Everybody loves free Wi-Fi. It's an important factor for the connected traveler when they're choosing a hotel, and there are even websites dedicated to finding hotels with fast Wi-Fi and testing speeds. But there's a problem: it's inherently unsafe.
"Hotel Wi-Fi is designed for easy and frictionless access," says Stephen Moody, Solutions Director, EMEA at ThreatMetrix. "Devices are connecting to insecure, non-encrypted Wi-Fi networks." The bottom line is this: use hotel Wi-Fi and you may be open to scams, hacks, viruses and malicious software attacks.
What's wrong with Wi-Fi?
The very nature of Wi-Fi, with traffic from all mobile devices broadcast loudly over the airwaves, makes any public Wi-Fi network insecure. "With a cheap Wi-Fi adapter and some free software anyone can listen in on all conversations your phone or laptop is having with the outside world," says Glenn Wilkinson, senior security analyst at SensePost.
"In general terms hotels have not implemented a network with business class segmentation," says Paul Leybourne, Head of Sales at Vodat International. "Many hotels also do not restrict the sites that guests can view, which leaves them wide open for external people to access."
Public and hotel Wi-Fi doesn't use WPA. "Any device that is connected to hotel Wi-Fi is effectively sending all data in clear-text, allowing a remote attacker to identify and extract information," says Adam Tyler, Chief Innovation Officer of CSID.
Why is hotel Wi-Fi considered especially risky?
"The sophisticated security systems usually in place on corporate networks are not present on these kind of connections," says Moody, who maintains that it's easier for cybercriminals to execute Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks due to the lowered security standard.
A 2015 report from Cylance found a critical vulnerability in the ANTlabs InnGate product used by hotels, which affected 277 hotels across 29 countries. The vulnerability enabled attackers to monitor and tamper with data traffic from Wi-Fi connections and gain access to hotels' management systems.
Who's intercepting hotel Wi-Fi?
Hotels are 'dirty' because of who's staying in them – you. "Hotel networks are very lucrative targets for cybercriminals," says David Emm, Principal Security Researcher at Kaspersky Lab, which last year published details of the Darkhotel espionage campaign that targets C-Level executives while they stay in luxury hotels.
"The criminal gang compromises hotel Wi-Fi networks and then waits for a victim to logon to the network, before tricking them into downloading and installing a backdoor, which in turn infects the device with spying software," says Emm.
This is the 'Evil Twin' hack. "Hackers set up a fake network to mirror the real, freely available one, users unwittingly connect to the fake network, and then a hacker can steal account names and passwords, redirect victims to malware sites, and intercept files," says Steve Fallin, Senior Product Manager at NetMotion Wireless.
Last year, the Darkhotel group of hackers surfaced with a new attack, aimed at exploiting hotel Wi-Fi to target business travelers staying at high-end hotels. While they have long used Trojans combined with targeted phishing attacks, their latest efforts have evolved to use the Inexsmar malware. They use multi-stage Trojans, and the group has also targeted political figures using these techniques.
Tools like the Snoopy drone and Mana can automate these attacks and target a large number of people simultaneously. "They have the ability to profile your device and figure out where you live and work," says Wilkinson, who invented the Snoopy drone to prove how easy it is to emulate a Wi-Fi network and trick smartphones into connecting to it – and then steal data.
"Unless your data is encrypted and sharing is turned off hackers are free to rifle through all of the data on your device or whatever is passing through your connection," says Fallin. The lesson is simple; assume all alien Wi-Fi networks are insecure.
Are some hotels riskier than others?
Absolutely – the higher the class of guests, the greater the chance that hackers are about. "Hotel Wi-Fi comes with a particular risk, as it's a likely concentration of valuable targets like business travellers," says David Chismon, senior researcher at MWR Infosecurity. "Upmarket hotels are still more likely to have high-value targets such as executives, while Wi-Fi in business class lounges is also a highly tempting hunting ground for attackers."
What are the cybercriminals after?
Your digital footprint. "Cybercriminals aren't interested in a laptop or email addresses in isolation, but in stealing a victim's online ID and gaining access to all the resources they are able to connect to," says Emm. The target isn't the laptop itself, but company servers, emails and other remote resources.
Are we safe with SSL websites?
You shouldn't assume that using SSL websites (those using 'https://') means you're protected. "You might think you're protected if you only use SSL websites, but beyond passive listening an attacker in another hotel room can redirect your traffic via his machine, and easily defeat SSL," says Wilkinson.
Nor are portals safe. "Networks that have portals requiring a username and password can also still be intercepted or manipulated by an attacker," says Chismon.
How can I stay safe on hotel Wi-Fi?
The threats are many, but the solution is simple – use a Virtual Private Network (VPN). "This will encrypt traffic leaving your devices all the way to your VPN server," says Wilkinson. "Most IT departments should have one for employees to use, or these services can be rented for a small fee."
"A VPN encrypts traffic data, making it far more difficult to sniff," says Crocker, who advises that all business travellers turn off file sharing, check firewalls are up to date and patched, use different passwords, force HTTPS wherever possible, and turn Wi-Fi off when it's not being used.
Is there a safer alternative to hotel Wi-Fi?
Public and citywide Wi-Fi is just as risky; consider these networks unencrypted and open. If you're a commuter using public Wi-Fi, you're putting corporate data at risk.
The safest way for businesses and frequent international travelers to get online while abroad is via the mobile network. Where possible, travelers are advised to use mobile 4G connections, either by tethering to their phone or by using a dongle. Many providers now offer free data roaming in numerous countries, although those after a 'little black box' global Wi-Fi hotspot for multiple devices also have options.
The Goodspeed 4G Hotspot is available for $149, offers a daily flat rate of $8.50 for 250MB of data when roaming, and has password-protected coverage in 85 countries. Other global operators are now starting to offer unlimited EU/global data plans for business customers, while those visiting remote places can rent a mobile hotspot from TEP or Vision Global WiFi.
Is mobile data as good as hotel Wi-Fi?
"In many locations the upload and download speeds are as good, if not better than Wi-Fi," says Leybourne. "Mobile data is more secure than Wi-Fi due to the encryption automatically applied to CDMA/LTE and HSDPA/3G-based connections by mobile operators," adds Tyler. "There is no longer an excuse not to use them."
"An alternative would be to look into products like iPass or Skype Wi-Fi in combined usage with VPN technology to secure the connections used," says Moody.
What should hotels do to secure their Wi-Fi?
Securing their own Wi-Fi would seem the most sensible option for hotels, especially since there are legal implications for hotels offering Wi-Fi networks that get hacked.
"With the demand for free Wi-Fi on the rise, hotels need to ensure they are integrating the latest solutions that can provide packages that are tailored to guests' download demands and cost requirements," thinks Lee Marsden, President of ZyXEL Europe.
"Connectivity and security vendors are increasingly looking to provide Unified Threat Management (UTM) solutions to both public spaces and hotels alike." UTM means network security for guests, and helps meet the growing demand for higher-speed web connections. This doesn't just apply to hotels – coffee shops, train stations and towns need to consider UTM, too.
Over time, things should also improve. Following the discovery in 2017 of the KRACK vulnerability, which exploits the four-way handshake a client performs to join a wireless network, the Wi-Fi Alliance announced its new security protocol, known as WPA3, at CES 2018. Expected to be available in 2018, the enhancements will include encrypted security sessions even at public wireless hotspots.
When in doubt, a belt-and-braces approach is best – business travellers should routinely use a VPN or their mobile network, because free hotel Wi-Fi could prove hugely costly.