America's FBI Warns of Security Risks in Using Hotel Wi-Fi (ic3.gov) 88
"Most users don't seem to realize the severity of the risks they're subjecting themselves to while using hotel Wi-Fi networks," writes Windows Report, noting that America's FBI "issued a Public Service Announcement concerning the risks of using hotel Wi-Fi networks while teleworking."
Apparently, more and more U.S. hotels started advertising room reservations during the daytime for those who seek a distraction-free environment. This comes as a blessing for teleworkers who can't seem to focus on their work environment while at home. On the other hand...there are a few quite serious risks you may expose yourself to while using Wi-Fi networks in hotels:
- Traffic monitoring: Your network activity could be exposed to a malicious third-party
- Evil Twin attacks: Cloning the hotel network, misleading clients to connect to the fake one instead
- Man-In-The-Middle attacks: Intercepting and stealing sensitive information from one's device
- Compromising work" Facilitating cybercriminals to steal work credentials or other similar resources
- Digital identity theft
- Ransomware
Among other things, the FBI points out: Guests generally have minimal visibility into both the physical location of wireless access points within the hotel and the age of networking equipment. Old, outdated equipment is significantly more likely to possess vulnerabilities that criminal actors can exploit. Even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment's default passwords. The hotel guest must take each of these factors into consideration when choosing whether to telework on a hotel network.
Or, as Slashdot reader SmartAboutThings puts it, "Using hotel Wi-Fi, in general, is not safe at all, and if you have no other choice, then you might as well give VPN services a try."
Or, just don't use the hotel's wifi (using your cellphone as a mobile hotspot instead).
- Traffic monitoring: Your network activity could be exposed to a malicious third-party
- Evil Twin attacks: Cloning the hotel network, misleading clients to connect to the fake one instead
- Man-In-The-Middle attacks: Intercepting and stealing sensitive information from one's device
- Compromising work" Facilitating cybercriminals to steal work credentials or other similar resources
- Digital identity theft
- Ransomware
Among other things, the FBI points out: Guests generally have minimal visibility into both the physical location of wireless access points within the hotel and the age of networking equipment. Old, outdated equipment is significantly more likely to possess vulnerabilities that criminal actors can exploit. Even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment's default passwords. The hotel guest must take each of these factors into consideration when choosing whether to telework on a hotel network.
Or, as Slashdot reader SmartAboutThings puts it, "Using hotel Wi-Fi, in general, is not safe at all, and if you have no other choice, then you might as well give VPN services a try."
Or, just don't use the hotel's wifi (using your cellphone as a mobile hotspot instead).
This is why you plug in the cable (Score:3)
The few times I had to stay in a hotel for work related matters I always brought a network cable with me. Plugged into the jack and used the provided password. No guessing what to connect to, no one intercepting my signal.
The majority of of problems we have with people working from home saying they have connection issues are directly related to them using wifi rather than plugging in a cable, including not knowing which signal is theirs because they see their neighbor's signal.
Plug the cable in and be done with it.
Re: This is why you plug in the cable (Score:4, Insightful)
Plug in where?
Where do they offer actual nework sockets?
Re: (Score:3)
Plug in where?
Where do they offer actual nework sockets?
In my experience, China.
Never in a US hotel.
Re: (Score:2)
"China": Well, _that_ makes it safe and secure. Not.
Re: (Score:2)
"China": Well, _that_ makes it safe and secure. Not.
Of course doesn't make it secure. You need to make your own computer secure from bad actors. So a VPN is helpful, as is not running vulnerable software.
Re: (Score:2)
I'm not a frequent traveler, but I've seen them in most of the hotel rooms I've stayed in in the US. These are the "free WiFi included" hotels, which are also the "free breakfast" hotels where "breakfast" really should be in quotes.
Re: This is why you plug in the cable (Score:3)
Except where they don't offer wired network access. Or if you're on a device without an RJ45.
Re: (Score:1)
Been a long time since I've been to a hotel/motel with a rj45 port.
Personally, what I do is bring a burner and use that to join the network / go through the captive portal. Then I plug in my travel router which spoofs the burner's mac address and automatically connects to my VPN. My devices then connect to that router.
