Hotel Insecurity

We haven’t looked at the sorry state of hotel security for a while, but we have done articles on hotel locks and hotel business center computers before. The Naked Security blog recently published a story about the Russian hacker collective known as Fancy Bear, and their involvement in the use of the leaked NSA exploit EternalBlue to launch Advanced Persistent Threat (APT) attacks against hotels. So far, this attack has been seen only in European hotels, but I am certain that we will see this spread to the United States (and the rest of the world) in due time.

This attack is usually launched with an email containing an infected Word document attachment, and is designed to stay hidden.  The probable targets are high-value guests travelling for governmental or business reasons.  Connecting to the hotel guest wireless or Ethernet connection will make you a potential victim of this exploit.

The way to stay safe is to do something that I find myself doing more frequently – BYOW or bring your own Wi-Fi.  When given the choice between an unsecured but free public Internet connection, and my metered but secure Wi-Fi from my smartphone, I go smartphone all the time.

Another good solution is to use a VPN any time you connect to any network that is not your home network or your business network.  And considering the way APTs are showing up at home and the office, maybe you should use your VPN all the time.

I might as well give another plug to Rubica, the personal cybersecurity service I wrote about on August 16th.  The VPN proxy service at the core of their offering, coupled with the machine learning and human cybersecurity operatives, will keep you out of harm’s way.

So basically, you can’t trust hotel door locks, the business center computer has more infections than the hotel whirlpool, and the guest network has probably been compromised.  Have fun on your next trip!!  And yes, I do travel for business and pleasure.  I never leave anything in the room that I can’t live without, and I do not use the provided guest Internet service any more.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
