Roughly 160 million Americans are expected to travel this holiday season between late November through mid-January, marking a return to what feels more like pre-pandemic trends. And of those, about 56% are expected to stay in hotels.
As more and more of people’s lives are lived online, it’s important not to leave cyber hygiene at home when traveling this holiday season — especially while working from the road. Hotel Wi-Fi networks are notoriously poorly secured, raising the risks for those logging in.
The potential pitfalls of Wi-Fi on the go
Most hotel networks, and most open networks, aren’t encrypted. Instead, they’re focused on ease of use.
However, it’s not difficult for a Wi-Fi network to enable encryption. For most modern routers, the encryption would be either WPA2 or WPA3, which is pretty good at withstanding external attacks.
Not sure whether the network is locked down? Check the properties of the network.
If there isn’t an encryption protocol, there’s good reason to be worried. That’s because whatever is sent or received on that network is broadcast openly, no matter how that data is established. Now, that doesn’t mean everything is visible to bad actors. Protocols like https encrypt the traffic no matter the medium they operate on. And there are other apps that internally encrypt their traffic, at least to some extent. Some are encrypted end to end, and others just encrypt logon credentials.
Navigating log in challenges
Different hotels have different log-in processes, and understanding the level of security at each typically isn’t obvious. Some require a room number and last name, others may use a standard login for everyone or have a separate Wi-Fi network for each guest room.
Another common configuration is what’s called a “captive portal,” which uses what’s typically set up as an open network. Until someone connects to a certain landing page, all network traffic is blocked. This usually requires the user to pay a fee before getting access to the internet at large.
Though this method is a popular way for hotels to limit access to Wi-Fi, it’s not that effective in terms of securing network infrastructure. That’s because it’s meant to force an action — like paying a fee — before granting Wi-Fi access, but once that’s done, it’s unlikely that the user is protected inside that network.
Even if using a protected network, it’s still one that’s shared and thus can be monitored by bad actors or specialized devices.
How zero trust and VPNs factor in
Zero trust is a great way to manage the attack surface. If using a company laptop that uses the zero trust approach, there will probably be significant protection. However, though zero trust defends the network from connections that could be dangerous, it doesn’t concern itself with the traffic. A system that doesn’t distrust and then verify every connection essentially isn’t protected at all.
Also bear in mind that smart devices, gaming systems, digital media players and similar devices that are used in a hotel room have a terrible security track record and create vulnerabilities on the network. A bad actor who uses one of these devices to access the network then has an open door to monitor traffic and move laterally within the network.
In the same vein, Virtual Private Networks (VPNs) — even though they can be quite helpful in this situation — have their challenges. Standard VPNs definitely can secure traffic, but sometimes they have to be disabled prior to joining a hotel network. This typically happens if the hotel uses a captive portal. The network can’t communicate with the VPN, so users have to log off the VPN so the necessary connection handshake can happen. Then users have to log back on.
The problem here is that a bad actor can compromise encryption during the handshake. If that happens, the criminal can monitor a session and capture a VPN connection data, too. And then there’s the fact that using a VPN usually reduces network traffic to a crawl, sometimes to the point that it’s unusable.
Always put security first
It’s best to avoid hotel networks if users can’t verify the encryption protocol, they aren’t already filtering dangerous sites at the device level, or they’re otherwise concerned about the network’s security. Knowing the potential for security issues before clicking that “connect” button is an important step in the right direction.