Network Security Lacking At U.S. Hotels, Study Finds

Oct 7, 2008 11:54 AM

Most U.S hotels are vulnerable to malicious attacks and are "ill prepared" to protect their guests from Internet security problems, claims “Hotel Network Security: A Study of Computer Networks in U.S. Hotels,” published by Cornell University.

The study examined the security of 147 hotels through surveys, interviews and on-site testing.

“Many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests,” the study says.

One of the study authors, Josh Ogle, a Cornell University graduate and founder of IT services company TriVesta, performed on-site testing at 46 hotels in Virginia, North Carolina, Texas, Maryland, Tennessee and Pennsylvania -- making sure to hit both tourist and business travel destinations.

Ogle tested wireless networks at 38 hotels and wired networks at eight. He found the majority were vulnerable to attacks.

“Out of the 38 wireless, I was able to break into 33,” Ogle told SCMagazineUS.com. “And by break into I mean, accept data from someone else's computer that wasn't meant to be on mine.”

Ogle used the Linux distribution BackTrack, meant for network testing. In addition, following recommendations of hackers on vulnerability mailing list Full Disclosure, Ogle used a high-power wireless card and high-gain omnidirectional antenna to crack the networks. The setup cost less than $100, he said.

Ogle said using this method a hacker can see all unencrypted information coming into and leaving the network -- including passwords, e-mail messages and any Web sites people are viewing.

Of the hotels compromised, each took about 10 minutes to breach. Some hotel employees inadvertently assisted in the breach by providing passwords and access instructions.

“They are extremely unsecure,” Ogle said of hotel wireless security. “I was very disheartened by what I saw. I wasn't surprised, but I was disheartened.”

Ogle recommended that all hotels use Wi-Fi Protected Access (WPA) encryption, which requires a password to get on the network and encrypts all data transmitted. Of the hotel networks that Ogle was not able to crack, the majority used WPA encryption.

The danger of not securing a hotel's network is that a malicious user could gain access to guest information or other confidential files, Domenic Carmona, director of IT at the W Dallas-Victory hotel, told SCMagazineUS.com.

Carmona recommended hotels use WPA encryption as the minimum standard. He also stressed the importance of having a robust set of firewalls that are managed and properly configured, splitting networks and educating staff of the importance of security standards.

Want to use this article? Click here for options!
© 2012 Penton Media Inc.

This month in Access Control

• Targeting The Customer
• Electronic Pedigrees
• One Hero Among Many
• Who? What? When? Where? Why?
• More from September's issue