Hotels are digitally dangerous places these days. And that's not idle speculation. Security researchers have been sounding the alarm on sophisticated attacks directed at hotel users for years.
Most of the earliest reports pointed to surgical strikes on high-profile executives or representatives of government agencies, but they could prove to be precursors for more wide-ranging attacks on the general public. Modern business travelers, with their treasure troves of files and personal information, will be prime targets, and they're also more likely to let their guard down after an exhausting journey.
Here's a look at some of the most likely avenues of attack on hotel goers, along with some suggestions that can mitigate, if not altogether block, such attempts.
Beware the hotel network
Without question, the greatest potential danger resides in the hotel network. Hackers have been known to infiltrate hotel networks to spy on traffic flowing through them or to plant malware at the captive portals users are automatically redirected to for authentication. One advanced scheme pushed malware via a software update that was designed to install on Windows PCs.
Rogue Wi-Fi access points (APs) represent another potential risk. By mirroring the network name, or service set identifier (SSID), used by the hotel, hackers can set up fake APs and trick victims into connecting to them. Such schemes open the door to man-in-the-middle attacks, and they let attackers snoop on unencrypted traffic and see the URLs of any SSL-protected websites people might visit. The threat of rogue APs certainly isn't limited to hotels, but business travelers are often high-value targets, and they are easier to identify at a hotel than by staking out victims at crowded cafés.
An encrypted VPN connection is the only effective way to protect your data from snooping at the network level. Business travelers should make sure their IT departments set up VPN connectivity for access to their corporate networks, though they will still need to remember to connect to the VPN before surfing the web.
Cloud-based VPN services such as VyprVPN provide encrypted connections in addition to technologies that can be used to circumvent internet censorship in global regions. VyprVPN also offers clients for popular computing platforms such as Windows, OS X, Android and iOS, and it eliminates much of the configuration work that is required to get corporate VPNs up and running.
It's also good security practice to plug into a wired network port whenever possible, to reduce the risk associated with rogue wireless networks.
If you have more than one Wi-Fi device, a travel wireless router such as the D-Link AC750 portable router can connect to a wired network via its built-in LAN port and provide 802.11ac wireless connectivity. However, you should make sure to encrypt that network and secure it with a strong password. The D-Link portable router can be used to connect directly to another Wi-Fi network, as well, though using it in such a way will not offer protection against rogue APs. In any case, you should continue to use a VPN and only connect your wireless devices directly to a secured network.
It may also be a good idea to hold off on software updates while travelling, because hostile networks can push through spoofed software updates. If you need to update software while on the road, do so only after connecting to a secure network via a VPN connection and only download updates from official vendor websites.
Strategically navigate the hotel minefield
Networks aside, hotel rooms can also be veritable minefields. For example, USB charging stations can be modified to inject malware payloads into the devices travelers plug into them, and RFID skimmers can siphon data from digital room keys and other RFID access cards. Hidden cameras could also be strategically positioned in front of a desk to look over the shoulder of anyone working there — or into a shower stall.
A perpetrator who gained entry to the room earlier could have installed such devices, and the high turnover rate of many hotel rooms means it is unlikely that hotel staff would find these subtle modifications, even if they looked for them.
One way to avoid potentially modified USB charging ports is to bring your own chargers. If you don't want to lug along another adapter, you could consider laptop adapters with built-in USB charging ports, such as the Zolt Laptop Charger Plus or the PlugBug, which is designed for use with Apple's MacBook power adapter. You could also get a data-blocker USB cable or adapter (such as one from PortaPow) to ensure only power comes through.
It's easier to defend against hidden RFID scanners due to the limited range of such readers. Simply avoid placing potentially sensitive items in expected places within the room, such as a wallet on the bed stand. Or you could place them in anti-RFID sleeves when they're not in use. It might also be a good idea to leave any building access fobs and cards you don't need at home.
Hidden cameras may be harder to avoid, because hotel desks are often bolted in place. You may want to place your laptop at a slightly off-center angle and use a privacy shield while working at a desk in your hotel room. Keep an eye out for conspicuously placed camera lenses. It's also wise to cover your fingers when you type passwords and to enable two-factor authentication, where possible, for any services you plan to use in your room.
Foiling physical intrusions
The risk of physical intrusion at hotels is very real, and real-world hacks of hotel doors are well documented. Most of the hotels around the world continue to implement and use door-access cards based on magnetic stripes that can be easily duplicated, or basic RFID cards that are susceptible to cloning. Such cards are cheaper than more secure alternatives.
Of course, laptops and other electronics containing sensitive business information could be stolen outright, but the hard drives of many laptops can also be removed and cloned with off-the-shelf hardware, without leaving a trace. If you intend to step out of your hotel room at any time without bringing your digital devices, lock them up in a safe or protect your data with robust data encryption.
Full disk encryption is common today and is enabled by default on many newer devices. However, it still makes sense to increase your laptop security by setting a shorter sleep timeout period and making sure the "require a password after sleep" setting is selected. (Read "10 things to do before you lose your laptop" for more proactive security suggestions.)
To protect data on portable storage devices, you can enable software encryption, such as BitLocker To Go, or use a hardware encryption dongle, such as the Enigma 2.0. The latter dongle plugs into a USB port, between a portable hard disk and your laptop, and it transparently encrypts and decrypts data at wired speeds.
Of course, you could also choose not to bring along sensitive data on trips, and then rely on a remote desktop tool such as Parallels Access for access to desktop applications via iOS or Android devices. Alternatively, you could also log in to your remote desktop using a web browser and store no data on your portable device at all.
These tips aren't meant to be exhaustive, but they should help defend against most common hotel hacks.