An October 6 post from TechRepublic underscored what we so often preach. Using hotel wireless networks is risky. The FBI apparently agrees and has issued a warning that is entitled “A Covid-19 Driven Increase in Telework From Hotels Could Pose a Cyber Security Risk for Guests.”
The fact that some people are taking advantage of low daytime hotel rates to escape their homes and “go to work” in a hotel room obviously prompted the warning, but its message is far-reaching – and has been true for a long time. The message holds true not just for hotels, but for libraries, coffee shops, restaurants, airports and any place that has public Wi-Fi.
Some hotels display the Wi-Fi password on a sign at their check-in desk. Their passwords tend to be changed infrequently.
Access is often easy to obtain by using a combination of a room number and a password. Guests themselves are usually unable to control, verify, or monitor network security. They have no way of knowing what protections are or are not in place.
Hotels often have old or outdated network equipment and software with unpatched vulnerabilities that criminals can exploit. Even if everything is updated and patched, guests can’t know if the hotel has updated the router’s firmware or changed its default password.
Public networks are irresistible to cybercriminals: they can often deploy tools to monitor a victim’s internet browsing activity or redirect the victim to phony login pages. They can also deploy an “evil twin attack,” setting up their own malicious network with a name similar to that of the hotel’s network. Guests mistakenly connect to the malicious network, giving the criminal direct access to their devices and data.
If the guest connects to their employer’s network (often the point of renting the room), the bad guys now infiltrate the employer’s network. Now they have a field day, exfiltrating confidential data, uploading malware, and deploying ransomware.
How do you know if your computer or mobile device has been compromised? The FBI lists the following warning signs:
- Mobile device slows down suddenly.
- Websites automatically redirect away from the website you are attempting to visit.
- The cursor begins to move on its own.
- A mobile device begins to launch apps on its own.
- There’s an increase in pop-up advertising.
- There’s a sudden increase in data usage.
- There’s a faster-than-usual decrease in battery life.
- There are unexplained outgoing calls, texts, or emails.
If you discover that your device has been compromised, the FBI suggests the following steps:
- Do not forward any suspected e-mails or files.
- Disconnect the device from all networks immediately and turn off Wi-Fi and Bluetooth.
- Consult with your corporate IT department, ensuring they are notified of any significant changes.
- If there is no IT department, consult with qualified third-party cybersecurity experts.
- Report cyberattacks or scams to the Internet Crime Complaint Center.
How can you defend yourself if using public Wi-Fi in a hotel (or elsewhere)? The FBI suggests the following:
- If possible, use a reputable virtual private network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
- If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
- Before traveling, ensure that your computer’s operating system and software are up to date on all patches, that important data is backed up, and that your OS has a current, well-vetted security or antivirus application installed and running.
- Confirm with the hotel the name of its Wi-Fi network prior to connecting.
- Do not connect to networks other than the hotel’s official Wi-Fi network.
- Connect using the public Wi-Fi setting and do not enable auto-reconnect while on a hotel network.
- Always confirm an HTTPS connection when browsing the internet, identified by the lock icon near the address bar.
- Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
- Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
- Follow your employer’s security policies and procedures for wireless networking.
- If you must log into sensitive accounts, use multi-factor authentication.
- Enable login notifications to receive alerts on suspicious account activity.
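To illustrate the advice about confirming the hotel's network name against the "evil twin" tactic of using a similar name, here is a short Python check that flags visible network names that resemble, but do not exactly match, the confirmed one. It is an added example, not part of the FBI warning or the original post; the hotel name, the scan list, the character-swap table and the 0.8 similarity threshold are constructed assumptions.

```python
import difflib
import unicodedata

# Common character swaps used to make a look-alike name (assumed list, not exhaustive).
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def normalize(ssid: str) -> str:
    """Fold case, compatibility forms, look-alike characters and separators."""
    folded = unicodedata.normalize("NFKC", ssid).casefold().translate(_SWAPS)
    return "".join(ch for ch in folded if ch.isalnum())


def classify(ssid: str, official: str, threshold: float = 0.8) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for one scanned SSID."""
    if ssid == official:
        # Exact match only means the name is right; an evil twin can copy it too.
        return "official"
    a, b = normalize(ssid), normalize(official)
    if a == b or (b and b in a):
        return "lookalike"
    if difflib.SequenceMatcher(None, a, b).ratio() >= threshold:
        return "lookalike"
    return "unrelated"


def review_scan(ssids, official):
    """Map each visible SSID to its classification."""
    return {s: classify(s, official) for s in ssids}


# Constructed sample data: the name confirmed at the front desk and a scan result.
OFFICIAL = "GrandPlaza-Guest"
SCAN = ["GrandPlaza-Guest", "GrandPlaza_Guest", "Grand Plaza Guest WiFi",
        "GrandP1aza-Guest", "GrandPlaza-Gues", "CoffeeCorner", "Airport_Free"]

if __name__ == "__main__":
    for name, verdict in review_scan(SCAN, OFFICIAL).items():
        print(f"{verdict:10} {name}")
```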
I would note that VPNs are not an absolute defense (many have vulnerabilities and they must be patched when updates are issued), but better to use one than not. Also, while the FBI’s warning focuses on hotels, bear in mind that the advice applies to all public Wi-Fi.
Be careful out there . . .
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.