Re: (Score:2)
Wait... Hotels offer cabled network where you stay? Do you also get a trouser press and a shoe shine machine to make it really feel like the 80s?
VPNs aren't necessarily any better privacy-wise (Score:4, Informative)
Re: (Score:1)
Well, any 3rd party service might be compromised or unethical, but that concern wouldn't apply to a VPN host you set up yourself. Using a commercial VPN service isn't just risky, it's lazy.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Good point. So long as your ISP doesn't get mad you're 'running a server'.
As long as you have no high traffic usage and no publicly usable services, they should not care or even notice.
Carrier-grade NAT (Score:2)
The ISP would notice "running a server" from your home Internet connection because of a bunch of SYN packets inbound to the IP address of the carrier-grade NAT device in front of your neighborhood's network. Because all subscribers in your neighborhood have the same public IP address, the NAT doesn't know for which subscriber the SYN packet is intended and therefore drops it.
Re: (Score:2)
You have carrier grade NAT? My condolences. ISPs that do it _this_ cheaply never caught on here.
Re: (Score:2)
You have carrier grade NAT? My condolences. ISPs that do it _this_ cheaply never caught on here.
Until every hotel Wi-Fi provides IPv6, and until every city has a home ISP that provides IPv6, ISPs as a whole must fit 7 billion people into 4 billion IPv4 addresses. Thus "ISPs that do it this cheaply" will be the norm, not the exception, in countries with a smaller allocation of IPv4 addresses. As Bert64 has occasionally pointed out (1 [slashdot.org], 2 [slashdot.org]), Myanmar in particular didn't get home IPv6 until July 2019, and even then on only one ISP [apnic.net].
Re: (Score:2)
Re: (Score:2)
I'm not sure I understand what you mean.
Some ISPs, facing an allocation of IPv4 addresses smaller than their subscriber base, use network address translation to put a whole neighborhood's worth of home customers behind one public IP address. See "Carrier-grade NAT" on Wikipedia [wikipedia.org]. And ILostMyBeaver thinks this is fine [slashdot.org].
Re: (Score:2)
Re: (Score:2)
Like most other wired Internet providers in the United States, Xfinity by Comcast does not use CGNAT. However, most countries don't have quite as many IP addresses per 100,000 people as the United States.
Re: (Score:2)
Re: (Score:2)
Use one that was tested and did pass the test.
I have mine on my phone active 24/7 just on general principle, hotel or no hotel.
Re: (Score:2)
The problem with VPN is that you have to hardware, a good link. And a good service to get over 100 MPs. My mobile router only gets about 50 MPs.
It is unclear if a hotel is any less secure than the average home where the consumer plugged in the hardware and has faith that it does not have the default password or WEP encryption. It used to be everyone on the same cable area had access to all
Re: VPNs aren't necessarily any better privacy-wis (Score:1)
Setup your own wireguard VPN on your home network like I did, it is faster then OpenVPN
Re: VPNs aren't necessarily any better privacy-wis (Score:2)
The idea is not to use somebody else'a VPN! That is indeed very stupid.
Just look at your home router's config. It should have VPN server support. (And dynamic DNS.) FritzBox routers do since at least 15 years.
Re: (Score:2)
Good luck setting up a tunnel to reach your home VPN across your ISP's NAT.
Re: (Score:2)
Re: (Score:2)
In developing countries, all ISPs use NAT [slashdot.org]. There aren't enough IPv4 addresses to go around otherwise. Even in G-20 countries, wireless ISPs that serve rural areas are more likely to use NAT.
Re: (Score:2)
Took me around 90 seconds, most of which was installing the OpenVPN client on my phone.
Re: (Score:2)
And how much of that was getting out your credit card, debit card, or other payment credentials to subscribe to the VPN provider that you chose?
Re: (Score:2)
None. Connect to my router, configure the OpenVPN server, sorted.
Re: (Score:2)
Connect to my router, configure the OpenVPN server
This works so long as your ISP gives your router a public IP address instead of using carrier-grade NAT.
I'm curious: which dynamic DNS provider is your router using?
Re: (Score:2)
The router manufacturer's one: Asus.
