July 27, 2016

HOTEL SECURITY THREATS AND THE DIGITAL DANGER

In today’s world, hotels can be digitally dangerous, particularly for executive business travelers and government representatives. Digital attacks can disrupt business operations and could even prove to be precursors to more wide-ranging attacks on the general public. Modern business travelers, with their treasure troves of files and personal information, are potentially prime targets, and they are more likely to let their guard down after an exhausting journey.

HOTEL NETWORKS

Undoubtedly, the greatest potential danger at a hotel is the hotel network. Hackers have been known to infiltrate hotel networks to spy on traffic flowing through them or to plant malware on a user’s device. One advanced scheme pushed malware via a software update designed to be installed on Windows PCs.

Rogue Wi-Fi access points (APs) represent another potential risk. By mimicking the network name, or service set identifier (SSID), used by the hotel, hackers can set up fake APs and trick victims into connecting to them. Such schemes open the door to man-in-the-middle attacks: they allow attackers to snoop on unencrypted traffic and see the URLs of any SSL-protected websites people might visit.

So, what is the best method of protecting digital information? An encrypted Virtual Private Network (VPN) connection. A VPN is the only effective way to protect your data from snooping at the network level. Business travelers should make sure that their IT departments set up VPN connectivity for access to their corporate networks. The business traveler merely needs to ensure that he or she connects to the VPN, and not the hotel network, before surfing the web. It’s also good security practice to plug into a wired network port whenever possible, to reduce the risk associated with rogue wireless networks.

It may also be a good idea to hold off on software updates while traveling, because hostile networks can push through spoofed software updates. If you need to update software while on the road, do so only after connecting to a secure network via a VPN connection, and only download updates from official vendor websites.

THE HOTEL MINEFIELD

Networks aside, hotel rooms can also be a real minefield. For example, USB charging stations can be modified to inject malware payloads into the devices travelers plug into them. Radio Frequency Identification (RFID) skimmers can siphon data from digital room keys and other RFID access cards.

One way to avoid potentially modified USB charging ports is to bring your own chargers. If you do not want to lug along another adapter, you could consider laptop adapters with built-in USB charging ports.

It’s easier to defend against hidden RFID scanners due to the limited range of the readers. Do not leave potentially sensitive items in the places where they would be expected within the room (e.g., a wallet on the bed stand). When it comes to credit cards, it is good practice to keep them in anti-RFID sleeves when they’re not in use. It is also a good idea to leave any building access fobs and cards you don’t need at home when traveling.

PHYSICAL INTRUSIONS

The risk of physical intrusion at hotels is very real, and there are documented incidents of hotel doors being hacked for access. Most hotels around the world continue to use door-access cards based on magnetic stripes. However, those access cards can be easily duplicated using basic RFID scanners.

If a hotel room intrusion does occur, an obvious result would be that laptops and other electronics containing sensitive business information could easily be stolen. However, a less obvious, but nearly as easy, result would be the removal and cloning of the laptop hard drive. In many cases, this can be accomplished with off-the-shelf hardware and without leaving a trace that anything has happened. If you intend to step out of your hotel room at any time without bringing your digital devices, lock them up in a safe or protect your data with robust data encryption.

Full disk encryption is common today and is enabled by default on many newer devices. However, it is still good practice to increase your laptop security by setting a shorter sleep timeout period and making sure that the “require a password after sleep” setting is selected. This way, after each timeout period, your password will have to be entered to re-access the laptop.

Another alternative would be to refrain from bringing laptops and other devices containing sensitive data on your trip and rely on a remote desktop tool for access to desktop applications via iOS or Android devices.

In today’s digital world, it is imperative that business travelers remain constantly mindful of their security – both personal security and digital security.