Wi-Fi networks in hotels typically favor guest convenience over strong security practices, says the FBI.
As the coronavirus pandemic and lockdown have forced a shift to remote work, many people are working not just from home but from public locations. The pitfall here is that a public location may not have the tight security measures required to protect sensitive data and other assets. That vulnerability holds true for libraries, coffee shops, and even hotels. In a new warning about hotel Wi-Fi, the FBI provides several tips on how to protect yourself when using such a public network.
SEE: Security threats on the horizon: What IT pro's need to know (free PDF) (TechRepublic)
As the remote work trend continues, many US hotels, usually in major cities, have started offering daytime room reservations for guests who want a quiet environment in which to work. This may be a convenient option if you're unable to work from home. But the often lax security found in hotel Wi-Fi networks can expose both personal and work data to different types of security threats.
The wireless passwords maintained by many hotels aren't exactly a secret. Small hotels often display the password on a sign at their service desk. Further, such passwords are changed infrequently.
In many cases, access can be easy to obtain by using a combination of a room number and a password, for example. The guests themselves are usually unable to control, verify, or monitor network security, so they have no way of knowing what, if any, protections are in place.
Further, a hotel may have old or outdated network equipment and software with unpatched vulnerabilities that criminals can easily exploit. Even if the equipment is up to date, guests don't know if the hotel has updated the router's firmware or changed its default password.
SEE: Identity theft protection policy (TechRepublic Premium)
This type of shared and unsecure public network provides an inviting target for cybercriminals, who can monitor a victim's internet browsing activity or redirect them to phony login pages. Attackers can even deploy an "evil twin attack" in which they set up their own malicious network using a name similar to that of the hotel's network. Guests then mistakenly connect to this malicious network, which gives the criminal direct access to their devices and data.
If guests are working remotely from the hotel, attackers who compromise their devices can then sneak into the network of their employer. From there, the cybercriminal can compromise proprietary or confidential data, upload malware, and deploy ransomware. Criminals can also use sensitive information to trick other employees into transferring company funds.
To help you detect if your computer or mobile device has been compromised, the FBI lists the following warning signs:
- Mobile device slows down suddenly.
- Websites automatically redirect away from the website you are attempting to visit.
- The cursor begins to move on its own.
- A mobile device begins to launch apps on its own.
- There's an increase in pop-up advertising.
- There's a sudden increase in data usage.
- There's a faster-than-usual decrease in battery life.
- There are unexplained outgoing calls, texts, or emails.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
If you discover that your device has been compromised, the FBI suggests the following steps:
- Do not forward any suspected e-mails or files.
- Disconnect the device from all networks immediately, and turn off Wi-Fi and Bluetooth.
- Consult with your corporate IT department, ensuring they are notified of any significant changes.
- If there is no IT department, consult with qualified third-party cybersecurity experts.
- Report cyberattacks or scams to the Internet Crime Complaint Center.
Since there is no hotel industry standard for secure Wi-Fi access, guests who telework must adopt their own security measures to protect their devices, data, and business network. As such, the FBI offers several suggestions on how to defend yourself.
- If possible, use a reputable virtual private network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
- If available, use your phone's wireless hotspot instead of hotel Wi-Fi.
- Before traveling, ensure that your computer's operating system and software are up to date on all patches, that important data is backed up, and that your OS has a current, well-vetted security or antivirus application installed and running.
- Confirm with the hotel the name of its Wi-Fi network prior to connecting.
- Do not connect to networks other than the hotel's official Wi-Fi network.
- Connect using the public Wi-Fi setting and do not enable auto-reconnect while on a hotel network.
- Always confirm an HTTPS connection when browsing the internet, identified by the lock icon near the address bar.
- Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
- Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
- Follow your employer's security policies and procedures for wireless networking.
- If you must log into sensitive accounts, use multi-factor authentication.
- Enable login notifications to receive alerts on suspicious account activity.
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
- Shadow IT policy (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)