Q: I read your article about the risks of using wifi in hotels. I just don’t understand why hotels would offer me something that leaves me so exposed. Hotels would never put me in a room without curtains on the windows or a deadbolt on the door, so why are hotels not doing more to protect me?
A: This is a question I’ve often wondered myself. Since hotels are such excellent venues in which to steal confidential information, why don’t they do more to protect us?
The simple truth is that most hotel wifi networks are completely unsecured.
In fact, the risks associated with using a hotel network are much greater than using a wireless network at your home or office. Recently, a group called TrustWave SpiderLabs released a study that showed hotel networks accounted for nearly 40% of security breaches in 2009.
You want to know what’s even worse than that?
Most hotels didn’t even know these breaches occurred for nearly five months!
Hotel networks face two types of risks:
- The first is the normal insecurity inherent to all wifi networks. I wrote about this topic a few weeks ago, and basically, there are just two ways hacking is done in public wifi hotspots. But it’s pretty simple, and it doesn’t even take a “geek” to figure it out these days.
- The second type, which I find much more surprising, is that fully wired Ethernet communications (as in, when you plug your computer’s Internet cable into the hotel’s network) might be just as insecure.
You mentioned that you had read my earlier article on this topic, so you probably will recall that even I assumed that if I plugged directly into the hotel’s network with a cable that I was safe. However, Ethernet is a system that connects a bunch of computers to form a LAN (local area network). Nearly 90% of all LANs use Ethernet, which is over 30 years old. When it was first created, no one assumed that anyone would do anything malicious. How times have changed!
Nearly 20% of hotels in the United States use a hub configuration LAN, where all network data is sent to every computer connected to the network. Each computer is only supposed to listen to data specifically intended for it, and ignore the rest.
However, anyone connected to the network can simply switch their laptop’s network card to “promiscuous mode” and view all the information sent over the entire network — unless that information is encrypted.
And if you have file sharing turned on (most people do but do not know it), all your files can be accessed.
Networks that use switches and routers are better because they send network traffic to a specific address. However, these networks are vulnerable to something called address resolution protocol (ARP) spoofing. Basically, hackers use a tool (freely available on the Internet) to “spoof” another user on the same network and can then steal data meant for that user.
So why aren’t hotels doing more to protect you?
I don’t mean to criticize them, but it seems they are making a tradeoff between ease of use and security. This is a tradeoff that is inherent in most security issues. Essentially, they feel it is their role to provide a very easy-to-use wifi service and leave the security responsibility to the individual users.
Minimize Your Risk
While it’s important to understand the dangers inherent to all hotel networks, it’s more important to know what you can do about them. Below are some steps you can take to minimize these risks:
- Disable or block file sharing.
- Enable a Windows Firewall or install a third-party personal firewall.
- Use file encryption.
- Use a virtual private network (VPN).
A VPN encrypts all your Internet communication from being intercepted by others, whether in wifi or Ethernet networks. Don’t rely on hotels (or any other WiFi provider) to protect you. You need to protect yourself.
By using a VPN, all of your communication is encrypted between your laptop and the VPN’s remote server.
In fact, The New York Times recently noted that our PRIVATE WiFi™ software is a “VPN for the masses,” as it easily protects you from passive sniffing and cyber attacks. If a hacker tries to listen in on your communications, whether in a hotel room or in any public wireless location, all they will see is gibberish.
The article did not mention emailing as a security risk – if it is?
I mention this because I use a VPN (SurfEasy) but I think it only protects when accessing web-sites.