
Insecure hotel wifi networks

An article in this week's Travel News warns against using insecure (not password-protected) hotel wifi connections, unless one utilizes a VPN.

https://www.theguardian.com/technology/commentisfree/2019/jul/07/free-hotel-wifi-is-hacker-dream

However, the article also mentions the vulnerability of the hotel's own system, used to take reservations and credit card payments, citing data breaches into Marriott and other systems. I don't see any way a VPN can guard against that possibility, so why do they even mention it?

Posted by
5687 posts

This poorly written article with a misleading headline says pretty much nothing about why "insecure hotel WiFi networks" might be dangerous. The only danger mentioned was that a hacker wired (without using WiFi!!) into the hotel's network and then hacked into the hotel's corporate system from one of the rooms (and then was able to access credit card info from the hotel's system). What does that have to do with the WiFi used by guests?? This would have happened even if the hotel didn't offer WiFi at all.

These scary, substance-free articles do nothing but continue to spread fear and misinformation about highly exaggerated dangers of using public WiFi.

As I have said repeatedly on threads on this topic, most websites today use SSL (https) encryption for all web transactions - even the Rick Steves forum does. That means, even over an insecure WiFi network, all traffic between you and another website is encrypted. Someone snooping on your web traffic over one of these public WiFi networks will see nothing but gibberish. This wasn't true 15 years ago; if you were using WiFi on an open network with your laptop, a hacker could have snooped easily to view most of what you are viewing (except passwords and credit card numbers). Not anymore.

The one thing an open WiFi network might expose would be the websites you actually visit. If you visit your bank's website, someone snooping might tell that you VISITED it - but not know your name or any identifying information. A VPN would mask that kind of information at least - from someone on the hotel's network or a local hacker. It wouldn't stop someone who has hacked into the VPN provider's network from snooping on you, though.

But, people caution: how do you know someone can't hack into the encrypted SSL connections? Sure, that's possible - but so is hacking into your VPN. ANYTHING is "hackable" nowadays, no matter how secure you think you are, even at home. Google for "zero day exploit" if you want to learn about how/why everything is hackable.

There are much bigger dangers to worry about online these days than open WiFi networks. Malware, phishing schemes, ransomware are all much bigger risks.

Posted by
740 posts

Americans like to be scared, and this article plays right into it.

Posted by
6289 posts

Thanks, Andrew. I wondered about this when several of the hotels at which we stayed in France last month did not have passwords to get on their wifi.

Posted by
16221 posts

Thanks, Andrew. I too thought it was poorly written and conflated two separate issues.

Posted by
5256 posts

I read a link to the article on another forum and posted my view on there as well. Andrew has already explained it quite well, and I find it concerning that such articles are written by people who are completely inexperienced to be trusted with writing such articles. This is a real example of 'Fake News'.

Pretty much everything sent from your computer these days is encrypted. The levels of encryption vary, but data such as banking login details etc. are very, very secure. I've investigated cases that involved trying to unencrypt files, and some of the crimes were serious enough to warrant such files being sent to MI5 technicians to break, and even they were unsuccessful, so the idea of some amateur hacker 'listening in' to a hotel's wi-fi in the hope of extracting guests' banking security details is nonsensical. Even the FBI couldn't break Apple's iPhone security, so why are we still reading news articles about such 'threats'? It's the same with the contactless card skimming threat, of which there is no reported evidence of anyone being subjected to such a crime.

And finally, the fact that the author recommends the use of a VPN to protect against such threats demonstrates just how ignorant they are of the subject matter; perhaps it was written by the kid on work experience.

Posted by
5326 posts

The writer is apparently a professor at the Open University.

Posted by
2208 posts

As I have said repeatedly on threads on this topic, most websites
today use SSL (https) encryption for all web transactions - even the
Rick Steves forum does. That means, even over an insecure WiFi
network, all traffic between you and another website is encrypted.

I'd like to add a few things, because it is not so easy today.

Before what is written above can be valid, it is important to connect to the real, official wifi of the venue (hotel, restaurant, etc.). Today anyone with a mobile phone can fake a wifi network and let other people use it, sending an ID which looks like the free wifi of the hotel. In this case even SSL has no chance, because it is easy to fake a double-sided SSL connection with a Janus-like solution - meaning the logged-in user is never really directly connected to the Internet, and the "man" in the middle providing the fake wifi can read everything for later use.

Also, getting control of hotels' wifi networks is possible by hacking their routers remotely, but that is a different kind of attack - a little bit like the one described in the article.

It is also very important that a user does not make a mistake when typing a URL. Some sites whose URLs sound / look very close to the original ones are waiting for victims of typos, showing exactly the same website and also an SSL connection, but based on a wrong URL. So, always take care to have the right URL and website.

Just to give an impression of how many attacks are permanently running globally: Deutsche Telekom has established a network of faked honeypots (PCs, smartphones, etc.) which are attacked round the clock from around the world. They track these attacks and show them live on a cyber security meter (Sicherheitstacho.eu).
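The lookalike-URL problem described in the post above, as an added example that is not part of the original post: a defender-side check that flags hostnames that are near-misses of sites a user trusts. The allow-list, the confusable-character table, the distance threshold and the result labels are all assumptions made for illustration, and the hostnames are constructed on the reserved `.example` TLD.

```python
from urllib.parse import urlsplit

# Constructed allow-list on the reserved .example TLD; replace with your own sites.
TRUSTED = ("mybank.example", "travelforum.example")
# A few visually confusable sequences, folded before comparison (not exhaustive).
CONFUSABLE = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def fold(host):
    for fake, real in CONFUSABLE:
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours, e.g. "na" for "an"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(url, max_distance=2):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in TRUSTED:
        # Right name, but only https gives the certificate check behind the padlock.
        return "trusted" if parts.scheme == "https" else "trusted-host-no-tls"
    for good in TRUSTED:
        if edit_distance(fold(host), fold(good)) <= max_distance:
            return "lookalike-of:" + good
    return "unknown"

if __name__ == "__main__":
    for url in ("https://www.mybank.example/login", "https://mybnak.example/login",
                "https://travelforurn.example/", "https://theguardian.com/technology"):
        print(f"{classify(url):34} {url}")
```

A valid certificate on a lookalike host only proves control of that lookalike name, which is why the check compares the hostname itself rather than relying on the padlock.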

Posted by
5687 posts

In this case even SSL has no chance, because it is easy to fake a double-sided SSL connection with a Janus-like solution - meaning the logged-in user is never really directly connected to the Internet, and the "man" in the middle providing the fake wifi can read everything for later use.

Yes, easy to fake an SSL connection, but difficult to create a fake certificate that is "trusted" by your browser. You should get scary error messages in your browser that make it obvious that something is wrong. I get them occasionally when accessing a real website where the certificate has expired. It's difficult to ignore the warnings.

Posted by
3517 posts

Actually, SSL is no more. It is replaced with TLS. They both do basically the same thing, just at different points in the connection. SSL 3.0 was cracked a few years ago but TLS 1.2 remains secure.

Nothing for anyone to worry about unless they are still using an older version of Windows (7 or earlier) or an outdated browser. Everything newer has been patched to use only TLS and ignore SSL.

And while anything is hackable, is it really worth it for someone to hack into a small B&B or other tiny hotel WiFi to try to capture the information of the dozen or fewer people who may stay there and use the internet? All these "man in the middle" attacks and so on are very difficult, take a lot of hardware, and need to provide a return on investments for the crook. As long as I get a good and secure connection to the web site I am visiting (the padlock symbol is present on HTTPS pages) I am not going to worry.

Posted by
5687 posts

Yes, this is technically true, in the same way that no one really uses a "modem" anymore for their home internet. But we still call them "modems" because that's a term people are familiar with for that functionality. People in the industry still use the term "SSL" even though technically SSL itself has been deprecated.

Posted by
5256 posts

The writer is apparently a professor at the Open University.

Having previously worked as an IT Technician at a university I can assure you that this holds no weight!