Attacks on Hotel Wi-Fi Networks
Wi-Fi (Wireless Network LAN) is a widespread wireless networking technology that is used in various public places (e.g., coffee shops, libraries, stations, city squares) for providing access to a free or a low-cost Internet connection. A variety of electronic devices, including personal computers, cameras, and smartphones, can be connected using the 2.4 gigahertz UHF and 5 gigahertz SHF ISM radio bands, which support Wi-Fi.
Most of the hotels around the world provide a free Wi-Fee connection for their guests in addition to a package of other free services, such as transportation, parking, telephone alarms, board games, and other facilities. However, not many hotel guests know about the risks posed by hotel Wi-Fi networks. A hotel Wi-Fi network may interrupt at regular intervals (for more information on hotel Wi-Fi quality testing, see http://www.hotelwifitest.com) and expose the hotel guests to potential cyber-crimes.
This article will discuss the susceptibility of hotel Wi-Fi networks to various information security attacks (Section 2) as well as five common attacks against hotel Wi-Fi networks (Section 3). Finally, a conclusion is drawn (Section 4).
2. Susceptibility of hotel Wi-Fi networks
After the US Federal Trade Commission (FTC) fined a number of hotels and other businesses for conducting de-authentication attacks on their own guests, the public attention on the vulnerabilities of hotel Wi-Fi networks has significantly increased. Currently, the FTC warns US consumers that logging into accounts through a hotel Wi-Fi network can have serious consequences because hackers are aware of the security vulnerabilities of those networks. Paying bills, making financial transactions, transferring files, replying to emails, and other activities performed via a hotel Wi-Fi network can result in a theft of online credentials and other sensitive information.
The website of the FTC provides a comprehensive summary of information security attacks targeting hotel guests: "here's how it works: as a hotel guest, you try to get online using their Wi-Fi network and get a pop-up for a software update. But the network has been compromised. When you click to accept the download, you unknowingly load software designed to damage your computer or steal your information."
The susceptibility of hotel Wi-Fi networks to cyber-attacks usually arises from the vulnerabilities of the router systems used in hotels. A research conducted in the beginning of 2015 identified major security vulnerabilities in popular InnGate routers which are used in hotels and convention centers in 29 countries, including the United States, Australia, and Italy. The detected security flaws revealed that malicious attackers were able to access network's root file system, copy and update files stored in the system, and distribute malware to the devices connected to the hotel Wi-Fi network. The identified security vulnerabilities may be used for gaining unauthorized access to hotel reservation and payment systems as well as guests' online credentials.
In 2014, researchers from Kaspersky Lab announced that a group of hackers called DarkHotel performed numerous cyber-attacks against high-profile individuals in luxurious hotels in Asia. In order to access victim's sensitive data or corporate information, DarkHotel installed spying software to the machines of the targeted guests via the hotel Wi-Fi network. After logging into the hotel Wi-Fi network, the guest was requested to download updates of legitimate software (e.g., Windows Messenger, Google Toolbar, or Adobe Flash) which contained DarkHotel's spying software. Next, DarkHotel collected personal data from the victim by using sophisticated attack methods, such as installation of Trojan Karba, kernel-mode keystroke logger, and cracking weak digital signing keys. In order not to leave any traces of the attack, DarkHotel's hackers deliberately deleted all suspicious data from the hotel Wi-Fi network. The level of sophistication of the attacks conducted by DarkHotel suggests that DarkHotel are not amateur hackers, but professionals. In this regard, Kurt Baumgartner (Principal Security Researcher at Kaspersky Lab) noted that "this threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision."
Although some of the attacks on hotel Wi-Fi networks are conducted by highly skilled hackers, attacks on hotel Wi-Fi networks may be conducted by amateur cyber criminals using freely available security tools, such as Wifiphisher. Wifiphisher floods the Access Point (AP) and clients with de-authentication packets. When the traffic between the target AP and its clients is jammed, the tool sets up a rogue AP that mirrors the real one. As a result, clients connect to the rogue AP. When a user connected to a rogue AP opens a website, he/she will be redirected to a phishing webpage which is masked as a router configuration page. Wifiphisher allows the attacker to customize the router configuration page for each attack.
