One of the most frequently asked questions in information security is: should I avoid using hotel Wi-Fi or any other public Wi-Fi hotspots? Well, the quick answer is:
Hotel Wi-Fi is not safe even though it is okay for general web browsing. But you should consider finding an alternative if you’re looking at potentially sensitive information.
I’m Aaron, a technology professional and enthusiast with 10+ years of working in cybersecurity. I have extensive experience in implementing and securing wireless networks and know the ins and outs of numerous wireless internet vulnerabilities.
In this article, I’m going to explain why hotel or public Wi-Fi isn’t safe, what that means, and steps you can take to make your internet use safer and more secure.
Table of Contents
How Does Wi-Fi Work?
Connecting to hotel Wi-Fi is very similar to connecting to your Wi-Fi at home:
- your computer connects to a “wireless access point” (or WAP) which is a radio station that receives and sends data to your computer’s Wi-Fi card
- the WAP is physically connected to a router which, in turn, provides access to the internet
This is what those connections look like:
Understanding how data flows from your computer to the internet is critical to understand why hotel and other public Wi-Fi isn’t safe.
Can I Trust Hotel Wi-Fi Wi-Fi?
You control your computer. You can secure it and use it intelligently. You don’t control anything beyond that. You trust that everything beyond your computer works well.
When you’re at home, that trust exists because you and your internet service provider (ISP) are the only ones with the keys to your router and WAP (which might be the same device!).
When you’re on your company’s network, that trust exists because your company has incentives to maintain a secure network. No one wants to be on the front page because they’re the latest to succumb to ransomware!
So why trust public Wi-Fi? There’s no incentive for a company providing public Wi-Fi to secure it – their corporate network is likely isolated from it and they’re providing it for free for guests.
There’s also great incentive for them not to secure it. Security measures impact service and people who use public Wi-Fi expect one thing: have impactless access to the internet.
Insecure networks have tradeoffs and performance benefits have security costs: someone can compromise the network. Typically, that happens via a “Man in the Middle Attack.”
Man in the Middle Attack
Did you ever play the game “telephone” as a kid? If not, the game is played by standing people in a line. The person at the back of the line says a phrase to the person in front of them, who passes it on. Everyone wins if the message at one end is mostly the same as the other end.
In practice, this is how the internet works: components sending messages to each other with the same message being passed in either direction.
Sometimes, someone in the middle of the line plays a joke: they change the message entirely. Put differently, they intercept the original message and inject their own. That is how a “Man in the Middle Attack” works and this is what that kind of compromise looks like:
A criminal puts a data collector somewhere between the computer and the router (either position 1, 2, or both) and intercepts communications from both directions and passes seemingly legitimate communications through.
In doing so, they can see the contents of all communications. This isn’t critical if someone is reading websites, but it is if someone passes sensitive data like log-in information, bank account information, or personally identifiable information.
Is It Safe to Use Hotel Wi-Fi with VPN?
No.
VPN, or a Virtual Private Network, provides a dedicated connection between your computer and a remote server over the internet.
For all intents and purposes, this is a Man in the Middle Attack, except you’re doing it to yourself and for a beneficial purpose: you’re disguising yourself as the server and sites on the internet believe that you’re the server.
As you can see from the diagram, however, only the internet is fooled. Any criminals sitting on your local network can still redirect traffic through them and see that traffic. So, a VPN doesn’t keep you safe from threat actors on your network.
How Do I Get Secure Wi-Fi at a Hotel?
Use your phone or tablet with a cellular connection. Alternatively, if your phone or tablet with a cellular connection supports it, use those as a wireless hotspot for your computer. In short: create an alternative to a hotel’s free Wi-Fi.
Conclusion
Hotel Wi-Fi isn’t safe. While this isn’t an issue for general web browsing, it is when you are looking at potentially sensitive information. We’d recommend trying to find an alternative to hotel or public Wi-Fi if you can.
I’d be thrilled to hear what you think about this. Please leave a comment below and let me know if you liked this article or not.