In this article we're going to look at five different risks that you face when using a hotel's WiFi system that could result in you losing money, data, privacy, and even your identity.
Marriott Data Breach - Just the Tip of The Iceberg
In July of 2019, Marriott incurred a fine of over USD$120 million from the UK Information Commissioner's Office (ICO) for violating British citizens' privacy as a result of one of the largest data breaches in recent history - it is estimated that over half a billion guest records were part of the breach that spanned an estimated four years before detection in 2018. Data that were leaked included guest records that contained personal data including names, passport numbers, and credit card details. The upside of this attack (if there can be one) is that the data that were obtained were not released into the wild on the dark web as far as most security specialists know, which means that the dissemination of the data has been selective. This is opposed to data from breaches like the breached airline passenger data from the Indonesian carrier Malindo, and Thai Lion Air in September of 2019, where a total of 28,776,483 passenger records were released publicly for anyone who cared to download them. The fields available from this particular breach included PassengerDetailsID, PassengerID, ReservationID, Address1, Address2, City, County, Postcode, CountryName, Fax, Telephone, Email, EmergContact_Title, EmergContact_FirstName, EmergContact_SurName, EmergContact_Relationship, EmergContact_AreaCode, EmergContact_Telephone, IsSendSMS, BusinessContactNo.
Another popular Breach Compilation that is readily available to the public makes available around 4 billion email and decrypted password pairs that are a compilation of the product of hacks dating back over a number of years. Imagine what could be done when the different data from different fields are all linked together? Emails, passwords, emergency contacts, addresses, phone numbers … now it's starting to get disturbing.
This kind of data breach, considered catastrophic for Marriott (and the people whose data were leaked), is on the rise. In 2019, over 3 billion records were leaked in data breaches spanning companies like Facebook Adobe, Amazon, Australian National University, Westpac Bank, Capital One, and Canva.
What Do Data Breaches Have to Do With Hotel WiFi?
But wait a minute … This article is about why using hotel WiFi is a bad idea - what do these data breaches have to do with hotel WiFi?
Because of these huge breaches over recent years, chances are that you have personal data leaked out there that's available to anyone who would care to look for it, and it is that very data that is making it much easier for hackers to attack you over WiFi networks - especially in Hotels. Every piece of data that is made available out there can compromise you even further, potentially gaining access to any personal data, images, files, banking details and any other information that can be collected by compromising your devices and analysing your online activity. Hotel Wifi systems can make you an easy target.
Have You Already Been Compromised (Pwned)?
Before going any further, type any email addresses that you use or have used over the past several years into the site 'Have I Been Pwned'.
This site tries to stay up to date with the data made available from as many breaches as they can get their hands on, to help alert you as to what accounts have been breached and on what platforms. Note that this site wouldn't include some of the mega-breaches such as the Marriott breach where data haven’t been made available publicly. If you found one or more of your email accounts having been breached or 'PWNED' (digital security jargon for being 'OWNED'- the 'O' is next to 'P' on the keyboard, giving birth to this term), you really need to read the rest of this article to show you how to mitigate the damage as a result of these breaches.
Why Hotel WiFi Should Be Avoided
Here are 5 reasons why you should try to avoid using a hotel's WiFi system. In fact - not just hotel WiFi … any public WiFi system, although hotels have some inherent features that make them particularly dubious.
1. Strangers Charging to Your Room Tab
Have you ever logged into a hotel's WiFi system that requires your Surname and Room Number as credentials to be able to get online? Depending on what system the hotel is using and how they have set up their security, the internal 'closed portal' that is used for guests’ login may well be sending communications internally unencrypted. That means that anyone with a WiFi card that supports 'monitor mode' and has a copy of freely available software like 'Wireshark' installed on their computer can take a snapshot of all WiFi traffic flying through the air and then filter it down to only the 'GET' requests which will show only the data being sent each time a person communicates with the hotel's portal. Common data that might then be available to anybody who would care to read these requests include Guest Room Number, Guest Name, Check-in, Check-out, and other data that could allow some people to get up to all kinds of mischief - the least of which might be charging something to your room, as they now know your Surname and Room Number.
2. Malicious Online Activity Done in Your Name
Having someone charge things to your room account in your name might be the least of your problems. Now that a bad actor knows your last name and room number, they can easily just login to the hotel's WiFi in your name and from there on in, anything that is done online will be tracked back to you. Should any cyber crimes be committed while they are logged in as you, you could be left holding the bag and have a lot of explaining to do. In some countries like Thailand and China, cyber crime law is very strict and seemingly innocent posts could lead to lengthy prison sentences, especially if you ruffle the wrong person’s feathers.
What happens if the data are encrypted and they can't see your Room Number and Last Name?
That's actually just a minor hurdle. Using any of an array of free tools like Aircrack-ng or Kismet, along with a WiFi card that can be switched to monitor mode, someone sitting in or nearby the hotel can view in real time every single user connected to any WiFi access point. Even if the data are encrypted, they can still see what computer is attached to what access point and how much data are going through the air between that connection.
Every computer is identifiable with its own unique 'MAC' or 'Media Access Control' address. Just by looking at the MAC address, you can even tell the make of device that owns the address. Most hotel WiFi systems log guests' MAC addresses once logged in, on a 'White List' that means that if that device logs on again in the next 'x' days, it will be allowed to get access to the internet - logged in as the guest without the guest needing to re-login. Convenient for the guest, convenient for the hacker.
