SecureMac, Inc.

Checklist 108: Hotel Wi-Fi How-To

September 27, 2018

This week on The Checklist, we’re going on vacation! No, wait — it’s a business trip. Maybe… the house is being fumigated! Whatever the reason is, we have to check into a hotel, leaving our home network behind. Good news, though: the hotel has free Wi-Fi for us to use! The bad news: we weren’t the ones to set up the security for the hotel’s wireless network. We don’t know who’s staying in the room next door, or what they might be up to… and then to top it …

Checklist 108: Hotel Wi-Fi How-To

This week on The Checklist, we’re going on vacation! No, wait — it’s a business trip. Maybe… the house is being fumigated! Whatever the reason is, we have to check into a hotel, leaving our home network behind. Good news, though: the hotel has free Wi-Fi for us to use! The bad news: we weren’t the ones to set up the security for the hotel’s wireless network. We don’t know who’s staying in the room next door, or what they might be up to… and then to top it all off; we see a message on our computer saying that our current Wi-Fi network connection “exposes all traffic.” What’s a traveler to do?

A few weeks ago, we received an email from a listener, John, filled with questions and concerns about logging into hotel Wi-Fi. John raised a lot of interesting concerns, and it occurred to us that he was probably not the only person wondering these things. Sure, people who travel for business all the time might have these things perfectly understood, but for the rest of us, the occasional trip to a hotel can leave us with some concerns about safe browsing. This week, our checklist consists of John’s many questions — and our answers.

Let’s kick things off with some information about that scary-sounding message you might see on your Mac after you connect to not just a hotel’s Wi-Fi network, but any public Wi-Fi network.

What does “exposes all network traffic” really mean?

We can explain this easily through a comparison. First, think about your network at home. If everything is the way it should be — no malware, no viruses, and good security like WPA2 set up on your router — then you’re working in a pretty secure place. There’s no chance anyone is “sniffing” your traffic or trying to tap into devices on your network, and no one looking to see what you’re doing directly. On public wireless networks, it’s a different story altogether.

Everyone needs to be able to connect to public Wi-Fi, so it’s often unencrypted. This includes places like hotels and airports to coffee shops and your local fast food restaurants. Note that even if somewhere requires a password to log in to the network, that doesn’t necessarily make it more secure. It’s a basic line of defense that stops anyone from looking, but how hard was it for you to get the password? It’s probably printed on a card some place and easily accessible, so you shouldn’t treat these public networks as secure, either.

With the traffic unencrypted and available to everyone, it’s effortless for bad guys to use a “network sniffer,” capturing the packets of information flying back and forth between your laptop or phone with the intent of looking inside to see what they contain. Are you sending messages on an unencrypted service? Visiting an insecure site and logging in to your account? With the right tools, hackers can see all this information, including usernames and passwords. So “exposes all network traffic” means exactly what it says: everything is visible on these open Wi-Fi networks. The only choice to avoid prying eyes is to use encryption yourself, transforming your publicly-visible data transmissions into garbled gibberish.

Can hackers merely see your data, or can they harvest it too?

Hackers don’t literally see your screen, but instead can see the raw data transmitted by your system. They aren’t looking at the page as you type your password in, but when you hit the “log in” button, the packets containing your username and password could be detected and your information compromised. So yes, it is possible for a savvy hacker to harvest this information.

For this reason, when you’re using public Wi-Fi, you should always look for the green lock icon, the word “Secure,” or the letters HTTPS in your URL bar. This symbol indicates that the website is using its own form of encryption, adding a line of defense against these network attacks.

With that said, you’ll also need to watch out for “man in the middle” attacks. Let’s say you check in to a place named the Hudson Hotel. You settle into your room, and you see that there’s an unsecured network called Hudson Hotel Guest. You think, “Sounds like me!” and connect to the network, ready to take care of business. In reality, though, the real Wi-Fi network might be secured with a password found in the information booklet in your room, and the network you just connected to is a phony hotspot run by a bad guy. When you connect to this network, they can capture all your web traffic in real time. Whenever you connect to an unsecured network, be certain it’s actually the correct network for the place offering an Internet connection.

When my mail app opens, emails auto download to my Inbox. If I don’t open/select them can someone hacking the network view the content of these emails? How about the contents of the inbox? Senders address? My address?

