I’m nowhere near the road warrior I used to be, but I managed to accumulate over one million miles on a single airline (thanks, Delta!), and who knows how many random miles on others, and with that comes a lot of nights spent in hotels. Hundreds, I suppose.
In all those hotel stays, I probably never gave more than a passing thought to my data security. But having grown up in a very crime-ridden city, I’ve always been hyper-aware of physical theft, and I always do the little things they tell you to help deter people from entering your room when you’re not there: put the “do not disturb” sign on the door, leave a light on, maybe turn on the TV or radio. The strategy is always the same: you can’t really stop the thief, you just want to increase the perceived risk enough that he goes to someone else’s room instead.
But data security? Not so much.
When I started my business travel, we were still using dial-up modems, which for all their faults were at least pretty secure! You had a direct line back to your corporate network, and that was that. But now it’s the wild west out there.
This fascinating and too-short article takes a look at all the opportunities for hackers at hotels, which are high on the list of hacker targets:
Hotels might be a less obvious target, but they’re hacked almost as often because of the valuable data that passes through them, like credit cards and trade secrets.
And if necessity is the mother of invention, criminality is a close second. Some of the clever things hackers have done to break into hotel systems:
- Targeting electronic door locks to enter rooms.
- Plugging a laptop into the Ethernet cable connected to the smart TV.
- Breaking into the internet-connected fish tank in a Las Vegas casino lobby! And from there finding a database of high rollers.
- Finding and plugging into the Ethernet port on the ceiling in the hotel closet.
The internet of things adds much to the problem, it seems. I wonder if anyone’s tried to hack the pressure-sensitive minibars in Las Vegas that charge you the moment you pick up an overpriced Toblerone?
Breaking into hotel systems is about more than stealing credit card numbers. There’s an interesting spy-vs-spy aspect of it as well:
“From an intelligence standpoint, there are some real advantages to understanding where high-profile people are going to be ahead of time,” says Gates Marshall, director of cyber services at CompliancePoint Inc., whose consulting clients include airports. “There’s a market for travel itineraries. It’s not a commercial market, it’s more of a geopolitical one.”
A market for travel itineraries? Never thought of that before.
But there’s not much you can do about protecting a hotel’s systems. What about your own data security?
Mark Orlando, chief technology officer for cybersecurity at Raytheon IIS, advises corporate clients to avoid using personal devices altogether while on the road. That could mean requesting a loaner laptop or buying a burner phone.
I suppose if you’re a high-profile traveler or corporate/government VIP, that makes sense. But imagine the hassle of being a frequent traveler and having to use a burner phone every time! Good advice, technically, but I can’t imagine it’s widely used except among the hyper-security conscious.
Another common hacker trick is setting up a fake wireless network in the hotel. When was the last time you asked at check-in what the name of the hotel network is? I don’t. Half the time it seems you can’t even tell easily. It’s not obviously named. Which makes it even easier for a hacker to set up a network that is obviously named. Indeed, in the linked article a team of white-hat hackers testing for security holes set up a Wi-Fi network in a hotel, named it after the hotel, and in a few minutes had six devices joined up. Sheesh.
But you can see how it happens. When traveling, you can be tired and less attentive, to say nothing of coming in after a night of dinner and drinks. Then you pop open the wireless app, see “Hotel-Name Wifi” and just click on it. Oops, you just got hacked.
It’s not a bad idea for corporations to issue mobile hotspot routers to their frequent flyers. It puts you on a private network and makes you much less susceptible to hacking. Well, at least if your password isn’t “MyJetpack” or something stupid like that.
In any event, this is all very sobering and shows yet again how careful you need to be in our interconnected age.