Hotel Insecurity

We haven’t looked at the sorry state of hotel security for a while, but we have done articles on hotel locks and hotel business center computers before. The Naked Security blog recently published a story about the Russian hacker collective known as Fancy Bear, and their involvement in the use of the leaked NSA exploit EternalBlue to launch Advanced Persistent Threat (APT) attacks against hotels. So far, this attack has been seen only in European hotels, but I am certain that we will see this spread to the United States (and the rest of the world) in due time.

This attack is usually launched with an email containing an infected Word document attachment, and is designed to stay hidden.  The probable targets are high-value guests travelling for governmental or business reasons.  Connecting to the hotel guest wireless or Ethernet connection will make you a potential victim of this exploit.

The way to stay safe is to do something that I find myself doing more frequently – BYOW, or bring your own Wi-Fi. When given the choice between an unsecured but free public Internet connection, and my metered but secure Wi-Fi from my smartphone, I go smartphone all the time.

Another good solution is to use a VPN any time you connect to any network that is not your home network or your business network.  And considering the way APTs are showing up at home and the office, maybe you should use your VPN all the time.

I might as well give another plug to Rubica, the personal cybersecurity service I wrote about on August 16th.  The VPN proxy service at the core of their offering, coupled with the machine learning and human cybersecurity operatives, will keep you out of harm’s way.

So basically, you can’t trust hotel door locks, the business center computer has more infections than the hotel whirlpool, and the guest network has probably been compromised.  Have fun on your next trip!!  And yes, I do travel for business and pleasure.  I never leave anything in the room that I can’t live without, and I do not use the provided guest Internet service any more.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
