Beware of hotel Internet connections
- By Joab Jackson
- Oct 03, 2008
Jetsetting federal workers should be careful about how they use the Internet connections supplied by hotels, as most are not secured properly, according to a new study from the Cornell University School of Hotel Administration.
"[H]otels in the U.S. are generally ill-prepared to protect their guests from network security issues," concluded the study
, titled "Hotel Network Security: A Study of Computer Networks in U.S. Hotels."
One hundred forty-seven hotels responded to a written survey sent out by the researchers, asking about each hotel's network infrastructure. In addition, the researchers paid a visit to 46 hotels in person in order to surreptitiously scan their networks. The hotels surveyed ranged from family-oriented hotels to those serving more of a business clientele.
They had found that 20 percent of hotel networks use simple hub topologies, in which every packet from every user gets broadcast to every other user. This is an unsecured network, the researchers warned.
"The key problem with a hub is that it simply repeats any information that is sent to it. ' In an ideal situation, only the transmissions that are associated with your computer would come back to you," the report states. An interloper could simply set his network card to save all the packets it is sent, not merely those designated to go to that computer's address.
In addition to the wired networks, about 90 percent of hotels offered wireless access, which operates in a hub-like setup.
The majority of other hotels managed patron traffic through switches or routers, which are slightly more secure than hubs, but the still have shortcomings. Switches and routers direct Internet packets only to the appropriate recipients, rather than to all parties on the network.
Users on such networks could still be vulnerable to man-in-the-middle attacks, though. In these scenarios, an attacker's computer broadcasts itself as the Internet gateway for the hotel and intercepts all traffic going to and from the Internet. In wireless environments, attackers could set up rogue hot spots which would mimic a similar spoof.
In the site visits, researcher Josh Ogle deployed a laptop that ran BackTrack, a modified version of Linux for network-penetration testing, as well as the Ethereal packet-capturing program. For wireless access, he used a SMC Networks' SMC2532-B EliteConnect wireless card. Only six of the 39 hotels offering wireless that researchers visited used encryption.
The researchers recommend that for maximum security hotels should set up Virtual Local Area Networks (VLANs). "If one were to set up VLANs on all ports in the hotel'that is, to make every single room its own VLAN'the chances for Address Resolution Protocol spoofing and other hacks are minimized," the report concluded.
For those using hotel networks, the researchers recommended ensuring that your computer has an updated firewall, and that any sensitive transaction you undertake uses the secure socket layer (SSL) protocol, as evidenced by the "https" prefix of the Web address. Use a virtual private network (VPN) or SSL-based e-mail when possible.
In the survey, 20.6 percent of the hotels reported that malicious activity had taken place on their networks.
Joab Jackson is the senior technology editor for Government Computer News.