Study: Hotel network security lacking

Most U.S hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from internet security problems, claims a study published by Cornell University.

The study, “Hotel Network Security: A Study of Computer Networks in U.S. Hotels” examined the security of 147  hotels through surveys, interviews and on-site testing.

“Many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests,” the study says.

One of the study authors, Josh Ogle, a Cornell University graduate and founder of IT services company TriVesta, performed on-site testing at 46 hotels in Virginia, North Carolina, Texas, Maryland, Tennessee and Pennsylvania - making sure to hit both tourist and business travel destinations.

Ogle tested wireless networks at 38 hotels and wired networks at eight.  He found the majority were vulnerable to attacks.

“Out of the 38  wireless, I was able to break into 33,” Ogle told SCMagazineUS.com Monday. “And by break into I mean, accept data from someone else's computer that wasn't meant to be on mine.”

Ogle used the Linux distribution BackTrack, meant for network testing. In addition, following recommendations of hackers on vulnerability mailing list Full Disclosure, Ogle used a high-power wireless card and high-gain omnidirectional antenna to crack the networks. The setup cost less than $100, he said.

Ogle said using this method a hacker can see all unencrypted information coming into and leaving the network -- including passwords, email messages and any web pages people are viewing.

Of the hotels compromised, each took about 10 minutes to breach. Some hotel employees inadvertently assisted in the breach by providing passwords and access instructions.

“They are extremely unsecure,” Ogle said of hotel wireless security. “I was very disheartened by what I saw. I wasn't surprised, but I was disheartened.”

Ogle recommended that all hotels use Wi-Fi Protected Access (WPA) encryption, which requires a password to get on the network and encrypts all data transmitted. Of the hotel networks that Ogle was not able to crack, the majority used WPA encryption

For guests, Ogle recommended connecting to the internet using a Virtual Private Network (VPN), having updated anti-virus and firewall software and making sure each secured website starts with “https://” rather than “http://”.

The danger of not securing a hotel's network is that a malicious user could gain access to guest information or other confidential files, Domenic Carmona, director of IT at the W Dallas-Victory hotel, told SCMagazineUS.com Monday.

Carmona recommended hotels use WPA encryption as the minimum standard. He also stressed the importance of having a robust set of firewalls that are managed and properly configured, splitting networks, and educating staff of the importance of security standards.

Or is the general computing public really that naive about security still?

I do think its still not really apparent to the common person. I am not sure if its really their fault to some extent, as I feed to some degree the security community do not take the responsibility to share the required awareness, so it just sits in the InfoSec security space.

I see it as my responsibility as an InfoSec professional to educate the people (I am sure I bore many), but it if saves a few people getting owned, its worth it.

I disagree. If you're going to use the technology, then it's your responsibility to learn how to use it safely. Ignorance is no excuse.

I've had people's eyes glaze over (like BofH's 'dummy mode') and often respond with 'don't care'.

Ultimately, if people (in any situation) don't have to deal with the consequence of the 'if' then they don't see the benefit in taking the longer, correct route.