Beware of Hotel Internet Connections
- By Joab Jackson
- October 03, 2008
Jet-setters should be careful about how they use the Internet
connections supplied by hotels, as most are not secured properly, according
to a new study from the Cornell University School of Hotel Administration.
"[H]otels in the U.S. are generally ill-prepared to protect their guests
from network security issues," concluded the study,
titled "Hotel Network Security: A Study of Computer Networks in U.S. Hotels."
One hundred forty-seven hotels responded to a written survey sent out by the
researchers, asking about each hotel's network infrastructure. In addition,
the researchers paid a visit to 46 hotels in person in order to surreptitiously
scan their networks. The hotels surveyed ranged from family-oriented hotels
to those serving more of a business clientele.
They found that 20 percent of hotel networks use simple hub topologies,
in which every packet from every user gets broadcast to every other user. This
is an unsecured network, the researchers warned.
"The key problem with a hub is that it simply repeats any information
that is sent to it...In an ideal situation, only the transmissions that are
associated with your computer would come back to you," the report states.
An interloper could simply set his network card to save all the packets it is
sent, not merely those designated to go to that computer's address.
In addition to the wired networks, about 90 percent of hotels offered wireless
access, which operates in a hub-like setup.
The majority of other hotels managed patron traffic through switches or routers,
which are slightly more secure than hubs, but they still have shortcomings. Switches
and routers direct Internet packets only to the appropriate recipients, rather
than to all parties on the network.
Users on such networks could still be vulnerable to man-in-the-middle attacks,
though. In these scenarios, an attacker's computer broadcasts itself as the
Internet gateway for the hotel and intercepts all traffic going to and from
the Internet. In wireless environments, attackers could set up rogue hot spots
that perform a similar spoof.
In the site visits, researcher Josh Ogle deployed a laptop that ran BackTrack,
a modified version of Linux for network-penetration testing, as well as the
Ethereal packet-capturing program. For wireless access, he used an SMC Networks
SMC2532-B EliteConnect wireless card. Only six of the 39 hotels offering wireless
that researchers visited used encryption.
The researchers recommend that for maximum security hotels should set up Virtual
Local Area Networks (VLANs). "If one were to set up VLANs on all ports
in the hotel -- that is, to make every single room its own VLAN -- the
chances for Address Resolution Protocol spoofing and other hacks are minimized,"
the report concluded.
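On a guest's own machine, the gateway impersonation described above tends to show up in the Address Resolution Protocol (ARP) neighbor table: the gateway's hardware address changes mid-session, or one address answers for both the gateway and another host. The following is an added example, not code from the study or this article; it assumes Linux `ip neigh show` output, and the function names and sample snapshots are constructed for illustration.

```python
import re
# Matches Linux `ip neigh show` lines that carry a resolved link-layer address.
NEIGH_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE)

def parse_neigh(text):
    """Return {ip: mac} for every IPv4 neighbor entry with a resolved MAC."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def gateway_findings(snapshots, gateway_ip):
    """Compare successive neighbor-table snapshots for signs of gateway spoofing."""
    findings, baseline = [], None
    for n, text in enumerate(snapshots):
        table = parse_neigh(text)
        gw_mac = table.get(gateway_ip)
        if gw_mac is None:
            continue  # gateway not resolved in this snapshot
        if baseline is None:
            baseline = gw_mac  # assumption: the first sighting is the reference
        elif gw_mac != baseline:
            findings.append(f"snapshot {n}: gateway MAC changed {baseline} -> {gw_mac}")
        # The same MAC answering for the gateway and for another host.
        shared = sorted(ip for ip, mac in table.items()
                        if mac == gw_mac and ip != gateway_ip)
        if shared:
            findings.append(f"snapshot {n}: gateway MAC {gw_mac} also claims {', '.join(shared)}")
    return findings

# Constructed sample snapshots (documentation address ranges, not captured data).
BEFORE = """\
192.0.2.1 dev wlan0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.23 dev wlan0 lladdr 00:00:5e:00:53:17 STALE
192.0.2.40 dev wlan0  FAILED
"""
AFTER = """\
192.0.2.1 dev wlan0 lladdr 00:00:5e:00:53:17 REACHABLE
192.0.2.23 dev wlan0 lladdr 00:00:5e:00:53:17 STALE
"""

if __name__ == "__main__":
    for finding in gateway_findings([BEFORE, AFTER], "192.0.2.1"):
        print(finding)
```

A shared hardware address can be legitimate, for example a router that holds several IP addresses, so a finding is a reason to move sensitive work onto a VPN rather than proof of interception.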
For those using hotel networks, the researchers recommended ensuring that your
computer has an updated firewall, and that any sensitive transaction you undertake
uses the secure socket layer (SSL) protocol, as evidenced by the "https"
prefix of the Web address. Use a virtual private network (VPN) or SSL-based
e-mail when possible.
In the survey, 20.6 percent of the hotels reported that malicious activity
had taken place on their networks.
Joab Jackson is the chief technology editor of Government Computing News (GCN.com).