The Rented Walls Have Ears

Hotels and conference centers are easy pickings for hackers, so it's "guest beware"

If you’re like me, the first thing you do after dropping your bags in a new hotel room is to find the wi-fi network and connect your phone or laptop. You’re in a hotel, after all, with lots of amenities, in a safe neighborhood, with an alert staff and clean facilities.

But is that the hotel’s wi-fi you just connected to?

A recent article in BusinessWeek examines the state of hotel cybersecurity. The reporters got help detecting problems from some “white hat” hackers. The results were discouraging and intriguing at the same time.

Marriott’s loss of as many as 383 million guest records, 5 million unencrypted passport numbers, and more than 9 million encrypted payment cards is perhaps the most notorious hack in the hospitality industry. Oddly, none of the information has shown up on the Dark Web so far, leading experts to conclude that a government was behind the hack, and is possibly using the information gained for current or future leverage over politicians, intelligence assets, and business leaders. After all, if you know where Politician A stayed a few times, and that non-spouse Person B also stayed in the same hotel every time — or visited town without booking a separate room at the hotel — you might have something to talk about. You might also be able to anticipate a future itinerary to mess with them further.

But stolen records are just the tip of the iceberg. The action is more ground-level for travelers, more of a daily skirmish. The BusinessWeek article details several surprising flaws in hotel cybersecurity, including:

  • SmartTVs and smart refrigerators (the ones that tell the front desk that you’ve eaten the Toblerone) provide great access points into property management systems (PMS), allowing hackers to access names, credit card numbers, and more.
  • Abandoned Internet ports — for hard connections, outdated room features, or just maintenance — exist in a lot of hotel rooms, yet remain connected to the overall network, giving hackers easy ways in.
  • Spoofing hotel wi-fi networks is a basic hack using a smartphone or a device called a “wi-fi pineapple,” which automates the process for hackers. In the article, a “white hat” hacker created a wi-fi network using his phone, named it to match the hotel’s network, and had six connections in no time.
  • Cybersecurity for most hotels is a pastiche of corporate responsibility (for databases) and local ownership (for guests and the building). Because margins are so slim, many owners don’t spend much time or money on cybersecurity.

Because margins are tight, a lot of hotels use old Windows computers to run their software. Oracle provides a lot of hotels with PMS software called Opera. Here’s how the BusinessWeek reporters describe the installation steps for a common version of Opera for legacy Windows OS machines:

First, turn off data execution prevention, a feature that protects system memory from malicious code. Next, deactivate user account control, making it easier for hackers to gain administrator privileges. Finally, disable Windows Firewall. Now you’re ready to book reservations and take credit card payments.
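
An administrator can check a PMS workstation for exactly these three weakened settings. The PowerShell below is an added example, not code from BusinessWeek or Oracle; it assumes Windows 8 / Server 2012 or later, and the function name Get-HardeningStatus is hypothetical.

```powershell
# Added example: audit the three protections the install steps above switch off.
# Assumes Windows 8 / Server 2012 or later (Get-CimInstance, Get-NetFirewallProfile).
function Get-HardeningStatus {   # hypothetical helper name
    $findings = @()

    # 1. Data Execution Prevention, read from Win32_OperatingSystem.
    #    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
    $depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy
    $findings += [pscustomobject]@{
        Control = 'Data Execution Prevention'
        State   = $depNames[$dep]
        Pass    = ($dep -ne 0)          # only AlwaysOff counts as "turned off"
    }

    # 2. User Account Control: EnableLUA = 1 means UAC is on.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA `
                -ErrorAction SilentlyContinue).EnableLUA
    $uacState = if ($lua -eq 1) { 'Enabled' } else { 'Disabled or not set' }
    $findings += [pscustomobject]@{
        Control = 'User Account Control'
        State   = $uacState
        Pass    = ($lua -eq 1)
    }

    # 3. Windows Firewall: every profile (Domain, Private, Public) should be on.
    #    ActiveStore reports the effective setting, including Group Policy.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $on = ($p.Enabled.ToString() -eq 'True')
        $fwState = if ($on) { 'Enabled' } else { 'Disabled' }
        $findings += [pscustomobject]@{
            Control = "Windows Firewall ($($p.Name) profile)"
            State   = $fwState
            Pass    = $on
        }
    }
    return $findings
}

$report = Get-HardeningStatus
$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or monitoring agent flag the host.
if ($report.Pass -contains $false) { exit 1 }
```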

Many of these same hotels put their PMS online, so customers can book their rooms via the web. This makes hacking easy from anywhere. In a quick search for such systems, the reporting team found more than 1,300 such hotels.

Guests don’t help out much, often visiting dodgy sites while they’re away from home. Guests also fall for simple scams like connecting to the wrong wi-fi network, and do things that experts don’t advise, like leaving their machines open on a desk for hours without password protection.

Staff can also make it easy for hackers by leaving a USB port open on a computer and not realizing a dongle has been attached, or by allowing a guest to “charge their phone” by plugging the guest’s cable into a staff computer’s USB slot. In both instances, code can be installed or administrative access information taken, depending on what is plugged in.

Phones as keys, more voice-activated devices in rooms, and more smart appliances for guests are adding to the security challenges at hotels.

Experts recommend using a VPN whenever you’re traveling. One expert even recommends using a borrowed laptop and a burner phone when you’re away from the office or home.

That last one seems a little extreme. But as we head off for summer travels, it’s worth remembering that in some cases — perhaps more than we know — even the rented walls have ears.