Re: (Score:2)
(Summary so far: Parent poster works around snooping by public WLAN operators, such as those in hotels, by using a non-CGNAT home ISP, an OpenVPN endpoint built into an ASUS home router, and the router maker's dynamic DNS to give the router a name.)
How long do you expect ASUS to keep operating its dynamic DNS service for you and other users after the router's warranty expires? I ask because the same question has come up in past discussions about the FQDN requirement imposed by the CABF to obtain a TLS certi
Re: (Score:2)
Well, you're making some assumptions here. For instance, this is a service that Asus have offered across multiple router models over a period of several years, I don't use the Asus dynamic domain as my connection point, the router supports other DynDNS services should I choose to switch and of course, I could install non-Asus firmware on the device with support for whatever I choose to build in.
I think if you need a demonstrably secure context then investing in a static IP allocation would be a sensible cho
Re:VPNs aren't necessarily any better privacy-wise (Score:5, Informative)
Well, it depends. A well known VPN provider will _not_ steal your identity or your credentials. That would get them out of business and into prison pretty fast. That said, privacy is another matter. But fortunately, there is a really simple and really cheap solution: If you do any privacy relevant browsing, use the Tor browser. This is exactly the use case it is there for in free countries.
You may also use an European VPN provider (I frankly do not know how many are there), because the GDPR comes with rather harsh penalties if they store any personal data and have not gotten explicit and informed consent.
5 Cafe Owners Arrested for Running No-Log Networks (Score:3)
You may also use an European VPN provider (I frankly do not know how many are there), because the GDPR comes with rather harsh penalties if they store any personal data and have not gotten explicit and informed consent.
Until you discover that all VPN providers require "explicit and informed consent" to keep logs for one year as a condition of operation in the country. See "Five Bar and Cafe Owners Arrested in France For Running No-Log WiFi Networks" from earlier this week [slashdot.org].
Re: (Score:3)
a) Europe is quite a bit bigger than just France
b) They still have to tell you what exactly they log
c) They cannot legally look at content of traffic because they would need individual permissions for any specific bit of privacy-relevant data first
Item c), they may need in writing on paper, depending on country. There is a loophole in c) that may allow some keyword-scanning and statistics on that.
Re: (Score:2)
I don't use a VPN (although I've considered it in various circumstances) but I've heard that some VPN services may be invading your privacy and sifting your data as much as anyone else. Realistically, what guarantees do you have the any VPN service is respecting and protecting your privacy whether they claim to or not?
There's a location based risk to take into account. Who do you trust more:
a) a local nefarious entity in the same building as you
b) some paid for specialist service located in some far flung country where even if they catch you downloading the terrorism manifesto they can do bugger all about it?
It's the same as those people who fear China who *may* be monitoring them and who can't touch them more than they fear their own government, who is definitely monitoring them and actually has the ability to directly
Re: (Score:2)
Easy answer.
Run your own VPN server. Problem solved.
My phone auto-connects to my VPN the moment it is out of range of my wi-fi signal at home. Anytime I have a laptop
and I'm away from home, you guessed it, the VPN is the first connection made after the laptop connects to any wi-fi network
that isn't mine.
If you value your data / privacy enough, you'll be motivated to learn how it works.
Doh! (Score:2)
This has been known about for several decades. Back in early days of WiFi, we were instructed to only use the WiFi to connect to our VPN and do everything else over that.
Even today, WiFi does come at a very stiff price at hotels.
Most phones these days can run a HotSpot. Use it.
If you have to use Public WiFi, use a VPN. Stop the slurpers. Don't make it easy for them.
Re: (Score:2)
WiFi is generally free at lower-end hotels that are trying to attract families and people on road trips, but it's an expensive add-on at higher-end hotels that cater to business travelers who can expense it and don't care.
Re: (Score:1)
Re: (Score:2)
Most phones these days can run a HotSpot. Use it.
Fuck no. Have you _seen_ international roaming data rates?
Re: (Score:2)
Strange that. My UK carrier has in-plan roaming with over 40 countries including the USA.
In the US, your phone plan comes with a built in arse reamer, ready to fire all the way up your junction if you step close to a border.
