It's never a good idea to connect to the public WiFi network at a hotel (or anywhere else for that matter), but here's yet another reason why travelers should be careful -- a new report found that the WiFi router used by most hotels is vulnerable to hackers.
Typically, hotel patrons who use a public WiFi connection are at risk of getting snooped on, because criminals could set up a fake network, call it "Hotel Guest WiFi," and wait for suckers to connect. Once they do, the criminal could read everything that person does online, unless it's encrypted.
But with this new threat, guests who use the real hotel WiFi network can also fall victim to very serious attacks. These can include snooping on your online activity, stealing passwords and logins, reading emails, etc. Even worse, hackers could infect your laptop or mobile device with malware simply because it is connected to the network. And a really good hacker could go even further by using this security flaw to burrow more deeply into the hotel's business systems, potentially stealing guests' credit card information.
The problem in this case is with a specific piece of networking equipment (ANTlabs' InnGate device) that's widely used in the hotel industry to set up a guest WiFi network. In fact, it's found in 277 hotels worldwide, including many of the top 10 hotel chains. Unfortunately for travelers, it turns out this device is vulnerable to hackers. The manufacturer has since fixed the problem, but hotels will have to install the security patch or else they -- and their guests -- will remain vulnerable.
So what can you do?
First of all, it's important for travelers to stop using public WiFi altogether -- unless they are using a virtual private network (VPN) tool, like OpenDNS. A VPN encrypts your online traffic, so that even if an attacker is able to spy on you, all they'll see is a bunch of gobbledygook.
However, if you don't have a VPN, which most people don't as they're not that easy to use, then revert to a cellular signal whenever you're out of your home or office -- and tether any other devices you're trying to connect to the web to that signal. Admittedly, it's not an ideal solution and you will run up your data usage -- but this is the best way to protect your data without using a VPN.
Next, never pay at a hotel with a debit card. Use credit cards only, since they come with greater protections. Even prior to this security warning, hotels have been leaky ships when it comes to customer credit card data. According to Verizon's 2014 Data Breach Investigations Report, the accommodation industry (which includes hotels, casinos and restaurants) had the highest rate of point-of-sale breaches of any industry -- 75 percent of all its security incidents in 2013 were point-of-sale breaches. The next closest was retail at just 31 percent.
Change your online banking password. We're not sure how long this vulnerability has been around, but it's possible some cyber-criminals already knew about it. If you've traveled in the past 12 months, it's a good idea to change your banking password -- and be sure to make it 10+ characters long, using both upper and lower case letters, as well as numbers and special symbols.
However, even without this latest threat, traveling and staying in hotels does increase a person's chances of getting hacked. Here are a few more steps people should take to protect themselves:
- Don't do online banking while on the road. Any computer or tablet that's used to surf the web, check emails and especially log into public WiFi at hotels, airports and coffee shops is likely to have some type of malware on it. That means it can't be trusted to perform sensitive tasks like logging into a bank account. For travelers who must do online banking, a better option is to use a mobile banking app -- but, again, only use the cellular signal, not WiFi hotspots. Ideally, consumers should have a dedicated laptop at home that they only use to log into their bank account, and nothing else. Sounds paranoid perhaps, but in today's growing cyber-crime climate, it's essential.
- Protect your devices against theft. Every device taken on the road should have two things: a lock-out password that you're required to enter to access the device itself, and a remote wiping or disabling capability so if the device is stolen the personal data it contains won't be accessible.
- Use a password manager. Most people have 12 or more online accounts they access on a regular basis. It's essential to use strong unique passwords for every one of them, and to change those passwords regularly, and the best way to ensure this actually happens is to use a password manager tool. This provides safe online storage of all your passwords so that you don't have to remember them -- you simply log in to the password manager and it takes care of the rest.
- Set up two-factor authentication. Whenever you have the option of adding two-factor authentication (or 2FA) to an online account, do it. 2FA makes it a lot harder to hack a person's account, as the attacker will have to get both the password and the temporary code sent to that person's mobile phone. For travelers who are checking their online accounts from all types of vulnerable access points, this is one important way to raise their security level.
- Foreign travel risks. For those who travel to Asia (particularly China), as well as Eastern Europe and Russia, it's strongly advised that you bring temporary devices with you as the chances of a malware infection are greater. In spy lingo, these are known as "burner" phones, but you don't have to be carrying state secrets to want to be safe. Temporary phones, tablets or laptops are recommended so that you don't bring an infected device back into your work or home.