Staying in a hotel, whether for business or pleasure, should be a pleasant, safe experience. Hotel owners do their utmost to make you feel relaxed and taken care of, from the smart TV on the wall to the minibar to spa facilities and on site cafés. They spend so much time and effort in making their guests happy (so that hopefully, they’ll stay again and again) that they don’t always realize that another group of guests – hackers – are also in their own happy space. A survey found that the hospitality sector has the third-largest number of reported cybersecurity breaches, after the retail, and the finance and insurance industries1.
It’s easy to let your guard down in a hotel, and that is what hackers are counting on. Between potential vulnerabilities within the hotel’s management system (or third-party booking site) and lack of cybersecurity awareness on the part of the guest, opportunistic hackers can often hit the jackpot in terms of credit card details or corporate information. They can also use any vulnerabilities to install malware to track keystrokes (and steal passwords) or else to spread further into a company’s network through the employee’s unprotected device. So it’s important to be aware of the possibility of such threats even before you check-in and take steps to protect yourself – and your company.
Free Wi-Fi – or is it?
Most hotels offer a free Wi-Fi service, which is public and therefore unsecured. You cannot guarantee all the security features are activated, or that any updates against vulnerabilities in the routers have been installed. In other words, you are gambling on the cybersecurity wheel of roulette.
A common trick used is the ‘Man-in-the-Middle’ attack. Here, the hackers set up a fake Wi-Fi network that looks plausible enough to convince people that it is the hotel’s own. Then, when visitors use it to log on to the internet to access their bank, or to make a purchase, the hacker can then collect passwords and payment card details and use them either to steal money from you or else sell on the dark web.
How to Protect Yourself Against Wi-Fi Hacking in Hotels
- When booking, use a separate payment card and bank account to where your main funds are held.
- Use a VPN network – never connect to a wireless hotel network without one. A VPN will encrypt any data you send or receive, such as passwords and banking/credit card information. If you don’t have a VPN, do not visit any personally sensitive websites, make any purchases, or watch videos that might get you into trouble.
- Always check for HTTPS in the URL bar of websites you want to use. In theory, this makes your visit secure as it encrypts your data. However, some hackers have been using cheap SSL certificates to make their phishing sites look authentic.
- Make sure you get the exact name of the hotel Wi-Fi network and also ignore any suspicious emails asking you to update your login details by clicking on an enclosed link.
- Make sure automatic file-sharing is switched off – also close down your Bluetooth when you’re not using it.
- Have trusted security apps installed on your device, such as a virus checker and software that warns you when you’re about to visit an unsafe site. Make sure you keep these and all other software updated.
Watch Out for Smart Gadgets
The more upmarket the hotel, the more interconnected gadgets it is likely to have. Many hotels now have smart TVs, but some have gone a lot further down the road of the Internet of Things (IoT). For example, remote-controlled curtains, coffeemakers, thermostats, and air conditioning mean that the guest will now be able to control these devices from their smartphone. Logging in and out of the hotel can be done automatically, and even keycards can be replaced by a smartphone electronic key. All of this is great for the busy traveler; however, it is also great for hackers as IoT devices tend to have several flaws in their security.
One group of IT consultants, intent on ethically hacking a hotel to test its security, managed to get into the hotel’s property management system (PMS) through the smart TV in their room. From this, they could access many years’ worth of customer data, including payment card details2.
Wherever there is a connection to the internet in a hotel room, there is the potential for a cybersecurity breach. Recently, the robotized hotel chain Henn na Hotel (“Strange Hotel”) in Japan was warned that the bedside Tapia robots that had been placed in every room could easily be hacked to allow a third party access to the robot’s camera and microphone3. The zero-day vulnerability was first flagged up to the hotel by security researcher Lance R. Vick but to begin with, his warning was ignored. It wasn’t until October, when Vick went public with the flaw that the hotel apologized to its customers and said that they had made changes to remedy the problem.
If a hotel has significant gaps in its cybersecurity, particularly pertaining to its PMS, it is hard for any guest to make sure that their details aren’t stolen. In September 2018, the hotel group Marriot was the victim of a gigantic data breach4. It discovered that its Starwood guest reservation database had been hacked into back in 2014, where guest information, including names, addresses, phone numbers, email addresses, passport numbers, and in some cases, payment card details were stolen. Approximately 327 million visitors were affected. As soon as the breach as discovered, Marriot moved to contain it and inform those affected. With such a big name being hit, other hotels are now starting to take their cybersecurity seriously. However, it would still be prudent to enquire about their security credentials before booking a room.
According to security experts, some parts of the world represent a higher risk of security than others5. In particular, China, Russia, the Baltic States, South America, North Korea, and Iran have well developed and often state-funded hacking groups. Sometimes these groups will have inside agents working for the hotels who are able to access your room at any point and compromise any devices you leave around. Of course, not every traveler is likely to be their focus – but if you work for a company that has links with defense, technology, or biotech, for example, or you work for your country’s government, then you are likely to be in their sights. The advice given in these circumstances is to leave your devices at home. However, if you have to take them, make sure you have top-notch security and privacy apps installed, especially a good VPN. Also, make sure that you keep all of your devices with you all of the time.
With greater awareness about cybersecurity in the hotel industry since the Marriott breach, things are starting to improve. Hotel chains know that if they suffer a similar attack, then their brand will suffer, bookings will drop, and so will their bottom line. On top of that, GDPR legislation in the EU could mean lawsuits if client information is stolen. However, there is still a long way to go, and the threat landscape is changing all the time. By all means, enjoy your trip – just don’t forget to take cybersecurity precautions and be vigilant at all times.
Saya University is on a global mission to ensure every employee in the world has access to the tools that will heighten cybersecurity knowledge. When a company is serious about protecting its organization against cyber-attacks, it will invest in cybersecurity learning for all its employees. With over 7 billion people on planet earth, we have a lot of work to do. Our multi-language e-Learning platform offers the world’s most cutting edge knowledge in cybersecurity, data privacy and compliance all in one place. Curating and producing relevant content, our learning platform will begin in Los Angeles and Tokyo, expanding into Asia Pacific (APAC), Latin America (LATAM) and Africa. Join the movement. Our 3rd Cybersecurity Awareness & Diversity Summit will take place in Japan in 2020. (The Tokyo Summit)
- Warwick Ashford, ‘Retail Sector Top Cyber Attack Target,’ Computer Weekly, 04/05/2018, accessed at https://www.computerweekly.com/news/252438382/Retail-sector-top-cyber-attack-target
- Patrick Clark, ‘The Hotel Hackers Are Hiding in the Remote Control Curtains,’ Bloomberg Businessweek, 06/26/2019, accessed at https://www.bloomberg.com/news/features/2019-06-26/the-hotel-hackers-are-hiding-in-the-remote-control-curtains
- Tara Seals, ‘Bedside Hotel Robot Hacked to Stream In-Room Video,’ Threatpost, 10/23/2019, accessed at https://threatpost.com/bedside-hotel-robot-hacked-video/149491/
- Kate O’Flaherty, ‘Marriot Breach – What Happened, How Serious is it And Who is Impacted,’ Forbes, 11/30/2018, accessed at https://www.forbes.com/sites/kateoflahertyuk/2018/11/30/marriott-breach-what-happened-how-serious-is-it-and-who-is-impacted/#3c5bbc2a7d25
- Stephen Cooper, ‘Hotel Hackers – What’s The Risk, How Can You Stay Safe?’ Comparitech, 02/22/2019, accessed at https://www.comparitech.com/blog/vpn-privacy/hotel-hackers/