Having a fast internet connection in your hotel room is as likely to lead to a five star TripAdvisor review as to the quality of the sausages served from breakfast. In fact, a survey from UK four-star hotel chain Amba Hotels found that 67 per cent of guests thought free Wi-Fi was the most important factor when choosing a hotel . It was deemed more important even than a good night’s sleep, which came in at 58 per cent, and friendly, knowledgeable staff, at 40 per cent.
Belinda Atkins, CEO of Amba Hotels said at the time: “Fast, free, unlimited Wi-Fi is as important to our guests as any other facilities provided by the hotel – it’s actually as important as a good night’s sleep. Our WiFi has no caveats, no loyalty schemes no limit on up or down loading.”
However, in their rush to make their networks as open and accessible to guests as possible, hotel chains could be opening themselves up to untold security implications that could lead to substantial damage to the brand.
A lack of control
Even the largest hotel brands seem unsure how to handle the issue. Hilton Hotels recently acknowledged that it has little control over what its guests can do via Wi-Fi on their personal devices. The chain announced in August that whilst it was removing adult video-on-demand entertainment from its hotels, guests have a “high degree of choice and control on their stays with us, including Wi-Fi on personal devices.” Basically, Hilton acknowledges that you’ll still be able to stream porn on your iPad, which many were undoubtedly already doing anyway.
A full IP address book
It’s not just from lackadaisical guests that hotels need to worry when it comes to infecting its networks with untold nasties. A modern day hotel has a plethora of internet connected devices plugged into its network at any one time. Whether you are Marriott or Premier Inn, pretty much everything in a hotel bedroom which has a DC voltage also has an IP address that can be infiltrated by a wily hacker.
Think about when you check in to your room for the first time. Aside from the basket of fruit and the chocolate on your pillow, the phones and TVs in your room will likely be displaying your name as soon as you walk in, meaning that there’s been a database connection to a corporate database containing guest information all the way to that network cable in your very room. That’s a huge vulnerability which needs to be fenced.
The growing trend of the internet of things (IoT) – and the challenge it presents the hospitality industry – seems no chance of slowing. Gartner forecasts that almost five billion connected things will be in use in 2015 , up 30 percent from 2014, and will reach 25 billion by 2020. Whilst the IoT has become a powerful force for business transformation – from hotels to retail – its disruptive impact will be felt across all industries and all areas of society.
Producing a skeleton key
The problem is very real. Back in March, researchers from Cylance discovered a vulnerability in eight of the world’s top ten hotel chains, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems. Guests at hundreds of hotels were found to be susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks.
The devices in question functioned as a gateway for hotels and convention centres to provide guests with internet access. However, they are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains data profiles about guests. Meaning an attacker could potentially identify guests and upcoming guests at a hotel and learn their room numbers. Anytime, anywhere
Research from Forrester found that some 37 per cent of office workers are regularly working remotely two or more days a week. Not only hotels, but coffee shops, restaurants and even trains all allow the modern day remote worker to remain online. Wi-Fi has become a necessity of the digital age, whether it’s to access a presentation for an upcoming pitch, host a video conference call, or edit and email sensitive documents, public Wi-Fi means nearly anywhere can become an office. Couple this with the fact that there are as many mobile devices on the planet as there are people, and businesses now have the most flexible and tech-saturated workforce in history – but hotels’ desire to adhere to the modern traveller has led them to providing a plethora of entry points to their network.
Hotels need to provide a strong, complete and flexible security solution that is easy to configure and fine tune to meet the growing needs of guests and staff alike across a multitude of devices. All the while, enabling them to keep working 24/7 from the comfort of their desk, room or suite, safe in the knowledge that they are fully protected.
Secure Wi-Fi
Not all Wi-Fi solutions are created equal and knowing the difference could save hotels disasterous brand tarnishing. Many Wi-Fi solutions such as the one identified by Cylance to have serious vulnerabilities, are implemented and managed separatey from the hotels’ private networks. These stand-alone Wi-Fi solutions mean there are two sets of security and network policies for hotel IT to worry about and this just opens the door for hackers to find small gaps and oversights caused by having to manage two separate systems. On top of that, the stand-alone Wi-Fi solutions simply pass any and all traffic, including malware drops, backdoors, and other malicious bad stuff coming from the “script kiddie” in the room down the hall.
A secure Wi-Fi solution is one that integrates a single management system for combined security, network policy, and multiple layers of traffic inspection services such as anti-malware, anti-virus, and intrusion prevention. This kind of solution stops the opportunistic hacker from sniffing around the hotel’s Wi-Fi looking for soft points of entry as well as the more sophisticated attackers utilizing botnets like Gorynych which targets point of sale (POS) systems for extracting guest credit cards.
[su_box title=”About WatchGuard” style=”noise” box_color=”#336588″]
WatchGuard® Technologies, Inc. is a global leader of integrated, multi-function business security solutions that intelligently combine industry standard hardware, best-of-breed security features, and policy-based management tools. WatchGuard provides easy-to-use, but enterprise-powerful protection to hundreds of thousands of businesses worldwide. WatchGuard products are backed by WatchGuard LiveSecurity® Service, an innovative support program. WatchGuard is headquartered in Seattle, Wash. with offices throughout North America, Europe, Asia Pacific, and Latin America.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.