All that an ill-intentioned person in or around the hotel would have to do is change their MAC address on their device to your MAC address using a free program like 'macchanger' (called MAC spoofing), then send a flood of automated messages to the access point that will get you kicked off the WiFi router momentarily, and suddenly the router thinks that that person's device is your computer and they will be surfing the net as YOU.
3. You Could Lose Your Identity and All that Goes With it
Next time you login to a hotel's WiFi (if you are brave enough to do so after reading this), have a look at the 'Network Devices' tab on your computer. Chances are, depending on what kind of system that the hotel is using, that you will be able to see the names of all the different computers in the hotel that are logged into the same access point, or that are sharing the same LAN. If you have a person's password, you can potentially login to any of those devices.
How on earth would someone get your password though? ... See hack No. 1.
As long as someone can get your name, they can start to search for email addresses and passwords that you might have via any number of breached data collections that are available to the public. It's only a matter of time that you find someone who is lazy when it comes to changing their passwords or setting secure passwords for themselves, and many people use the same password to login to their laptop that they might use for their email and other online service accounts and social media accounts.
Note that even if you're using the LAN cable that's provided in the hotel room, if that LAN is running on the same LAN as computers logged into the WiFi, anyone who is also hooked into the router - even if they're not authenticated to access the internet, could potentially perform an 'Arp Spoof' or 'Man in the Middle’ (MITM) attack, where they tell the router that their computer is yours, and then tell your computer that their computer is the router, effectively ensuring that all data flowing in and out of your computer will pass through their computer - and you'd never know it. They can save this and go back home and analyze it all at a later date. It gets even worse if they can actually get access into your computer (through a breached / cracked password), as not only could they steal any information that your computer has on it, but also set a key-logger to send every single keystroke you make to a server somewhere in the world where they can have it sent to them and use it to access your life. This would not be an optimal situation.
4. Corporate Data / Secrets Exposed
What kind of damage could be done if the secrets on your devices were to leak into the wrong hands?
In many cases, you will have sensitive corporate information on your machine that has been entrusted to you, and in many cases, you may have signed an NDA ensuring that you will not divulge any of that information to anyone. Where do you stand legally if that information is leaked due to the fact that you used weak passwords, failed to change passwords, used the same passwords for multiple accounts and devices, or exposed other information that was subsequently breached that allowed the sensitive information that you are holding to be exposed to outside parties?
The legal repercussions of this could come back on you with a serious bite resulting in fines and even prison time. At the very least, your competitors could get your corporate secrets and cause you to lose that next contract that you're bidding for. If sensitive information is found as a result of a breach into your computer or online accounts, finding a buyer for that information isn't usually a problem.
5. You Can Become the Next RAT
In cybersecurity terms, a RAT is a 'Remote Access Trojan', and it was a RAT that was the reason for the Marriott data breach along with many other mega (and not so mega) breaches out there. RATs can be installed on your computer as the result of clicking on a link that's sent to you via email - or even on a link from a spoofed login page from say - a hotel WiFi login page.
There are even very inexpensive devices called 'Rubber Duckies' that look like innocent USB sticks that when inserted into your computer's USB port will inject a 'payload' that can take control of your computer and load anything on to it, all without you realizing that it had been done. All someone needs to do with a Rubber Ducky is have the device sit in the USB port for only a few seconds and then remove it - by which time it will have done its job and your computer will now have been compromised.
RATs installed through nefarious links or Rubber Ducky-like devices can be used to install keyloggers, search for passwords and send them to an external server for later use, infect other computers within a LAN environment once that computer logs in to the office computer network, and pretty much get free reign over your computer to do what the attacker wants. Your computer's processor might even be used as one in a pool of compromised processors to help attackers make real money by mining crypto-currencies like Bitcoin.
Again, if you're not vigilant, should any crime be committed as a result of such a compromise, the buck might well legally stop at you.
How Safe Are Mobile Hotspots?
You might be thinking that the only safe alternative is to use a mobile hotspot using your own mobile data. While possibly a better option, mobile hotspots aren't without risk. Amongst other things, your device may be monitored and tracked using some common software, mapping your mobile device's hotspot movement each time it sends out a signal wherever you are. If the password had been exposed to anyone who had been compromised, your password could potentially also be out there in a publicly available database tied to your hotspot and MAC address.
Another risk is if someone has set up an IMSI catcher which can be purchased online for less than USD$1,000 and can be used to fool your phone that it is a cell tower for your telephone. Just like the Man in the Middle attack on WiFi earlier, the owner of the IMSI catcher could then intercept all traffic in and out of your phone - and being a faux cell tower, they can even instruct your phone to not encrypt any of the data flowing in and out of your device. That's not good.
Is There Any Happy Ending?
As attacks and data breaches become more and more common and people realise that the data that have been leaking out there can wreak havoc both professionally and personally, it is hoped that everyday users of the internet will start to become more security conscious and start practicing 'safe cybering' - always using strong passwords, encrypting data, using Password Managers, being very selective and vigilant as to what networks they log into, and most importantly - thinking twice before connecting to hotel and other public WiFi spots.