Teleworking from Hotels – FBI Advises How to Avoid Cyber Risks

This post is also available in: עברית (Hebrew)

One of the consequences of the COVID 19 pandemic is the increase in telework from hotels as a distraction-free work environment. However, this could pose a cyber security risk for guests. The Federal Bureau of Investigation (FBI) has recently called Americans to exercise caution when using hotel wireless networks (Wi-Fi) for telework. 

Accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks. Malicious actors can exploit inconsistent or lax hotel Wi-Fi security to compromise the work and personal data of hotel guests, according to the FBI announcement. 

Attackers target hotels to obtain records of guest names, personal information, and credit card numbers. The hotel environment involves many unaffiliated guests, operating in a confined area, and all using the same wireless network. Guests are largely unable to control, verify, or monitor network security. Cyber criminals can take advantage of this environment to monitor a victim’s internet browsing or redirect victims to false login pages. 

Criminals can also conduct an “evil twin attack” by creating their own malicious network with a similar name to the hotel’s network. Guests may then mistakenly connect to the criminal’s network instead of the hotel’s, giving the criminal direct access to the guest’s computer.

At its most robust, access to a hotel Wi-Fi network is typically governed by a combination of room number and password. This combination only governs devices accessing the hotel’s network but does not provide a secure internet connection. Currently, there is no hotel industry standard for secure Wi-Fi access. 

Connecting personal or business devices to the hotel’s wireless network may allow malicious actors not only to compromise the individual’s device but also to access the business network of the guest’s employer. 

The FBI statement on ic3.gov recommends hotel guests to reduce the risks by taking the following measures:

• If possible, use a reputable Virtual Private Network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
• If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
• Before travelling, ensure your computer’s operating system (OS) and software are up to date on all patches; important data is backed up; and your OS has a current, well-vetted security or anti-virus application installed and running.
• Confirm with the hotel the name of their Wi-Fi network prior to connecting.
• Do not connect to networks other than the hotel’s official Wi-Fi network.
• Connect using the public Wi-Fi setting, and do not enable auto-reconnect while on a hotel network.
• Always confirm an HTTPS connection when browsing the internet; this is identified by the lock icon near the address bar.
• Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
• Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
• Follow your employer’s security policies and procedures for wireless networking.
• If you must log into sensitive accounts, use multi-factor authentication.
• Enable login notifications to receive alerts on suspicious account activity.