Revisiting the Risks and Dangers of Using Open Hotel Wi-fi

As fate would have it, over Labor Day Weekend, I found myself staying in a hotel for a conference. For one reason or another, I’ve spent a higher number of visits in hotels than normal recently. And as a cybersecurity professional, dealing with these network connections is always a source of anxiety. Hotel Wi-Fi networks are renowned for their poor security. But seeing so many different networks in such a short period of time has inspired me to think about the different things that might make that seem less obvious, or sooth some of the concerns when you may think you’re protected.

Wi-Fi Encryption

In what would at least preliminarily be considered potentially good news, it takes very little effort for a Wi-Fi network to enable encryption, and for most modern routers, that would be either WPA2 or WPA3 encryption (WPA standing for Wireless Protected Access), which is reasonably resistant to external attacks.

The bad news is that hotel networks, as with most open networks, are designed with a focus on ease-to-connect or ease-of-use, which generally means that the network is not encrypted. It’s easy enough to check, however. If you check the properties of the network that you are connected to, it will list the wireless encryption protocol (typically WEP, WEP1, WEP2, or WEP3) in the properties list.

While where this information is stored varies from platform to platform, MacOS users can access the encryption protocols used on known networks by navigating to Wi-Fi Settings → Advanced… (bottom right button). 

If there is no encryption in place, then there’s very good reason to be concerned.  That means that anything you send or receive across the network is openly broadcast however that data is established. If it’s in cleartext, then it gets sent in cleartext. That isn’t to say that everything is automatically exposed to prying eyes. Some protocols such as https encrypt the traffic regardless of the medium they operate on. Other applications also internally encrypt their traffic themselves to varying degrees. Some are fully end-to-end-encrypted, while others will at least offer enough consideration to encrypt or otherwise obscure logon credentials in order to ensure they are never broadcast in opentext.

Logons and Credentials

This was the real inspiration for this blog entry. Every single property that I stayed in had a wildly different login experience, and some of them didn’t make it inherently obvious what level of security was involved. One location required a room number and a last name from the reservation. Another location had a standard login for the entire hotel. One of the properties had a dedicated Wi-Fi network for each particular room. Yet another leveraged a 5G hotspot for all of the wireless activity. What seems to be the most common configuration, however, is what is called a “captive portal". It leverages what is normally configured as an open network, but all network traffic is effectively blocked until a user connects to a particular landing page which will often involve paying your usage fee before it will grant access to the wider Internet.

While captive portal is a popular method for hotels to restrict Wi-Fi access, it is not a particularly effective method for securing network infrastructure. The entire intent of captive portal is to put up a paywall, or some sort of gate, to Wi-Fi access, but once an end user crosses that threshold they are likely unprotected inside of that network.

Despite requiring unique usernames and using a password requirement, none of these solutions necessarily provide dedicated resources or protection. Some of these are likely better than others, particularly the 5G hotspot and the dedicated room network, but even those can be configured in a way that is not secure. Otherwise, if you are not logging into a limited network with a Service Set Identifier (SSID) with a passcode then it’s probably not a protected network. And even if you are, it’s still a shared network that can be monitored by others, or even monitored by specialized devices such as a Pineapple or a Stingray.

What about Zero Trust and VPNs?

Zero trust is an excellent security measure for attack surface management. If you are on your work laptop and your company leverages Zero Trust methodologies, then you may be largely protected as part of the perimeter-less architecture. Otherwise, Zero Trust probably isn’t going to be much help to you. Zero Trust is designed to protect a network against potentially dangerous connections, but it doesn’t do much about the traffic itself. If you are outside the boundary, meaning that your system isn’t challenging every connection, then it’s essentially not protected at all in that context.

Furthermore, if you are connecting to any of the smart devices in the room, such as a television, or plugging your Chromecast in, or maybe a video game system, they also all have famously poor security, and are vulnerable points on the network (which you would be directly interacting with). Smart devices and other IoT endpoints are typically not designed with security in mind. If an attacker can leverage one of these devices then they have an entrypoint to monitor traffic and move laterally within the network.

Virtual Private Networks (VPNs), likewise, are not without their issues although they are one of the most helpful solutions to the problem. Traditional VPNs can secure your traffic, but they sometimes must be disabled in order to join a hotel network, primarily when dealing with a captive portal. The network won’t be able to interact with the VPN to establish communications, so it requires a user to log off the VPN in order to perform a connection handshake and then reconnect to the VPN. Unfortunately, that is the most vulnerable time during a session for encryption to be compromised, and if an attacker compromises you during the handshake then they have the ability to monitor that session to capture your VPN connection data as well. Not to mention, operating over a VPN typically slows network traffic down significantly, sometimes to the point of unusability.

So, What Should I Do?

Ultimately, the easiest thing for an end user is to consider ANY hotel or open Wi-Fi connection as hostile. There are too many vulnerabilities beyond your control to ever really justify feeling completely safe. The next most important step is to use a VPN, even though it isn’t a perfect solution. In most cases, you also must realize that it’s usually not an option for Smart and IoT devices. If you have the equipment, patience, and technical acumen, then you could set up a local network inside the hotel and VPN the entire network’s traffic to a more secure connection, but that’s not a realistic solution for the average hotel occupant. Also, whenever possible, utilize applications that encrypt all of their session data, preferably end-to-end. This is important enough of a feature that it will show up on an internet search about the app if used. 

For hotels offering public Wi-Fi as a service to their guests, they should make it a priority to encrypt all data and include secure web filtering to block access to malicious sites. 

But ultimately, simply don’t use a hotel network if you are not filtering malicious sites at the device level already, if you’re not able to verify its encryption protocol, or you feel that it may not be secure for any reason. You are likely better off using a personal HotSpot. Be aware that if you do choose to use public Wi-Fi, you cannot verify that your traffic is not monitored. Know the risks before connecting. Looking to filter malicious traffic on hotel networks? Get a free trial of DNSFilter.

‍