Encryption (Score:5, Interesting)
Well, with almost everything being encrypted, it's hard to see how they would hijack https, imaps, and ssh connections. Yes, they can see where you're connecting, and they can mess with your DNS, but certificates should protect against that.
Where's the actual risk?
Note: This suggests that web browsers should have an "insecure network" mode where they block http.
Re: Encryption (Score:1)
Why the hell do we still do encryption for each protocol separately?
Why is it not part of the OS's OSI network stack? Should be right on top of IPv6. Even below TCP. HTTPS shoild not even exist! (Ok, and neither should the security theater delusion known as "certificate autorities". Go take a look what's in that list of CAs your browser or phone uses. Good luck getting your hair back down!)
Re: Encryption (Score:3)
I feel like you don't really understand the Internet or how cert validation works.
But if you're using a VPN to an endpoint you trust, application layer encryption is only a part of the puzzle.
It *IS*. part of IPv6 (Score:3)
> Should be right on top of IPv6. Even below TCP.
It is. An IPv6 compliant device must support IPSec, as implemented as part of IPv6.
> HTTPS shoild not even exist! (Ok, and neither should the security theater delusion known as "certificate autorities". Go take a look what's in that list of CAs your browser or phone uses. Good luck getting your hair back down!)
That's the fundamental problem. The PKI is certainly not perfect. What are you going to do *instead*? How do you know whether you are talking to
Re: (Score:2)
I'm glad Slashdot is https, as I don't really want people in the middle profiling which stories I click on, and possibly getting information based on things I post. Sure, if they figure out which account is mine (it's not hard), they could do much of that correlation, but I don't want to make it automatic. For now, all they can see is that I'm connecting to slashdot.org, and how many bytes I'm transferring. True, if they connected themselves, they could try to match my downloads and figure out exactly wh
TLS 1.3 and DNSoX But Windows ... (Score:2)
> The only real flaw in https that I'm aware of is that the encryption kicks in after any virtual hosting is done, so an observer can see not just the IP address, but the host name that I'm using. I think I heard some talk of fixing that with some proposed new protocol tweak.
That's TLS 1.3, which is now being adopted.
The issue there is Windows had always defaulted to the 10-15 year old version of TLS. As of a few months ago, Windows didn't even use TLS 1.2 by default, which came out in 2006. I've heard
Re: (Score:1)
>It is. An IPv6 compliant device must support IPSec, as implemented as part of IPv6.
Really? Do you use ipv6 at all? Seems even Windows 10 doesn't support ipv6. At least not natively. Linux machines do, so does android.
I run an ipv6 network inside my house. It's a /64 off of comcast. I don't see any difference between them except I don't have to nat any more. I can also run machines that are off limits to most of the internet because they can't deal with ipv6. The only e-mail service that seems to support
Re: (Score:2)
I'm not sure if I'm quite understanding the main point of your post, if it has one, because your statements kinda seem all over the place to me.
> >It is. An IPv6 compliant device must support IPSec, as implemented as part of IPv6.
> Really? Do you use ipv6 at all? Seems even Windows 10 doesn't support ipv6. At least not natively. Linux machines do, so does android.
Here's a relevant Windows configuration page. Quoting it "IPsec is mandatory for all IPv6 implementations and optional for IPv4. Secure
Re: (Score:1)
Sorry. I'm making the point that I don't believe in IPV6 ipsec. In fact for Windows 10 it doesn't seem to support ipv6 at all. Certainly not out of the box for a machine you'll pick up off the shelf at any retailer or any retail store online. Even if presented with ipv6 route and ip address they won't configure it. Windows server 2016 will accept and configure.
For machines that set up ipv6 - that is Linux and Android boxes I don't see a difference between that and ipv4. The windows pages you refer to while
Re: (Score:2)
Yes, IPSec needs to be configured either way.
The difference here is that an IPv4 devices such as a router, might not support IPSec *at all*. It's very likely a particular IPv4 device does not have any options to configure IPSec. An IPv6 router must allow you to configure the IPsec.
Re: (Score:1)
Yes, IPSec needs to be configured either way.
The difference here is that an IPv4 devices such as a router, might not support IPSec *at all*. It's very likely a particular IPv4 device does not have any options to configure IPSec. An IPv6 router must allow you to configure the IPsec.
