Q: The hotel that I sometimes stay in offers either WiFi or cable connection in my room. I know that WiFi can be hacked into, so I always connect via cable. My communications are safe that way, right?
A: The answer is “no.” Your communication is just as vulnerable when using a hotel cable connection as it would be if you were using WiFi.
This actually was one of the most shocking things that I learned about Internet communications before starting Private Communications Corporation. Like many of you, I was dimly aware about the vulnerability of WiFi . But I assumed that if I plugged directly into the hotel’s network with a cable that I was safe.
This turns out to be false.
To understand why, we have to look back about 35 years. The technology used for most in-house networks, called Local Area Networks (LANs), originated back in the mid-1970s at Xerox’s famous PARC research lab. LANs were designed to be able to share information within an organization, such as a business. It was assumed, then, that everyone on the LAN could basically be trusted, so no security was necessary.
And that fundamental oversight has been carried forward ever since.
That is not a major problem when the LAN is used internally, such as a business. But the same technology is used for hard-wired Internet access in hotels, and that is a serious problem.
Promiscuous Monitoring, ARP Spoofing
There are several ways to hack hotel LANs, but two the two main ones carry the colorful names of “promiscuous monitoring” and “ARP spoofing.”
Promiscuous monitoring can be used on hotel networks which use a “hub” configuration, which passes everyone’s communication thorough the same cable. (Only about 20% of hotels use this technique, but you have no way of knowing whether they do or not.) So all a hacker has to do is turn on an option in his “network interface card” to listen “promiscuously,” and the communications from every hotel guest can be captured and stored on his laptop.
Almost every laptop, whether PC or Mac, has the ability to do this. It only takes a bit of software that, naturally, is readily available on the Internet.
“ARP spoofing” is more insidious yet also more esoteric as it is very difficult for the hotel to protect against. (That is one reason why most hotels actually have two LANs – one for their internal business, the other for guests.)
With ARP spoofing a hacker convinces the network his laptop is actually that central node with the Internet connection, so all the guest’s communications are re-directed to through him. This is called a man-in-the-middle attack. He can store your communication – or even modify it if he wishes – before sending it on to the Internet. Chances are, no one will ever know what happened. At least until the next credit-card billing cycle.
The only way to protect yourself in hotels, whether using WiFi or a cable connection, is to use a VPN such as Private WiFi™.
Editor’s note: Have a question you’d like to submit for an upcoming “Ask the Expert” column? Email your name and question to firstname.lastname@example.org.