The answer to this circles back to encryption again. If your mail client communicates securely, you’ll be safe in most cases. However, if these communications aren’t secured, then yes, much of this data could be subject to inspection by any hacker who has compromised the network. While that doesn’t mean they’ll be able to browse around in your inbox at will, it does mean they can see certain things — such as a hyperlink in an email that you received and opened — which they can turn around and use themselves.

However, keep in mind that if you already used the unsecured network to log in, then the bad guys might already have your username and password anyway if they were on the lookout. That renders the rest of these questions relatively moot; with your login information in hand, they can access this data on their own. That’s why making sure you’re using secure apps is so important. Communicating with something like iCloud would presumably involve end-to-end encryption on Apple’s part, so you’re more likely to keep your data in the cloud safe, but it’s best not to assume no one is looking when you’re on a public network.

I use a subscription app (e.g. Wall Street Journal) that has a log-in embedded so that when I select the app I am connected and logged-in for viewing.  Can someone hacking network view and get this auto login password? I have a brokerage app that has preset company names so that I can see today’s stock prices when I open the app.  Can a hacker see the same thing, thus knowing what companies I have listed? What about “Maps app” – can a hacker see results of my searching requests?

The answer to these questions is largely “it depends.” If the app uses security, such as transmitting data over HTTPS in the background or otherwise employing encryption, you’ll be fine. With a provider like the WSJ, it would be surprising if they didn’t use encryption to transmit this data — though stranger things have happened. With the Maps app specifically, encryption is in use, so you’re always secure when checking out what’s nearby. The brokerage app is also likely to use encryption since it deals with financial information, but this is a good moment to offer a word of advice.

It may serve you well to adopt a personal rule to simply never log in to anything online related to your finances on a public network — even if the app itself is encrypted. Don’t confuse this with using cellular data, but only public Wi-Fi. While the risk might be low that the encryption could be compromised, it can be a smarter and safer move not to tempt fate but putting those encrypted packets out there on the network. Unless you have no choice, it’s better to wait until you’re in a more secure position to check your portfolio or arrange for a transfer between your accounts. Remember, apps are the Internet: they could be just as vulnerable as an insecure website visited in your browser. Apps aren’t necessarily any safer just because they’re apps.

In Safari, can a hacker record my surfing sites? View my data entry? For example – see the Zip code I put in on the Weather App?

To the degree that this information might be transmitted unencrypted, yes, but the hacker does not have fine control over what data he intercepts. If you type something into your browser bar and erase it, for example, they can’t see that. If you type it in and then press “go” to visit the site, this is something they could see in an unencrypted connection.

Apple issues an OS update. If it requires Wi-Fi, is there any vulnerability when updating?

An interesting question. In most cases, the answer is “no” — you’re not at risk, and you won’t be exposing your personal data if you’re updating on the hotel’s Wi-Fi network. However, let’s go back to the “man in the middle” attack we mentioned earlier. If you’re connected to a malicious hotspot, and the hacker happens to know how to offer you a tainted version of the update, then you could be facing a risk. Therefore, it’s important to verify that you’re on the real, legitimate network for any establishment; however, this is a bit of a far-fetched scenario, and not one that the average user is likely to encounter owing to the time and effort it would take to execute.

Are the vulnerabilities the same using a cellular network with Wi-Fi disabled?

No. You are much, much safer on your cellular network, and it’s very difficult — perhaps next to impossible — for anyone but a major nation-state level hacker to execute “man in the middle” attacks on cell phones. There is no easy way to “sniff” this traffic either. You may prefer to use your cellular connection to create a personal hotspot if it’s an option for you.

The easiest solution? Get a VPN

We’ve talked about virtual private networks on The Checklist before several times, including all the way back in Episode 19. VPNs encrypt all of the traffic coming off your machine and make it so that no one can look inside and see what you’re transmitting. They’re the perfect solution for browsing safely and privately in public. Quit any apps that might convey information in the background as you log in to the hotel Wi-Fi, then start your VPN, re-launch your apps, and continue to browse or work as normal with no concerns about prying eyes.

With these last questions answered, we hope you feel a bit more confident about how to safely approach the challenges of dealing with hotel Wi-Fi networks. Want to head back into the archives and check out the episode we did on VPNs for more information? You can do that and more at SecureMac.com/checklist! With every episode we’ve recorded available for streaming plus the complete show notes for each show, it’s quick and easy to catch up on important info and any interesting stories you may have missed.

Get the latest security news and deals