There again, I hate to disagree. I wish I could say - "You're right IPSEC is supported." I own no less than 3 routers that support ipv6. It's a specific option to turn it on or not. Every one of them is just that - on or off. No other options than I have with IPV4.
That is the frustrating thing with ipv6. Even if I talked to the CISCO engineers and I had a chance to corner a bunch of them at lunch one time in a Washington DC hotel, I might as well have been talking to a bunch of high school students. "We imp
Re: (Score:2)
> I don't see a way to have say an encrypted ipv6 channel that is different than a ipv4 encrypted channel. ...
> No other options than I have with IPV4.
Yeah you won't see any difference as far as encryption. IPsec is IPSec, with IPv4 or IPv6. It's not a fundamentally different IPsec, it's just required that the router support IPSec. The packet format is slightly different because IPv6 was designed for IPSec, but that makes no difference to the user.
> I expected the ipv6 packets to keep their sec
Re: (Score:1)
Interesting. I remember being told that ipv6 IPSEC was the golden bullet back in the 2000s. No need for a firewall. It all just works. Everything is secure because everyone knows who you are... and so on. LOL. I have a DHCP ipv6 address and I have a DHCP /64 block. If I'm off the air for I think 3 days they'll reclaim that /64 and give me a new one. Power outage.
I'm also in the computer security world.
One of my routers runs DD-WRT, Linksys E4200, v3.0-r40559 mega (08/06/19). IPV6 is either on or off. Turn i
Re: (Score:2)
> Everything I typed in was taken. Even absurd things to the point I thought it was trolling me. So I put in the captcha and it took it.
That's how I came to own wellfuckit.com
Everything was taken. I was frustrated. Now I own wellfuckit.
> For my ipv6 routes at the FW the only thing I block to the inside is port 22. I have a /64 after all and machines are assigned numbers at random.
That's okay for now, IF nothing ever connects with a non-random IP. Be warned I've worked in a way to scan IPv6 networks
Re: (Score:1)
> Everything I typed in was taken. Even absurd things to the point I thought it was trolling me. So I put in the captcha and it took it.
That's how I came to own wellfuckit.com
LOL. That's funny. Just be patient. .com addresses come up from time to time. Now there are so many other domains. I'm blocking them like crazy from my e-mail. Things like .democrats, .republicans,christmas, date, dance,rocks,rip.... and so on. I figure no good can come from most of them. Just my car's extended warranty or penis enlargement.
Everything was taken. I was frustrated. Now I own wellfuckit.
> For my ipv6 routes at the FW the only thing I block to the inside is port 22. I have a /64 after all and machines are assigned numbers at random.
That's okay for now, IF nothing ever connects with a non-random IP. Be warned I've worked in a way to scan IPv6 networks looking for love hosts (which will then be port scanned). I got close. I can scan 32 bits, all of the IPv4 ips, in a few minutes. Somebody is going to find a way to scan a /64.
I forgot to mention I also block rdp. Nobody should be doing that. If you can manage to get onto one of my machines and run nmap with the script option, you can find all
Re: (Score:2)
Why is it not part of the OS's OSI network stack?
It's called a VPN you ignorant numpty.
Another ignorant post brought to you by BAReFO0t.
Re: (Score:2)
I don't know whether hotel's are working the same as restaurants like Burger King and stores like Walmart, but I find that those are often breaking https. Oddly, Burger King's often breaks the ability to pay via their app because the secure connection is broke.
I believe what they are doing is a man-in-the-middle where their device connects to the https site and then tries to pass it on to you with a different certificate. Now that browsers are getting picky, they warn about the mismatched certificate and yo
Re: (Score:2)
Wow! I've never seen anything like that except at work where they firewall everything to death (and have us add our employer's certificate to avoid the errors). That's really horrible.
I would like to think that since it means errors on every page load, they'll probably soon either change their policy or stop offering free WiFi.
Re: (Score:2)
Old news ... (Score:2)
... I was counseling people not to do this back when Moby Dick was a minnow.
It applies to all "free WiFi."
On public wifi, always use a VPN. (Score:2)
Most modern routers have VPN functionality and dynamic DNS support built-in. OpenVPN integrates well into Android. (Use always-on mode.)
