Think your hotel’s WiFi network is secure? Think again!

By Steve Haskew, technical director, Airangel

When it comes to hotel WiFi security, you probably have two types of guests. Some (the minority) may ask front of house staff how safe it is, while others, (the majority) are likely to log in and start browsing the Internet for work or pleasure without a second thought for their online safety.

However, front of house staff may start to see a shift in balance from their hotel guests, as a recent case of attempted hacking has shone the light on just how vulnerable hotel WiFi security can be. A Russian cyber-spying group was accused of targeting hotel guests in seven European countries and one in the Middle East. The hackers were accused of trying to steal passwords from business travellers using hotel WiFi networks and then planned to infect their organisations’ networks.

Another threat that poses a risk to public WiFi networks has also recently been identified by white hat hackers (ethical hacking). A serious vulnerability in WPA2, a protocol that secures all modern protected WiFi networks was detected which would allow an on premise attacker to exploit the protocol using key reinstallation attacks (KRACKS) to access sensitive information such as credit card details and users passwords. This vulnerability is in the WiFi standard itself and providers like our selves are working with the manufacturers to roll out security updates to ensure networks are secure.

It may sound like something from a James Bond film, but it won’t be the first or last time a vulnerability is detected or criminals set up a fake network, calling it something very similar to yours e.g. ‘Hotel Guest WiFi’ and fooling guests into thinking they’ve logged onto the hotel’s network. And then, once online, hackers suddenly have access to a wealth of personal data and the ability to infect your guests’ personal devices with malware. Worse still, hackers could even access the hotel’s IT system and gain access to guests’ credit or debit card payment details.

All public networks carry risks unfortunately, but beefing up your hotel’s WiFi security may not be as complex as you think and there are a number of proactive steps you can take to ensure your network remains safe from cyber criminals. Here are our top five tips:

1. Help guests to help themselves

It’s easy for hotel guests to be complacent about WiFi security with most not even questioning how safe their data is while browsing the web or checking emails. However, it’s essential that hotels have a robust set of terms and conditions in place so if the network is hacked, guests can’t hold the hotel responsible. Make sure guests are made aware of these T&Cs either at check-in or at the start of the logging-on process.

Also, make it clear to guests the name of the network they should join. Remember hackers will try and fool guests into choosing their network by naming it something very close to the name of yours. Be sure to make guests aware of the correct network to choose and the log on process they need to adhere to.

2. Onsite security

It sounds obvious, but don’t overlook the physical security of your onsite server. You could spend a fortune on securing your network, and then leave the comms room door unlocked, making it easily accessible for anyone looking to compromise your network. Physical security is extremely important in hotels. Think about it – you may have lots of different staff and of course guests walking around the hotel day and night and if left unlocked, a person could very easily enter your comms room unchallenged, and if someone does stop them, they could pretend to be a lost guest. A criminal could very quickly plug a suspect device in to your server, so make sure the room remains locked at all times.

3. People are the weakest link

From passwords scribbled on Post IT notes to not logging off their computers properly, it’s a sad fact that people are the weakest link when it comes to IT security. Hotel staff are well trained at keeping guest details secure, but how many could be easily duped into giving away the name of the IT manager? A criminal could then easily fool unsuspecting staff members that they’d been asked to meet the IT manager at the server room and then gain access to the hotel network. Ensure your staff are aware of the threat of cyber-crime and to not unwittingly give away the names of IT staff or access to the server room.

4. Device detection

Your hotel IT manager may have responsibility for a chain of hotels and only visit yours sporadically, performing most necessary IT maintenance checks remotely. As a result, if there is a rogue device plugged into your server or a suspect network appears as a guest is logging on, how long is it likely to take before he or she notices? They may not even check for anything unusual as it can be a difficult manual process. Functionality to detect a device that shouldn’t be on the network is available that sends an alert indicating that something has been found, however in my experience it is not something that is widely used in the hospitality sector. If your business outsources its IT management, speak to them to ensure that checks for rogue devices are part of the service.

5. Hotel home experience

As with most things in life, when it comes to the type of WiFi service you receive, you get what you pay for. Some providers will guide you through security risks, others may expect you to pay more for the privilege. If you’re happy with the service you receive you may want to enhance the online experience and boost security for your regular business guests, no matter which of your chain of hotels they stay in. Have you considered an upgrade to your service that will enable them to securely connect all of their devices to your network just like they do at home? Regular visitors to your hotels won’t want to have to log in each time they visit one of your hotels and fill out a different set of forms to get online, so consider setting up a private WiFi network which securely enables them to log on, no matter where they are in the world.

Guest WiFi is today considered more as a commodity than a luxury for customers, yet some of your guests probably don’t appreciate that their WiFi network at home is likely to be more secure than the hotel’s. However, as we’ve shown there are some practical steps you can take to boost physical security, while at the same time ensuring your guests take the necessary precautionary measures too.