speeds. But there's a problem: it's inherently unsafe.
"Hotel Wi-Fi is designed for easy and frictionless access," says Stephen Moody, Solutions Director, EMEA at ThreatMetrix. "Devices are connecting to insecure, non-encrypted Wi-Fi networks." The bottom line is this: use hotel Wi-Fi and you may be open to scams, hacks, viruses and malicious software attacks.
What's wrong with Wi-Fi?
The very nature of Wi-Fi, with traffic from all mobile devices broadcast loudly over the airwaves, makes any public Wi-Fi network insecure. "With a cheap Wi-Fi adapter and some free software anyone can listen in on all conversations your phone or laptop is having with the outside world," says Glenn Wilkinson, senior security analyst at SensePost.
"In general terms hotels have not implemented a network with business class segmentation," says Paul Leybourne, Head of Sales at Vodat International. "Many hotels also do not restrict the sites that guests can view, which leaves them wide open for external people to access."
Public and hotel Wi-Fi doesn't use WPA. "Any device that is connected to hotel Wi-Fi is effectively sending all data in clear-text, allowing a remote attacker to identify and extract information," says Adam Tyler, Chief Innovation Officer of CSID.
Why is hotel Wi-Fi considered especially risky?
"The sophisticated security systems usually in place on corporate networks are not present on these kind of connections," says Moody, who maintains that it's easier for cybercriminals to execute Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks due to the lowered security standard.
A 2015 report from Cylance found a critical vulnerability in the ANTlabs InnGate product used by hotels, which affected 277 hotels across 29 countries. The vulnerability enabled attackers to monitor and tamper with data traffic from Wi-Fi connections and gain access to hotels' management systems.
Who's intercepting hotel Wi-Fi?
Hotels are 'dirty' because of who's staying in them – you. "Hotel networks are very lucrative targets for cybercriminals," says David Emm, Principal Security Research at Kaspersky Lab, which last year published details of the Darkhotel espionage campaign that targets C-Level executives while they stay in luxury hotels.
"The criminal gang compromises hotel Wi-Fi networks and then waits for a victim to logon to the network, before tricking them into downloading and installing a backdoor, which in turn infects the device with spying software," says Emm.
This is the 'Evil Twin' hack. "Hackers set up a fake network to mirror the real, freely available one, users unwittingly connect to the fake network, and then a hacker can steal account names and passwords, redirect victims to malware sites, and intercept files," says Steve Fallin, Senior Product Manager at NetMotion Wireless.
Last year, the Darkhotel group of hackers surfaced with a new attack, aimed at exploiting hotel Wi-Fi to target business travelers staying at high-end hotels. While they have long used Trojans combined with targeted phishing attacks, their latest efforts have evolved to use the Inexsmar malware. They use multi-stage Trojans, and the group has also targeted political figures using these techniques.
Tools like the Snoopy drone and Mana can automate these attacks and target a large number of people simultaneously. "They have the ability to profile your device and figure out where you live and work," says Wilkinson, who invented the Snoopy drone to prove how easy it is to emulate a Wi-Fi network and trick smartphones into connecting to it – and then steal data.
"Unless your data is encrypted and sharing is turned off hackers are free to rifle through all of the data on your device or whatever is passing through your connection," says Fallin. The lesson is simple; assume all alien Wi-Fi networks are insecure.
Are some hotels riskier than others?
Absolutely – the higher the class of guests, the greater the chance that hackers are about. "Hotel Wi-Fi comes with a particular risk, as it's a likely concentration of valuable targets like business travellers," says David Chismon, senior researcher at MWR Infosecurity. "Upmarket hotels are still more likely to have high-value targets such as executives, while Wi-Fi in business class lounges is also a highly tempting hunting ground for attackers."
Securing your digital lifestyle doesn’t have to be a tedious or expensive process. You can achieve that in the next 60 seconds by downloading a trial of CyberGhost VPN here, risk free.