I just recommend running your own home server, so you can add two key parts: Your own certificate autority and your own self-resolving secured DNS server.
I've also got a sshfs behind the VPN for file server access, and port knocking so even the VPN is invisible. But obviously that is a bit much for the home gamer. Unless there is a nice RPi distribution out there that provi
Re: (Score:1)
Our company VPN used to be secure, but then... (Score:4, Insightful)
As a consequence, no longer could the company-provided laptops connect to our previous VPN server at a pre-configured, fixed IP address, mutually authenticating both ends via public/private key pairs, but instead now the laptops need to use a JavaScript-executing browser to go through dozens of weird boiler-plate web-sites from ever changing, arbitrarily "cloud"-hosted servers, that leave the client no chance of properly checking the authenticity of the VPN gateway. And I am sure every employee has meanwhile be conditioned to enter his credential in whatever fake or real web page dialog comes up when connecting to some foreign network.
IT-Security is totally fucked, and I can only imagine how hard some guys in Bejing and Moscow must laugh about hapless attempts like the one the article is about.
what kind of threats? (Score:1)
Re: what kind of threats? (Score:2)
This x1000. There was some truth in this 10 years ago but now?
I keep seeing this story, what are these unencrypted protocols people use. Is it just for the stupid who accept on cert errors.
Re: (Score:2)
If you actually check your apps you will probably find some that don't reliably use encrypted protocols all the time. Apple has been improving this with their certification process but will miss anything which doesn't trigger during their testing. Android seems to barely verify that at all and various advertising / spying libraries were caught using unencrypted traffic not so long ago - especially things installed on cheap chinese phones.
More importantly, if you control the DNS then you can redirect what
What is this, "stupid week"? (Score:3)
Sure, use a VPN connection on top of that WiFi if you do anything security relevant. If you just want to surf, you use a VPN as well or the Tor browser, but if you do not log in anywhere, using it directly is fine too. For remote-logins, use secure protocols.
You know, just like you should be doing on any other untrusted Internet connection.
Re: (Score:1, Offtopic)
Trump is president. No more evidence is needed that there are a lot of stupid people that need to be reminded of the basics.
Re: (Score:2)
Trump is president. No more evidence is needed that there are a lot of stupid people that need to be reminded of the basics.
I would say that Trump being president and possibly continuing to be president is a pretty clear sign that for a lot of people reminding them of the basics is probably pointless, because they cannot recognize a fact when it stares them in the face.
End-to-end encryption (Score:1)
Any particular hop's link layer security shouldn't matter much as long as all marginally sensitive traffic is encrypted end-to-end with a high quality encryption protocol. And while it is somewhat harder to intercept and mess with unencrypted traffic using wired connections and/or hooking interception into the VPN provider (and/or close to the ultimate endpoint) instead of the hotel wifi, it generally isn't all that hard (certainly not from a theoretical point of view).
Other parts of the FBI seem to be a
Public network risks (Score:2)
You have the same risks on essentially any public network. However it's actually much worse for cellular networks as they are more centralized and run by companies who have an incentive to do many of those things. (and are not prevented from it by laws like the the GDPR)
On Hotel WIFI-networks you'd either need someone rigging that network or someone being close to you to pull of such an attack.
In any case, we are now at way more than 50% encrypted traffic on the web. Nobody trusts the network for anything r
VPNs are cheap (Score:2)
Just a heads-up: You can buy a month's worth of VPNs, such as NORD VPN, for less than a meal at McDonalds. If you're going on a trip and you don't already have a VPN, it's well worth the expense. You won't even know it's running. The speed difference is negligible, and they're dead easy to set up and use.
shameless plug for Proton VPN (Score:2)
Re: (Score:1)
I'm not affiliated, just a customer, but I recommend Proton VPN, from the makers of Proton Mail. Based in Switzerland, they keep no logs, and have outlets in many countries, very useful to circumvent Geo blocking.
No logs? Thought that was a EU requirement that they keep logs for a year. Swiss still different?
Park your money there as well?
Re: shameless plug for Proton VPN (Score:2)
who would thought (Score:2)
I bring my own router. (Score:2)
Not true! (Score:1)