The cyber-attacks of hotel Wi-Fi networks may lead not only to unauthorized collection of sensitive information, but also to more serious incidents. For example, in 2011, a high-ranking Hamas official was assassinated in a hotel located in Dubai after the electronic key lock of his room had been compromised. In order to enter the victim's room and commit the crime, the attackers reprogrammed the electronic key system of the hotel where the victim was staying.
In order to limit the security threats to their Wi-Fi networks, some hotels use rather questionable techniques. Last year, Marriott (an American hotel chain) was fined by FTC for blocking business travelers' Wi-Fi hotspots in "at least one" of its hotels, thus pressing the guests to pay for using the hotel Wi-Fi service. The management of the hotel chain claimed that such measure was used not for gaining profits, but for detecting and containing "rogue and imposter Wi-Fi hotspots used in our meeting and conference spaces that pose a security threat to meeting or conference attendees or cause interference to the conference guest wireless network."
3. Common security attacks on hotel Wi-Fi networks
In comparison with a regular wired network, hotel Wi-Fi is a less secure option for connecting to the Internet. Although security measures, such as encryption technologies (e.g., WPA and WPA2), Wi-Fi Protected Setup (WPS), and router passwords, may enhance the security of hotel Wi-Fi networks, the hotel Wi-Fi technologies are still not completely resistant to security flaws. Common attacks on hotel Wi-Fi networks include: (1) traffic analysis attacks, (2) eavesdropping attacks, (3) denial-of-service attacks, (4) dictionary-building attacks, and (5) replay attacks. These five types of attacks will be examined below.
Traffic analysis attacks
Traffic analysis monitoring can be used to determine the type of the information (e.g., email, chat, and web page requests) exchanged through a hotel Wi-Fi network. It is worth mentioning that traffic analysis attacks can be performed even when the messages are encrypted.
Eavesdropping is a technique that allows the attacker to obtain sensitive confidential information, including session tokens and passwords, through "sniffing" the private communication carried through a Wi-Fi network. Eavesdropping can be classified as (1) passive eavesdropping and (2) active eavesdropping.
In passive eavesdropping, the attacker merely monitors the communication without interfering with the communication channel. Passive eavesdropping allows the attacker to watch over a decrypted wireless session, to read data that is transmitted during the session, and to gather information indirectly through surveying the session packages. Passive eavesdropping is difficult to detect because it does not produce any noticeable effects.
In active eavesdropping, the attacker not only monitors the communication, but also interferes with the communication channel. Active eavesdropping attacks are typical examples of man-in-the-middle attacks.
Denial of Service (DoS)
Wireless denial-of-service attacks on hotel Wi-Fi networks aim at a temporary or indefinite interruption of the operations carried through the attacked Wi-Fi networks. A DoS attack can either crawl the Internet speed or disable the network availability. DoS attacks are conducted by interfering with the Wi-Fi session data before it is communicated to the sensor node. The protection against DoS attacks requires the proper setting of the network software (e.g., firewalls) and hardware (e.g., switches, routers, application front end hardware).
Dictionary-building attacks are usually performed by hackers who already have knowledge about the traffic in the targeted hotel Wi-Fi network. In order to access particular devices connected to the attacked network, the attacker goes through a list of candidate passwords. For example, the list may include the words from a dictionary or words related to the victim.
The best way to prevent dictionary attacks is to use lengthy randomly generated passwords which include uppercase letters, lowercase letters, and numerals. Furthermore, the vulnerability to dictionary-building attacks can be significantly decreased by limiting the number of attempts to enter a password. It is recommended that no more than 4 password entries should be allowed within a time period of 15 minutes.
