My very first column for PC Week back in 1988 was called The Practical Networker, and the first topic was about hotel connection problems. Back then, we just had to take apart the phones in our rooms to gain access to the little red and green wires to hook up our modems. Sometimes it required surgical skills for those hard-wired phones. Those days seem so quaint now.
Today we have a much more difficult problem, that of insecure and leaky hotel networks. Most hotels don’t really spend the time and energy to lock down their networks, and most business travelers don’t spend the time and energy to lock down their computers. The result is a boon for any corporate spy that has a laptop and minimal skills. Go to any center city convention hotel today and within minute you can collect Powerpoints, secret documents, and business plans on just about any industrial topic. And you don’t need any skill, other than showing up at the right time and place.
The problem is several-fold. First, hotels typically don’t segment their guest LANs – meaning that everyone in the hotel is on the same segment, has the same access, and can see anything across the entire network. This is true for wired and wireless access. Obviously, if a wireless user can sit in the parking lot of the hotel and gain access to the entire hotel LAN, this is even more trouble waiting to happen. The best situation is to have every single guest on a separate virtual LAN so they can’t see anyone else’s traffic. This requires them to use more expensive switching hardware, of course.
Second, many hotels don’t understand their Internet connectivity, and provide little beyond the kind of consumer-grade access that you and I use from our homes. Some even have little or no protection on their Internet connection, as unbelievable as that sounds. There was one hotel I remember vividly in San Diego that had no firewall between its network and the Internet. None, nada. I was attending a conference there during one of the virus outbreaks, and sure enough, a lot of people got infected on Monday morning before they came down for their sessions. In some cases, hotels will give you a public IP address so that you can get out and use your VPN connection. Under these circumstances, these public IPs are really public, you know what I mean?
Some of the Internet providers also don’t understand security, and don’t do anything to protect their customers either. We’ll get back to this in a moment.
Third, most laptop travelers don’t use personal firewalls, still. And if they do use them, they don’t have their configurations setup properly to mask themselves from curious guests who know how to bring up Windows Network Neighborhood and surf around for open file shares. I recently did a demo with a vendor who was sitting in a hotel parking lot somewhere in Salt Lake City. In a minute or two, we were looking at the open file shares on a dozen or more users, all of whom were completely exposed. We were browsing one person’s extensive music collection in a few mouse clicks. Lucky for him, our tastes weren’t similar. (Just kidding.)
Finally, there is the whole wireless issue that just makes things even more insecure. There are hotspots called “evil twins” that are just traps run by clever people that use common names and are set up for the unsuspecting traveler to login to – I have begun noticing these traps more and more when I bring up my laptop. And let’s not even get into how poor wireless security can be.
How prevalent is all of this? Two colleagues, Lisa Phifer and Craig Mathias, traveled around the northeast and tested 24 hotels this past summer. They found trouble almost everywhere they went. Just one in four sites could prevent wireless eavesdropping and block all notebook probes.
Here are a few choice tidbits from their report:
“Hotels can thus be excellent venues for those interested in stealing confidential data from business travelers. Users may assume they are insulated from outsiders, but really have no idea whether any firewall lies between their notebook and the Internet. Business travelers willing to connect to any network that offers free Internet access are especially vulnerable to such attacks – it is literally impossible to tell the good from the bad in this case.”
“Hotspot users might be unpleasantly surprised to discover they are reachable from the Internet [when they choose public IP addresses]. We expected paid networks would protect users from each other or Internet attacks more often than free hotspots, but this was not the case. Several free hotspots had noteworthy exposures, but so did paid networks, including the most expensive sites. ”
The only two Internet providers that passed all their security tests were I-Bahn and T-Mobile. They segregate traffic by user and prevent people from inadvertently sharing their connection. The others, including Guest-Tek, Passsym, Starwood, TurboNet, StayOnline, and Wayport, all had security problems.
So, spend some time today making sure your own laptop is properly configured. By all means, if you don’t have a personal firewall on it, now is the time to download one. Zone Alarm is what I use on Windows and it works very well. And the next time you travel, you now have some additional options for in-room entertainment that are absolutely free of charge.
The report is available for download here. As the saying goes, don’t leave home without it.