Has this happened to you? I was staying at a hotel where the WiFi creates one flat network, and, of course, there are numerous people who don't know the first thing about basic security practice. Why do I know this? Because I could see several of them who had file sharing turned on for their PCs. They were listed by name in my Mac's Finder (John Jones Computer, Sally Jenkins Computer, and so on), and it was a bit scary.
When I travel, I remember to turn off the file sharing setting on my PC for precisely this reason. It is a simple step, but a critical one.
So recently I was in this hotel in Silicon Valley and I was feeling somewhat puckish. I noticed that one person's computer was listed. I clicked on his computer to see if file sharing was turned on. It was, and in a moment, I could see his entire hard drive, including a "private" folder filled with PDFs of his credit card and other banking statements, and loads of business documents.
So I took one of my newfound friend's documents -- it was a boating license or something -- copied it to a USB key, and printed it out at the business center. I left it with a note to my friend at the front desk, suggesting that:
- He turn off file sharing tout de suite if he didn't want anything else shared with the entire hotel for the rest of his stay, and
- He might want to invest in some hard disk encryption, particularly for all the stuff that he very conveniently left in his "private" folder for everyone to see.
Most hotels don’t really spend the time and energy to lock down their networks, and most business travelers don’t spend the time and energy to lock down their computers. The result is a boon for any corporate spy that has a laptop and minimal skills. Go to any city-center convention hotel today and within minutes you can collect PowerPoints, secret documents, and business plans on just about any industrial topic. And you don’t need any skill, other than showing up at the right time and place.
As I saw last week, many hotels typically don’t segment their guest LANs, meaning that everyone in the hotel is on the same segment, has the same access, and can see anything across the entire network. This is true for wired and wireless access. Obviously, if a wireless user can sit in the parking lot of the hotel and gain access to the entire hotel LAN, this is even more trouble waiting to happen. The best situation is to have every single guest on a separate virtual LAN so they can’t see anyone else’s traffic. This requires them to use more expensive switching hardware, of course.
How prevalent is all of this? Two colleagues, Lisa Phifer and Craig Mathias, traveled around the northeast and tested 24 hotels back in 2006. They found trouble almost everywhere they went. Just one in four sites could prevent wireless eavesdropping and block all notebook probes. Sadly, the situation isn't much different in 2013.
“Hotspot users might be unpleasantly surprised to discover they are reachable from the Internet [when they choose public IP addresses]. We expected paid networks would protect users from each other or Internet attacks more often than free hotspots, but this was not the case. Several free hotspots had noteworthy exposures, but so did paid networks, including the most expensive sites,” reported the duo.
The only two Internet providers that passed all security tests were I-Bahn and T-Mobile. They segregate traffic by user and prevent people from inadvertently sharing their connection. The others, including Guest-Tek, Passym, Starwood, TurboNet, StayOnline, and Wayport, all had security problems when the pair did their original research.
So don't forget the security basics when you travel. Don't leave your USB key drives lying around with all sorts of private stuff on them. Use a simple PIN to protect your phones. This isn't rocket science: it is basic Security 101, or maybe not even that advanced, but still something that everyone should just do and internalize. And if you stay at a hotel that has a flat network, use disk encryption and a VPN to keep people like me from looking around your computer's hard drive.
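One way to confirm that file sharing really is off on your own laptop before you join a hotel network, as an added example that is not part of the original column: it reads `netstat -an` output and reports file-sharing listeners that are reachable from other machines. The function name and the sample output are constructed for illustration; the ports are the standard ones for SMB, NetBIOS, and AFP.

```python
import ipaddress
import re
import sys

# Well-known TCP ports used by desktop file sharing.
FILE_SHARING_PORTS = {139: "NetBIOS session (SMB)", 445: "SMB", 548: "AFP"}

# Local address token: host, then ':' (Linux/Windows) or '.' (macOS), then port.
_ADDR = re.compile(r"^(.+)[.:](\d+)$")

# Constructed sample mixing macOS, Linux, and Windows netstat line formats.
SAMPLE = """\
tcp4       0      0  *.445                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp6       0      0  ::1.548                *.*                    LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:52344      203.0.113.10:443        ESTABLISHED
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""

def _is_loopback(host):
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' and similar wildcards mean "all interfaces"

def exposed_file_sharing(netstat_text):
    """Return sorted (port, service, bind address) for non-loopback listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not any(t in ("LISTEN", "LISTENING") for t in tokens):
            continue  # only listening sockets accept inbound connections
        # The first address:port token on a netstat line is the local address.
        local = next((m for m in map(_ADDR.match, tokens) if m), None)
        if local is None:
            continue
        host, port = local.group(1), int(local.group(2))
        if port in FILE_SHARING_PORTS and not _is_loopback(host):
            findings.add((port, FILE_SHARING_PORTS[port], host))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: netstat -an | python3 this_script.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for port, service, host in exposed_file_sharing(text):
        print(f"file sharing reachable: {service} on {host} port {port}")
```

An empty result means none of these services is listening on a network-facing address; any line printed is something other guests on a flat network can reach.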
— David Strom is a world-known expert on networking and communications technologies. He has worked extensively in the IT end-user computing industry and has managed editorial operations for trade publications in the network computing, electronics components, computer enthusiast, reseller channel, and security markets.