A report released today by Kaspersky Lab should be a sobering wake-up call to traveling executives and the IT departments responsible for their care and feeding.
The company’s Global Research and Analysis Team highlighted the results from an investigation of Darkhotel, a criminal enterprise aimed at stealing data from executives staying in luxury hotels abroad.
Darkhotel, which the company said is at least four years old, is carefully executed. Nobody is targeted more than once and all traces of contacts are deleted after the first foray. The perpetrators settle for the information they get on the first try.
The attack on the hotel networks and guests is straightforward:
They wait until after check-in when the victim connects to the hotel Wi-Fi network, submitting his room number and surname to login. The attackers see the victim in the compromised network and trick the person into downloading and installing a backdoor that pretends to be an update for legitimate software, such as Google Toolbar, Adobe Flash or Windows Messenger. The unsuspecting executive downloads this hotel “welcome package,” only to infect his machine with a backdoor for the Darkhotel spying software.
The release says that once the victim falls for the hoax, more sophisticated data-stealing tools are downloaded and go to work.
Though this is an urgent and high-profile message on the importance of hotel Wi-Fi security, it is far from the first. Business Insider, in its report on the Darkhotel research, said that the FBI in 2012 issued a warning to international travelers to highlight just the sort of dangers Kaspersky uncovered.
Anecdotal evidence shows that hotels are anything but hospitable to guests’ data.
For instance, TripAdvisor posted a comment from a guest of the Marriott in Ghent, Belgium, bemoaning the lack of security on the hotel Wi-Fi. The man wrote that he and his wife’s iPhones were hacked and their accounts shut down by their ISP when their devices began sending thousands of emails per hour.
Likewise, the NBC affiliate in West Palm Beach, Florida, posted and broadcast a story detailing the poor Wi-Fi security at the local Four Seasons Resort. The report featured an on-site demonstration by Infostream’s David Parizek. The bottom line is that he very easily observed everything that was going on. If he had been a cracker, he would have done far more than observe.
The targeting of luxury hotels’ Wi-Fi networks makes perfect sense: They provide a rich concentration of users, and a high proportion of them are wealthy people doing things or storing data with monetary value. It’s cushy as well: The bad folks don’t have to sit in dark cars in parking lots and side streets barely within the hotel’s footprint. They can sit in lobbies and even go to the bar for a drink.
The message is exceedingly clear: Travelers should be extremely vigilant when about their use of hotel Wi-Fi. That’s not a new thought. The depth of the danger is, however.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.