Hackers Lurking in Hotel Networks

Wednesday, March 17, 2010

Mark Smail


Many frequent business travelers spend almost as many nights sleeping in hotels as they do in their own beds. The need to stay productive when you’re on the road means that travelers must rely on whatever means available to stay connected, even if it’s an unprotected hotel wireless network.  


It’s not uncommon for even tech-savvy road warriors who pack their own EV-DO modems to simply hop on the hotel’s network instead of using up their precious bandwidth allotment for the month. 


Unfortunately for the frequent flyers among us, recent industry research from TrustWave’s Spider Labs showed that hackers went after hotel networks more than any other destination in 2009, accounting for 38% of all known security breeches, more than the financial services industry (19%) and retail industries (14.2%) combined.

To make matters worse, the hotels didn’t discover that the breeches had even occurred for an average of 156 days, leaving plenty of time for the cyber-criminals to use stolen credit card information, or take advantage of the personal data harvested for any number of identity theft scams.


Just this week, Wyndham Hotel & Resorts, operators of hotel chains Days Inn, Ramada, Super8 and Howard Johnson, reported that their central hotel network had been compromised, with hackers stealing customer’s names, credit numbers and expiration dates.


In keeping with the national average, the hotel is just now becoming aware of this hack which took place between November 2009 and January 2010, nearly 150 days after the exploit took place.  They still aren’t sure how many customers or locations were affected, nor have they directly notified any customers that their personal information may have been compromised in the breech.

According to reports from IDG News, this is the third data breach that Wyndham has reported in the past year.  Between July and August 2008, hackers stole tens of thousands of credit card numbers after hacking into a franchisee's system and stealing the data from a central company server.


Wyndham is not alone in recent hotel hacking headlines either. The prominent Westin Bonaventure hotel reported that four of its restaurants had been compromised for an eight-month period during which its customers’ payment card information could have been stolen.


Unfortunately, it doesn’t take an expert hacker to tap into a hotel’s network. It’s often quite literally an open door due to the weak firewalls employed by the hotel and poor passwords used by the guests.


Free software is readily available for download online that enables aspiring cyber-snoops to hack wireless passwords, gain access to unsuspecting victim’s hard drives and record the specific keystrokes entered on sensitive websites such as online banking or personal social network logins.

So what can be done to keep your data safe when travelling consider the following suggestions and apply what is available to you and/or fits your budget? Supply your own wireless internet connection so that you don’t have to rely on the hotel’s open WiFi network for connectivity. This can also come in handy in airport terminals and coffee shops, two other prime hunting grounds for would-be hackers.

Investigate the security of your hotels network prior to choosing a hotel. Enquire as to whether the hotel uses Wi-Fi Protected Access (WPA) encryption, which requires a password to get on the network and encrypts all the data that is being transmitted.

If you’re doing business in your hotel room, make sure you log in through your company’s dedicated VPN and that your laptop has up to date firewalls and anti-virus software installed and running. Your company’s IT staff should be all too happy to check that for you if you’re not technically inclined. Should your company not provide a VPN service there are a few safety alternatives you could follow to protect your company and personal data. Most importantly disconnect from any network before working on any confidential work if this is an option. Use an application that will allow you to have confidential data you require in a private encrypted area on your local drive and access the files from that area only. Only send confidential material in email if the attachments are encrypted or if the email application does its own encryption, your IT department is best to answer this question for you. Finally if you are receiving any data from a vendor our external companies fully scan for any type of viruses.

You can use any number of data encryption software solutions available today that serve to lock down your confidential data, files, photos and videos on your computers. Many of the more advanced encryption solutions, such as EncryptStick, now provide the ability to store and encrypt your online passwords so that you’ll be protected when you do have to enter them using a public network.

Following your trip, one of the best ways to protect yourselves from financial and credit card related scams is to diligently check your monthly statements for any irregularities or charges that seem out of place. Many credit companies are getting better at monitoring and actively checking on transactions that don’t fit with your typical locations and purchasing patterns.

With the increasing instances of cyber-criminals targeting hotel networks, it’s crucial that we all understand the potential threats associated with data and identity theft. I know I’ll think twice the next time I get on a hotel network.


About the Author: Mark Smail is CTO of Onix International Inc., the distributors of EncryptStick (http://www.onixinternational.com). EncryptStick is the most powerful portable data encryption software solution. Mark has over 25 years of related experience in the IT field, specializing in Security, Project Management, Network Architecture, Technical Documentation, Business Acumen, Training and Finance. 

Possibly Related Articles:
General Firewalls Viruses & Malware Security Awareness
Wireless Vulnerabilities
Post Rating I Like this!
Prasanna Venkatesh CB Nice read, thanks!
Jan Popovic Thank you Mark for raising awareness of the problem of commonly weak network security in hotels.
I would like to invite all who would like to work on improving the situation into the "PCI DSS Compliance in Hospitality" group on LinkedIn - http://lnkd.in/tGAkAu

Hotels looking to fix their network vulnerability to hacker attacks may also look at http://www.myhotelit.com/security-compliance where effective hotel-specific solutions are offered.
Jan Popovic For any help with securing your hotel network, don't hesitate to review my blog related to this topic: http://wp.me/1y9kf
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.