Everybody loves free Wi-Fi. It’s one of the number one reasons for choosing a hotel, and there are even websites dedicated to it. But it’s not safe.
“Hotel Wi-Fi is designed for easy and frictionless access,” says Stephen Moody, Solutions Director, EMEA at ThreatMetrix. “Devices are connecting to insecure, non-encrypted Wi-Fi networks.” The bottom line is this: use hotel Wi-Fi and you may be open to scams, hacks, viruses and malicious software attacks.
The very nature of Wi-Fi, with traffic from all mobile devices broadcast loudly over the airwaves, makes any public Wi-Fi network insecure. “With a cheap Wi-Fi adapter and some free software anyone can listen in on all conversations your phone or laptop is having with the outside world,” says Glenn Wilkinson, senior security analyst at SensePost.
“In general terms hotels have not implemented a network with business class segmentation,” says Paul Leybourne, Head of Sales at Vodat International. “Many hotels also do not restrict the sites that guests can view, which leaves them wide open for external people to access.”
Public and hotel Wi-Fi doesn’t use WPA. “Any device that is connected to hotel Wi-Fi is effectively sending all data in clear-text, allowing a remote attacker to identify and extract information,” says Adam Tyler, Chief Innovation Officer ofCSID.
“The sophisticated security systems usually in place on corporate networks are not present on these kind of connections,” says Moody, who maintains that it’s easier for cybercriminals to execute Man-in-the-Middle (MitM) and Man-in-the-Browser (MitB) attacks due to the lowered security standard.
A recent report from Cylance found a critical vulnerability in the ANTlabs InnGateproduct used by hotels. “This software vulnerability affects 277 hotels across 29 countries,” says Andy Crocker, CEO of cyber security company Protect2020. “The vulnerability gives attackers the ability to monitor and tamper with data traffic from Wi-Fi connections and gain access to hotels’ property management systems.”
Hotels are ‘dirty’ because of who’s staying in them – you. “Hotel networks are very lucrative targets for cybercriminals,” says David Emm, Principal Security Research at Kaspersky Lab, which last year published details of the Darkhotelespionage campaign that targets C-Level executives while they stay in luxury hotels.
“The criminal gang compromises hotel Wi-Fi networks and then waits for a victim to logon to the network, before tricking them into downloading and installing a backdoor, which in turn infects the device with spying software,” says Emm.
This is the ‘Evil Twin’ hack. “Hackers set up a fake network to mirror the real, freely available one, users unwittingly connect to the fake network, and then a hacker can steal account names and passwords, redirect victims to malware sites, and intercept files,” says Steve Fallin, Senior Product Manager atNetMotion Wireless.
Tools like the Snoopy drone and Mana can automate these attacks and target a large number of people simultaneously. “They have the ability to profile your device and figure out where you live and work,” says Wilkinson, who invented the Snoopy drone to prove how easy it is to emulate a Wi-Fi network and trick smartphones into connecting to it – and then steal data.
“Unless your data is encrypted and sharing is turned off hackers are free to rifle through all of the data on your device or whatever is passing through your connection,” says Fallin. The lesson is simple; assume all alien Wi-Fi networks are insecure.
Absolutely – the higher class of guests, the better chance that hackers are about. “Hotel Wi-Fi comes with a particular risk as it is a likely concentration of valuable targets like business travellers,” says David Chismon, senior researcher at MWR Infosecurity. “Upmarket hotels are still more likely to have high-value targets such as executives while Wi-Fi in business class lounges is also a highly tempting hunting ground for attackers.”
Your digital footprint. “Cybercriminals aren’t interested in a laptop or email addresses in isolation, but in stealing a victim’s online ID and gaining access to all the resources they are able to connect to,” says Emm. The target isn’t the laptop itself, but company servers, emails and other remote resources.
You shouldn’t assume SSL websites (those using ‘https://’) mean that you’re protected. “You might think you’re protected if you only use SSL websites, but beyond passive listening an attacker in another hotel room can redirect your traffic via his machine, and easily defeat SSL,” says Wilkinson.
Nor are portals safe. “Networks that have portals requiring a username and password can also still be intercepted or manipulated by an attacker,” says Chismon.
The threats are many, but the solution is simple – use a Virtual Private Network(VPN). “This will encrypt traffic leaving your devices all the way to your VPN server,” says Wilkinson. “Most IT departments should have one for employees to use, or these services can be rented for a small fee.”
“A VPN encrypts traffic data, making it far more difficult to sniff,” says Crocker, who advises that all business travellers turn off file sharing, check firewalls are up to date and patched, use different passwords, force HTTPS wherever possible, and turn Wi-Fi off when it’s not being used.
Public and citywide Wi-Fi is just as risky; consider these networks unencrypted and open. If you’re a commuter using public Wi-Fi, you’re putting corporate data at risk.
The safest way for businesses and frequent international travellers to get online while abroad is via the mobile network. “Where possible, travellers are recommended to use mobile 3G or 4G connections, either tethering to their phone or having a MiFi-style device,” says Chismon. Some providers now offer free data roaming in numerous countries – the most prominent being Three’sFeel At Home schemes – though those after a ‘little black box’ global Wi-Fi hotspot for multiple devices also have options.
The Goodspeed box has room for nine SIM cards, offers a daily flat rate of €5.90 (around £4.30, or $6.60) or €9.90 (around £7.20, or $11.10) for 500MB or 1GB of data when roaming, and has password-protected coverage in 60 countries. Other global operators are now starting to offer unlimited EU/global data plans for business customers, while those visiting remote places can rent a mobile hotspot from TEP or XCom Global.
“In many locations the upload and download speeds are as good, if not better than Wi-Fi,” says Leybourne, who thinks that data plans are improving all the time. “Mobile data is more secure than Wi-Fi due to the encryption automatically applied to CDMA/LTE and HSDPA/3G-based connections by mobile operators,” says Tyler. “There is no longer an excuse not to use them.”
“An alternative would be to look into products like iPass or Skype Wi-Fi in combined usage with VPN technology to secure the connections used,” says Moody.
Page optimized by WP Minify WordPress PluginUA-34972506-1