The days of making "analog accommodations" at hotels - filling out a reservation slip, taking ownership of a door key and having only a telephone handset to communicate with the outside world - are long over. Today's hotels are rife with digital trapdoors, metaphorical sinkholes that have the capacity to compromise your personal information and identity.
Many hotel breaches have been disclosed in recent months, most notably through the installation of malware on point-of-sale terminals within restaurants, gift shops and spas. This is likely the last hurrah for hackers before most terminals complete their migration to EMV. As if worrying about getting your credit card stolen wasn't enough, here are some other hotel hacks to watch out for.
The Hotel's Network
Hackers have a track record of being able to spy on traffic traversing the hotel's network and of inserting malware into the embedded hotel portal that users are typically redirected to for authentication. As detailed in an anecdote in Wired Magazine, when a user tried to get onto the hotel's Wi-Fi network, he was met with a pop-up alerting him to a software update from Adobe. Not thinking twice about it, the user accepted the alert, but what he actually downloaded was a malicious executable. Additionally, hackers can set up so-called "rogue" Wi-Fi access points that mirror the network name - the SSID (service set identifier) - used by the hotel and trick users into connecting to them.
The fix for both of these eventualities is for guests to use only an encrypted VPN connection, which prevents their data from being snooped at the network level. It's also considered good practice, especially in hotels, to plug into a wired network, which reduces the chance of your data being snooped by rogue wireless networks.
While physical keys have given way to door-access cards based on magnetic stripes, it turns out those cards can be easily duplicated or cloned.
Interestingly, in a demonstration, a device was introduced that, when placed in proximity to a card reader, can send malicious keyboard commands that are executed by the point-of-sale system, resulting in the device downloading and installing "memory-scraping malware" using nothing but keyboard commands.
The device was also shown in use against hotel door locks, brute-forcing the typically unencrypted data encoded on the hotel key card, such as the guest's check-in date, room number and check-out date. A hacker can then leave the device on the door and be notified on his mobile device when the correct data combination has been discovered. Estimated time to break a hotel lock: 20 minutes.
Other Inflection Points
While you might not think twice about it, USB charging stations can be modified to inject malware payloads into the very devices being charged. Additionally, RFID (Radio Frequency Identification) technology can be abused to harvest data from both digital room keys and RFID access cards. Even a hotel's hidden cameras can be redirected to look over the shoulder of anyone checking in, once again exposing personal information to anyone trying to obtain it.
If you're planning to check in to a hotel for business (or even pleasure), take a moment to survey your surroundings (as well as any machine prompts) before using your device. By taking such precautions, your data, as well as your identity, may be protected from even the most determined hotel hacker.
Now, hoping I did not utterly ruin your well-deserved vacation with tales of security miscreants, go enjoy some sun and have a fruity little drink on me.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Cybercrime, Cybercrime and Fraud, Fraud, Hospitality, Malware, POS malware