Replay attacks are conducted by replaying authentication sessions with the aim to obtain unauthorized access to a computer or a computer network. Since the replays do not take place in real time, the victims of replay attacks may remain unaware about the attacks. Replay attacks require the collection of information about the expired legitimate sessions that were taking place through the Wi-Fi network.
Replay attacks can be easily avoided by using session tokens and one-time passwords. A session token is a piece of data which identifies each session. Session tokens should be generated by a random process. Otherwise, the attacker may be able to predict a session token. The one-time passwords expire either immediately after their use or after a short period of time. One-time passwords are ideal for authentication of individual transactions.
On the basis of the information provided above, it can be concluded that the presumably innocent hotel Wi-Fi network can cause serious security threats, including a theft of personal and corporate information. This article has demonstrated that, although data security awareness is growing among hotel guests and hotel owners, hotel Wi-Fi networks still remain improperly secured.
Hotel Wi-Fi networks are lucrative targets for cyber criminals due to the amount of sensitive data passing through them. In order to enhance the security of a hotel Wi-Fi network, guests should be aware of several preventive security measures. Simple acts, such as (1) using a virtual private network (VPN) that encrypts traffic data, (2) choosing a mobile 3G or 4G connection instead of a hotel Wi-Fi connection, (3) avoiding installing any software updates during the stay in a hotel, or (4) checking if the Internet security solution used by the hotel employs a good antivirus protection, can help to avoid a security nightmare in your favorite hotel.
What should you learn next?
- "Kaspersky Lab sheds light on "Darkhotels", where business executives fall prey to an elite spying crew", November 10, 2015, Kaspersky Lab. Available at http://www.kaspersky.com/about/news/virus/2014/Kaspersky-Lab-sheds-light-on-Darkhotels-where-business-executives-fall-prey-to-an-elite-spying-crew.
- "Marriott's Updated Response to FCC Petition Filing", December 30, 2014, Marriott. Available at http://news.marriott.com/2014/12/marriotts-response-to-fcc-petition-filing.html.
- "Network Eavesdropping", The Open Web Application Security Project (OWASP). Available at https://www.owasp.org/index.php/Network_Eavesdropping.
- Adam, M.M.E., and Abdallah, A.G.E, "WIFI Security", February 2015, International Journal of Advances in Engineering and Management (IJAEM), Volume 2, Issue 2. Available at http://www.sustech.edu/staff_publications/20150412092456586.pdf.
- Barbara, J., "Handbook of Digital and Multimedia Forensic Evidence", Springer Science & Business Media, 2007.
- Boatman, K., "Is it Safe to Use a Hotel's Free Wi-Fi Service?, Norton. Available at http://us.norton.com/yoursecurityresource/detail.jsp?aid=free_wifi
- Constantin, L., "Free tool automates phishing attacks for Wi-Fi passwords", Network World, 5 January 2015.
- Hertzfeld, E., "Vulnerability in Wi-Fi routers put guests and hotels at risk", March 31 2015, Hotel Management. Available at http://www.hotelmanagement.net/homepage-technology/vulnerability-in-wi-fi-routers-put-guests-and-hotels-at-risk-30746.
- Kando-Pineda, C., "Hotel Wi-Fi: Weigh the risk", February 4, 2015, Federal Trade Commission. Available at https://www.consumer.ftc.gov/blog/hotel-wi-fi-weigh-risk.
- McGuire, R., "The Power of Mobility: How Your Business Can Compete and Win in the Next Technology Revolution", John Wiley & Son, 2007.
- Pathan, A., "The State of the Art in Intrusion Prevention and Detection", CRC Press, 2014.
- Vamosi, R., "When Gadgets Betray Us: The Dark Side of Our Infatuation with New Technologies", Basic books, 2011.
- Zetter, K., "Dubai Assassination Followed Failed Attempt by Same Team", April 1, 2011, WIRED. Available at http://www.wired.com/2011/01/dubai-assassination.
Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.