Management, compliance & auditing

Security Policy Template For Hotel Networks

Dan Virgillito
February 12, 2015 by
Dan Virgillito

When booking a hotel room, you assume that it is the responsibility of the hotel to keep you and your belongings safe by not sharing your room keys or other details. But a greater threat could be lurking in your room – the WiFi connection.

While high-speed wireless Internet is always a welcome amenity for hotel guests who are looking to communicate and conduct business on the go with limited disruptions, it also illustrates the vulnerability of the hotel industry to cyber threats.

Hotel WiFi networks suffer from many security weaknesses, many of which are similar to the weaknesses of public WiFi networks. These networks increase the hotel guests' susceptibility to 'man-in-the-middle' and other attacks that compromise their personal information. The IC3 (Internet Crime Complaint Center) and FBI have already reported that instances of malware and other attacks on hotel-connected smart devices are on the rise.

Hotel WiFi Threats

As hotels become dependent upon wireless communications, security vulnerabilities of such an adoption continue to rise. WiFi now has the potential to open doors to cyber criminals, allow unauthorized entry of privacy hackers and just about every other security nightmare imaginable. Even though a router may provide advanced security features, it still doesn't translate into protection of the hotel's or guests' confidential/personal information.

The following are some of the leading threats to hotel networks:

Spear-phishing & backdoor attacks: The Darkhotel malware is one of the leading examples of these attacks. Hackers who conducted the attack waited for hotel guests to check-in and connect to the WiFi network by submitting their surname and room number to login. The attackers use the hotel's compromised network to send bogus software update messages to trick guests into downloading a backdoor that appears as a legitimate software update (for Adobe Flash or Google Toolbar). The guests download this new update, only to infect theirmachine with a backdoor that may be used to download further software such as Trojans and advanced stealing keyloggers.

Man-in-the-middle (MITM) attacks: This involves the hackers placing their malicious code between the victim and a valuable resource, such as a login page presented by the hotel body. The most sophisticated MITM attack type is conducted via browsers. In this case, the malware silently records the data transferred between the user's browser and the hotel login page that has been hardcoded into the malware. Such attacks don't require the attacker to be in close proximity to the victims, and can be used to target a large group of victims with less effort. Hackers may also use packet sniffers to intercept the information.

[download]Download accompanying files here[/download]

ARP (Address Resolution Protocol) spoofing: ARP spoofing or flooding is a technique that can be used to attack hotel networks. It allows hackers to sniff traffic on a hotel network and modify the exchange of data. Criminals send fake ARP messages to a LAN to associate the MAC address of an attacker to an IP address of a victim. As a result, any data meant to be transferred to the victim's IP address is transferred to the criminal instead. The attacker can also launch denial-of-service attacks against victims by forming a connection of a nonexistent MAC address to the victim's IP address.

Security policy template

The following security policy template highlights implementations required to mitigate and prevent attacks on hotel networks and hotel guests. The hotel's IT team should take these considerations into account, but hotel guests are also encouraged to take measures that minimize the chances of information theft.

The hotel's management & IT team should…

1. Display caution signs

Hotel networks and guests connecting to those networks can be an easy target for hackers. The management team should display caution signs at front desks and in rooms to remind guests of the following:

  • Don't enter sensitive information like social security numbers into a login page.
  • Check with the front desk for any software update announcement.
  • Do not enable the browser/ any site to remember your password and always logout of sensitive accounts.
  • Clear history and temporary Internet files when you've finished work.
  • Don't leave the computer unattended in public areas of the hotel.

2. Configure networks & servers with data encryption

To help secure the personal information of customers, hotels should configure data encryption on all networks and servers so that all information entered through hotel forms (pages that enable customers to enter information) on the hotel Internet login page are transmitted with data encryption.

By taking this measure, the personal information of the customer during the login or sign-up process is protected by SSL (secure socket layer) technology to ensure safe data transmission. Many hotels have begun taking advantage of 256-bit data encryption validated with a security certificate to protect the data of hotel guests.

3. Integrate data intelligence feeds

Modern data intelligence feeds require investment, but plays a significant role in creating a dataset that includes the domain, IP address and URL information of the associated malware. The feeds are updated frequently and easily converted into XML format for analysis. Such feeds have many uses such as detecting compromise or infection of the device owned by hotel guests, compromised accounts, infected networks and hotel profile.

Hotels are recommended to implement threat intelligence feeds that include a data breach notification system. Such systems provide notification and real-time threat reports which signify that hotel guests have been targeted (data already exists out there) or will be targeted in the future. The resulting reports should be analyzed by the management, IT team and any partners providing cyber security solutions to stop bad actors from targeting the guests again in the future.

The guests should…

4. Use a VPN service

The best way to block attacks like DarkHotel malware is to use a VPN whenever connecting to hotel WiFi. Any hacker can sniff wireless traffic, unless it's being routed via a virtual private network.

VPNs will encrypt all the digital communications and prevent sensitive data from being intercepted by adversaries, so consider them a vital part of keeping your privacy safe when going online from hotel rooms. There are several VPN options available, including free and paid solutions. Do your research to work out the one most suitable for your needs.

5. Look for HTTPS

HTTPS implies your browser is secure. With extensions like HTTPS everywhere, you can force your browser to use the secure connection. Websites, cloud, and email services often use HTTPS and display a locked padlock in the browser, indicating that your data is being encrypted automatically.

However, extensions can be used to activate encryption for all websites. They depend on the security features of individual websites that a user is browsing to activate those security features. However, security features should already exist in a site, as they can't be created by the extensions themselves.

6. Use VLAN where possible

Some hotels charge you for high-speed Internet or wired Internet services. The charge goes toward adding extra security to the provided service. The service allows you to login to a VLAN or virtual local area network that is safer than WiFi and secured against unauthorized activity. VLANs are password protected as well.

A hotel without a VLAN service would likely offer a WiFi connection. Avoid using credit cards, debit cards and other sensitive information on wireless networks, and plug into Ethernet where possible, as these provide more security.

7. Activate your firewall

A firewall is a security program that's present in most operating systems and antivirus programs. It blocks unauthorized access to your PC, thereby preventing hacking and malware attacks. It also regulates what data can and cannot be transmitted from the PC.

The firewall can also be configured to allow certain program access and data release. It should be activated before connecting to the web via hotel networks. You're advised to read the instructions provided by the manufacturer and adjust firewall settings accordingly. While surfing the web, deny access permission to any program that looks unfamiliar.

8. Update everything before checking in

Despite being on the go and busy with to-do-tasks, don't forget to update your operating system security and all the applications residing on your smartphone, tablet or laptop before checking into a hotel. Also see that antivirus and antimalware programs running on the device are fully updated.

Ignore the unsolicited software update offers while surfing the web on the hotel network. Any web page that is offering a software update, apart from the vendor's official website, may be a virus or malware. You can also use another device to verify security warnings.

Lastly, be very careful when using Hotel WiFi. It's best to save sessions that involve financial transactions for when you're able to go online via a secured network.

Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.