How to protect yourself from common hotel security threats

Travelers who aren't prepared for the security risks associated with staying in hotels frequently put potentially sensitive information and their own personal safety at risk. Here's how to spot common threats and protect your data while on the road.

Hotels are digitally dangerous places these days. And that's not idle speculation. Security researchers have been sounding the alarm on sophisticated attacks directed at hotel users for years.

Most of the earliest reports pointed to surgical strikes on high-profile executives or representatives of government agencies, but they could prove to be precursors for more wide-ranging attacks on the general public. Modern business travelers, with their treasure troves of files and personal information, will be prime targets, and they're also more likely to let their guard down after an exhausting journey.

Here's a look at some of the most likely avenues of attack on hotel goers, along with some suggestions that can mitigate, if not altogether block, such attempts.

Beware the hotel network

Without question, the greatest potential danger resides in the hotel network. Hackers have been known to infiltrate hotel networks to spy on traffic flowing through them or to plant malware at the captive portals users are automatically redirected to for authentication. One advanced scheme pushed malware via a software update that was designed to install on Windows PCs.

Rogue Wi-Fi access points (APs) represent another potential risk. By mirroring the network name, or service set identifier (SSID), used by the hotel, hackers can set up fake APs and trick victims into connecting to them. Such schemes open the door to man-in-the-middle attacks, and they let attackers snoop on unencrypted traffic and see the URLs of any SSL-protected websites people might visit. The threat of rogue APs certainly isn't limited to hotels, but business travelers are often high-value targets, and they are easier to identify at a hotel than by staking out victims at crowded cafés.
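The following check is an added example, not part of the original article: it compares every AP advertising the same SSID and flags the one that disagrees with its peers on security mode or vendor prefix. The scan records, the SSID "GrandHotel-Guest" and the function names are constructed for illustration, and the check assumes the legitimate APs form the majority.

```python
from collections import Counter

# Constructed scan results, not a real capture. "GrandHotel-Guest" is a made-up SSID.
SAMPLE_SCAN = [
    {"ssid": "GrandHotel-Guest", "bssid": "00:11:22:aa:10:01", "security": "WPA2", "signal": -61},
    {"ssid": "GrandHotel-Guest", "bssid": "00:11:22:aa:10:02", "security": "WPA2", "signal": -70},
    {"ssid": "GrandHotel-Guest", "bssid": "00:11:22:aa:10:03", "security": "WPA2", "signal": -78},
    {"ssid": "GrandHotel-Guest", "bssid": "02:de:ad:be:ef:99", "security": "OPEN", "signal": -38},
    {"ssid": "CoffeeCorner", "bssid": "00:33:44:55:66:77", "security": "WPA2", "signal": -80},
]

def majority(values):
    """Return the value shared by more than half of the entries, else None."""
    value, count = Counter(values).most_common(1)[0]
    return value if count * 2 > len(values) else None

def vendor_prefix(bssid):
    """First three octets of the BSSID (the vendor OUI), lower-cased."""
    return bssid.lower()[:8]

def suspicious_aps(scan, ssid):
    """Map BSSID -> reasons for APs advertising `ssid` that differ from their peers.

    A hotel SSID is normally served by many BSSIDs, so a duplicate name alone
    is not a signal; what stands out is one AP that disagrees with the rest.
    """
    peers = [ap for ap in scan if ap["ssid"] == ssid]
    if len(peers) < 2:
        return {}  # a single AP gives no baseline to compare against
    base_sec = majority([ap["security"] for ap in peers])
    base_oui = majority([vendor_prefix(ap["bssid"]) for ap in peers])
    findings = {}
    for ap in peers:
        reasons = []
        if base_sec is None:
            reasons.append("no majority security mode for this SSID")
        elif ap["security"] != base_sec:
            reasons.append(f"security {ap['security']} differs from peers ({base_sec})")
        if base_oui is not None and vendor_prefix(ap["bssid"]) != base_oui:
            reasons.append("vendor prefix differs from peers")
        if reasons:
            findings[ap["bssid"]] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in suspicious_aps(SAMPLE_SCAN, "GrandHotel-Guest").items():
        print(bssid, "->", "; ".join(reasons))
```

A hotel that mixes AP vendors will trigger the vendor-prefix reason on legitimate hardware, so treat a finding as a prompt to verify with the front desk or switch to a wired port, not as proof.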

An encrypted VPN connection is the only effective way to protect your data from snooping at the network level. Business travelers should make sure their IT departments set up VPN connectivity for access to their corporate networks, though they will still need to remember to connect to the VPN before surfing the web.

Cloud-based VPN services such as VyprVPN provide encrypted connections in addition to technologies that can be used to circumvent internet censorship in global regions. VyprVPN also offers clients for popular computing platforms such as Windows, OS X, Android and iOS, and it eliminates much of the configuration work that is required to get corporate VPNs up and running.


VyprVPN lets you access blocked Google search in China.

It's also good security practice to plug into a wired network port whenever possible, to reduce the risk associated with rogue wireless networks.

If you have more than one Wi-Fi device, a travel wireless router such as the D-Link AC750 portable router can connect to a wired network via its built-in LAN port and provide 802.11ac wireless connectivity. However, you should make sure to encrypt that network and secure it with a strong password. The D-Link portable router can be used to connect directly to another Wi-Fi network, as well, though using it in such a way will not offer protection against rogue APs. In any case, you should continue to use a VPN and only connect your wireless devices directly to a secured network.

It may also be a good idea to hold off on software updates while travelling, because hostile networks can push through spoofed software updates. If you need to update software while on the road, do so only after connecting to a secure network via a VPN connection and only download updates from official vendor websites.

Strategically navigate the hotel minefield

Networks aside, hotel rooms can also be veritable minefields. For example, USB charging stations can be modified to inject malware payloads into the devices travelers plug into them, and RFID skimmers can siphon data from digital room keys and other RFID access cards. Hidden cameras could also be strategically positioned in front of a desk to look over the shoulder of anyone working there — or into a shower stall.

A perpetrator who gained entry to the room earlier could have installed such devices, and the high turnover rate of many hotel rooms means it is unlikely that hotel staff would find these subtle modifications, even if they looked for them.

One way to avoid potentially modified USB charging ports is to bring your own chargers. If you don't want to lug along another adapter, you could consider laptop adapters with built-in USB charging ports, such as the Zolt Laptop Charger Plus or the PlugBug, which is designed for use with Apple's MacBook power adapter. You could also get a data-blocker USB cable or adapter (such as one from PortaPow) to ensure only power comes through.

The Anker PowerPort 6 USB charger is compact and powers up to six devices simultaneously.

It's easier to defend against hidden RFID scanners due to the limited range of such readers. Simply avoid placing potentially sensitive items near expected places within the room—a wallet on the bed stand, for example. Or you could place them in anti-RFID sleeves when they're not in use. It might also be a good idea to leave any building access fobs and cards you don't need at home.

Hidden cameras may be harder to avoid, because hotel desks are often bolted in place. You may want to place your laptop at a slightly off-center angle and use a privacy shield while working at a desk in your hotel room. Keep an eye out for conspicuously placed camera lenses. It's also wise to cover your fingers when you type passwords and to enable two-factor authentication, where possible, for any services you plan to use in your room.

Foiling physical intrusions

The risk of physical intrusion at hotels is very real, and real-world hacks of hotel doors are well documented. Most of the hotels around the world continue to implement and use door-access cards based on magnetic stripes that can be easily duplicated, or basic RFID cards that are susceptible to cloning. Such cards are cheaper than more secure alternatives.

Of course, laptops and other electronics containing sensitive business information could be stolen outright, but the hard drives of many laptops can also be removed and cloned with off-the-shelf hardware, without leaving a trace. If you intend to step out of your hotel room at any time without bringing your digital devices, lock them up in a safe or protect your data with robust data encryption.

Full disk encryption is common today and is enabled by default on many newer devices. However, it still makes sense to increase your laptop security by setting a shorter sleep timeout period and making sure the "require a password after sleep" setting is selected. (Read "10 things to do before you lose your laptop" for more proactive security suggestions.)

To protect data on portable storage devices, you can enable software encryption, such as BitLocker To Go, or use a hardware encryption dongle, such as the Enigma 2.0. The latter dongle plugs into a USB port, between a portable hard disk and your laptop, and it transparently encrypts and decrypts data at wired speeds.

Of course, you could also choose not to bring along sensitive data on trips, and then rely on a remote desktop tool such as Parallels Access for access to desktop applications via iOS or Android devices. Alternatively, you could also log in to your remote desktop using a web browser and store no data on your portable device at all.

These tips aren't meant to be exhaustive, but they should help defend against most common hotel hacks.
