Russian hacking is still all over the news, but you may have missed hearing about one small but significant hack: hotel Wi-Fi networks.
The U.S. Department of Justice in October 2018 charged seven hackers with a range of crimes. Hackers would sit outside of hotels and, using simple tools that anyone could download, grab passwords, credentials, and other data as it passed over Wi-Fi. Last year alone, there were three major breaches at large, mainstream hotel chains affecting more than a billion pieces of guest information.
"Traveling has always been when people are more vulnerable. A few hundred years ago, the perpetrators were pirates or highwaymen. Now those criminals are still out there, but they've changed their methods to focus on digital attacks instead," Caleb Barlow, vice president of X-Force Threat Intelligence at IBM Security, says in a statement. This is extremely problematic for any organization that must adhere to the European Union’s General Data Protection Regulation (GDPR) and U.S. privacy regulations such as California’s Consumer Privacy Act.
The latest attack methods include not only hacking Wi-Fi signals but also using network-connected “internet of things” devices and tablets to gain access to confidential hotel and guest information and resources, explains Jay Rosenberg, senior security researcher for Kaspersky Global Research and Analysis Team. A hacker can get into a hotelier’s network by infiltrating smart blinds or smart lights connected to the IT infrastructure or hiding software or malware on a tablet.
“Hackers can also use an unsecured Wi-Fi connection to distribute malware,” Rosenberg says. “If a user is file-sharing across a network, the hacker can easily plant infected software on your computer by hacking the connection point itself, causing a pop-up window to appear offering an upgrade to a piece of popular software.”
Planners’ and Guests’ Wi-Fi Demands Increasing
It might seem as if these issues would be enough to scare some people into staying home, but business travel in particular is still on the rise. That said, hoteliers who are aware of these attacks on the hospitality industry and mitigate them using IT security can earn more trust not only from transient guests but also meeting planners and attendees, who are often using a dedicated Wi-Fi network.
As the Russian hacking arrests show, Wi-Fi can be a serious threat to security. However, studies show that free Wi-Fi is an amenity that business travelers and meeting attendees, in particular, require. A recent Hotel Internet Services (HIS) study found that more than 90% of hoteliers frequently encounter guests who want to connect more than three devices to a hotel Wi-Fi network, while the same percentage of guests characterized Wi-Fi access as “very important.”
“Hospitality professionals have increasingly recognized the critical role that guest Wi-Fi plays in boosting satisfaction scores and loyalty and are attempting to be more competitive in providing the service as a result,” HIS CEO Gary Patrick says in a statement. Planners, by extension, are being more meticulous about their events’ Wi-Fi needs in their RFPs from the start.
So how can you balance the need for Wi-Fi with the need for security?
Step 1: Protect Access Points and Separate Networks
Experts suggest making sure your network is using the latest technology and your security team is protecting your physical perimeter, too. For instance, your organization probably has multiple Wi-Fi access points around your hotel. Make sure these hardware access points are not accessible to guests. You don’t want just anyone walking up to them, since they can be reset to factory settings with the push of a button.
In addition, it will be important for the hotel employee and guest networks to be separate so that even if bad actors do get onto the Wi-Fi network, they won’t gain access to financial or company information. Your IT department can help you segment your network so guest traffic and employee traffic are completely isolated from each other.
Step 2: Encrypt Guests’ Internet Traffic
That won’t keep hackers from intercepting guest Wi-Fi traffic, though. To do that, you’ll need authentication and encryption technology in place. For instance, although it’s slightly more work for guests, implement a captive portal, which uses a webpage and asks users to log in and accept your terms of service before gaining access to the network.
With a captive portal, you can also set time and bandwidth limits. Most captive portal solutions are password-protected, which means you can limit access. Many also use encryption such as Enterprise WPA2 with 802.1X authentication, which is a standard framework for encrypting and authenticating network users.
This technology takes Wi-Fi traffic and “locks it down” using a special electronic key. The best part: You can private-label your captive portal for group planners hosting conferences or events at your location.
Step 3: Monitor Constantly for Threats
Even with these protections in place, hackers will try to find a way into the Wi-Fi network. Rogue access points are one option hackers use, says Chet Wisniewski, a principal research scientist at IT security company Sophos. Technology has advanced so far that a hacker can bring his or her own access point on or close to the property and set it up as part of the hotel’s network. Once a guest logs on, the hacker can see everything they do. If the traffic is encrypted, it’s much harder for them to gain access to the data, but it’s not impossible. Traffic from groups traveling for business meetings or conferences is going to be especially appealing to a hacker.
“You can’t prevent it from happening, but you can detect it and locate it,” Wisniewski says. “Better Wi-Fi equipment is constantly scanning for rogue (access points). It won’t delete it, but it will let you know it’s there so you can let your physical security team know what’s going on so they can find and eliminate the threat.”
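The rogue access point scanning described above, as an added example (not from the article or any vendor's product): it compares beacons from a wireless scan against an inventory of authorized access points and orders alerts by signal strength to help the physical security team locate the device. The SSID, BSSIDs, inventory format, and scan records are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the advertising radio
    channel: int
    security: str   # e.g. "WPA2-Enterprise", "Open"
    rssi_dbm: int   # signal strength seen by the scanning sensor

# Hypothetical inventory of deployed APs: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "02:00:00:aa:00:01": ("HotelGuest", 1, "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("HotelGuest", 6, "WPA2-Enterprise"),
}
PROTECTED_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}

def classify(b: Beacon) -> Optional[str]:
    """Return an alert reason for a beacon, or None if it looks legitimate."""
    known = AUTHORIZED.get(b.bssid.lower())
    if known is None:
        # Unknown radio advertising the hotel's network name.
        return "rogue-ssid-clone" if b.ssid in PROTECTED_SSIDS else None
    ssid, channel, security = known
    if b.ssid != ssid or b.security != security:
        # Known BSSID with changed settings: spoofed MAC or a factory-reset AP.
        return "config-mismatch"
    if b.channel != channel:
        return "channel-mismatch"
    return None

def find_rogues(scan):
    """Return (reason, beacon) alerts, strongest signal (nearest) first."""
    alerts = [(classify(b), b) for b in scan]
    alerts = [(reason, b) for reason, b in alerts if reason]
    return sorted(alerts, key=lambda rb: rb[1].rssi_dbm, reverse=True)

# Constructed scan results from one sensor.
SAMPLE_SCAN = [
    Beacon("HotelGuest", "02:00:00:aa:00:01", 1, "WPA2-Enterprise", -48),
    Beacon("HotelGuest", "02:00:00:ee:99:10", 6, "Open", -41),
    Beacon("HotelGuest", "02:00:00:AA:00:02", 6, "Open", -67),
    Beacon("CoffeeShop", "02:00:00:bb:00:07", 11, "WPA2-Personal", -80),
]

if __name__ == "__main__":
    for reason, b in find_rogues(SAMPLE_SCAN):
        print(f"{reason}: {b.ssid} {b.bssid} ch{b.channel} {b.rssi_dbm} dBm")
```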
Step 4: Pressure-Test the System
Finally, experts say it’s not enough to proactively protect an environment and forget about it. After all, no one wants to book a conference or business trip if they are afraid that their personally identifiable information and business assets will be stolen. That’s where testing comes in, experts say. At least once or twice a year, employ someone who can think like a hacker and test to make sure everything in your network is buttoned up.
“I would advise hotel owners to hire penetration testers to make sure their network and devices are secure,” Rosenberg says. “In addition, hospitality IT management should make sure that only the applications that guests are supposed to use are available, and all other apps are inaccessible.” Hoteliers who do this — ensuring both security and convenience for guests — are well positioned for success.