Hotel Wi-Fi is unsafe for your work, according to FBI

[steven36]

• The Federal Bureau of Investigation issued a Public Service Announcement concerning the risks of using hotel Wi-Fi networks while teleworking.
• Most users don't seem to realize the severity of the risks they're subjecting themselves to while using hotel Wi-Fi networks.
• Visit our Security Section for the latest developments regarding cyber-security.
• You can also check out our VPN Hub to learn more about the benefits of using a VPN.

 

 

 

The FBI recently issued a PSA to inform teleworkers of the risks of using hotel Wi-Fi networks.

 

Reportedly, the Federal Bureau of Investigation noticed an increasing number of hotel remote workers.

 

 

While remote working from hotel rooms isn’t inherently bad, connecting to a hotel Wi-Fi network might subject you to certain security risks.

 

Some of the most serious ones include personal data thefts, or compromising work resources.

 

Hotel room teleworking is trending

 

Apparently, more and more US hotels started advertising room reservations during the daytime for those who seek a distraction-free environment.

 

This comes as a blessing for teleworkers who can’t seem to focus on their work environment while at home. On the other hand, the risks may outweigh the benefits in this situation, especially in lieu of appropriate security measures.

 

Unfortunately, when it comes to Wi-Fi networks, hotel management staff caters to the convenience of their customers, at the expense of their security.

 

As a result, not only is the Wi-Fi password available for everyone to see in the hotel lobby, but it also gets replaced quite rarely.

 

The risks of using hotel Wi-Fi networks

 

There are a few quite serious risks you may expose yourself to while using Wi-Fi networks in hotels:

• Traffic monitoring  – Your network activity could be exposed to a malicious third-party
• Evil Twin attacks – Cloning the hotel network, misleading clients to connect to the fake one instead
• Man-In-The-Middle attacks – Intercepting and stealing sensitive information from one’s device
• Compromising work  – Facilitating cybercriminals to steal work credentials or other similar resources
• Digital identity theft
• Ransomware

 

How do I reduce the risks of using hotel Wi-Fi?

 

1. Use a trustworthy VPN

You can purchase a premium VPN subscription plan  to encrypt network traffic.

 

A VPN can easily protect your privacy by encrypting traffic between your device and the VPN gateway.

 

This renders network monitoring tools and Man-In-The-Middle attacks useless.

 

However, you should still keep an eye out for Evil Twin attacks. More often than not, an Evil Twin network won’t be password-protected and will have a weaker signal.

 

2. Don’t use the hotel’s Wi-Fi

 

If you have a hefty data plan on your mobile device, just use that instead of the hotel’s Wi-Fi.

 

You can either create a hotspot on your phone/tablet or use USB to tether it and share your Internet connection.

 

Also, you may want to avoid using the auto-connect feature on your PC, to avoid it automatically connecting to the hotel’s Wi-Fi network or an unprotected Evil Twin one.

 

3. Keep it simple

 

If you’re there for work, make sure you stay focused and avoid logging in on too many websites.

 

That goes double for any website where you may input sensitive data, such as your SSN, credit card details, as well as other credentials.

 

Last, but not least, always check the security certificates of the websites you’re visiting. If you don’t see HTTPS, then it’s a no-go.

 

If you follow these steps, you shouldn’t have to worry about the dangers of working using a hotel’s Wi-Fi.

 

Source

 

[mp68terr]

Does it mean that an httpS connection, even through an (hotel's) insecure wifi, is not secure?

The hotel people in charge of the wifi can intercept the main domain name to what the guest is connecting to, but neither more than that nor the content of the connection. Or am I missing something?

[halvgris]

3 hours ago, mp68terr said:

Does it mean that an httpS connection, even through an (hotel's) insecure wifi, is not secure?

The hotel people in charge of the wifi can intercept the main domain name to what the guest is connecting to, but neither more than that nor the content of the connection. Or am I missing something?

depending on the admin of current hotel network they can get a raw copy.

 

i know a school admin that installed scripts that saved email communication in a textfile. this was a teenage school mind you alot of se_ was offered between ex's and others.

[mp68terr]

2 hours ago, halvgris said:

depending on the admin of current hotel network they can get a raw copy.

Yes, but, isn't the raw copy encrypted?

[AZwaffelForAWaff]

19 hours ago, mp68terr said:

Does it mean that an httpS connection, even through an (hotel's) insecure wifi, is not secure?

The hotel people in charge of the wifi can intercept the main domain name to what the guest is connecting to, but neither more than that nor the content of the connection. Or am I missing something?

 

You are missing a lot. Interaction with local network over public WiFi alone reveals too much information about you. HTTP and HTTPS protocols aren't the only ones that exist. Multicast (mDNS, Chromecast, Bonjour, etc.), ARM, IGMP, and other discovery protocols can compromise your devices. Using a VPN is far from the only security feature you should use. Many phones disregard VPN connections when logging into Captive Portals or using when using carrier WiFi calling that is done over poorly encrypted IPSec tunnel. Carrier WiFi calling domain name alone gives away your cellular carrier information, MNC, MCC, and digging into actual packets can reveal your IMSI. Most people don't even know that carrier prefer to use WiFi calling instead of cellular tower and WiFi calling is easier to compromise than cellular calling. IMSI catchers are more expensive than hardware needed to intercept WiFi calling.

 

You need to examine how your devices work on your own secure WiFi network to get the idea of what the same devices will do on a different public WiFi network. For example, some of my phones ignore VPN connections when verifying existence of a stable connection by connecting to connectivitycheck.gstatic.com domain. I would advice to use a portable router with a firewall or AdGuard Home when connecting to any public WiFi network.  You can use a Raspberry Pi for that or purchase a travel router from - https://www.gl-inet.com/ . Protect and defend yourself because nobody else will. It is governments' job to conduct surveillance and monitor, but it is up to companies to protect company networks and up to specific individuals to protect their private networks.

[mp68terr]

Thanks for the extra info @AZwaffelForAWaff. For sure have to keep this in mind.

But regarding the scope of the article: the risks of using hotel Wi-Fi networks while teleworking:  workers connecting to their office through the hotel's wifi. Isn't the https connection secure enough? Are the others protocols involved?

[AZwaffelForAWaff]

It heavily depends on the network and how (or whether) it isolates clients from each other. The most common protocols that are used on local networks are:

https://en.wikipedia.org/wiki/Address_Resolution_Protocol

https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

https://en.wikipedia.org/wiki/Domain_Name_System

https://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol

https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol

https://en.wikipedia.org/wiki/Multicast_DNS

https://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol

 

I have never worked for a company that would allow remote work over the internet without a VPN access provided by the company for purposes of security and employee monitoring, as well as, other data defense measures. If a company simply allows employees (with non-administrative and user-only privileges on their PC/laptop) to login to workplace networks remotely without any security measures other than TLS, then it is just a matter of time before someone abuses that very lack of security.