Just like hotel bedspreads, hotel business centers could be more hazardous than they look. With shared computers, minimal protections, and little oversight from the hotel itself, hotel business centers are the security equivalent of the Wild West.
But don’t blast the hotel you recently visited on Yelp just yet. A lack of security isn’t necessarily a sign of blatant negligence by the hotel. Often, business centers are managed by third parties, and hotels cannot directly control system settings. Moreover, by design, business centers are intended to provide maximum functionality, where guests can browse online, plug in thumb drives, email, print, and even fax. Securing these devices while preserving this level of functionality may not be feasible, or worth the investment it would require. Additionally, any kind of shared device is, by nature, open to greater risk. With multiple guests using the same computers every day, you can never be sure what previous users have intentionally or accidentally installed on the device.
What Attackers Can Do
Whether or not hotels want to or even can secure their business centers, they should be aware of the risks these environments pose to their guests and their own networks. Attackers know these environments have minimal security, and there can be numerous ways to obtain sensitive information from these systems.
Recently, while conducting penetration tests at a hotel, we found very sensitive guest information sitting on business center systems. The scanner in the business center was configured to store scanned documents, and it was also reachable from the internet, so anyone, anywhere, could connect to it. Credentials were required, but they were still the factory defaults, something along the lines of 'admin : admin'. Guessing that password gave access to every recently scanned document, including an IRS employee's health benefits election form that contained his Social Security Number.
Another common attack vector against business center systems is the keylogger. Keylogging software can be downloaded from the internet or run from a USB device plugged into the computer itself. The attack requires little skill and exploits no vulnerability: it simply records the keys users type, in the hope of capturing credentials or other sensitive information. A widespread keylogging attack in Dallas-area hotels gave attackers access to guests' bank accounts, emails, and retirement accounts.
These attacks clearly pose a risk to guests, and they can also damage a hotel's reputation, or expose it to legal liability, if the hotel is found responsible for losses guests suffer while using its systems.
What Guests Can Do
Most guests are generally unaware of the security risks of using hotel business centers, but they need to treat this environment with the same—if not more—caution as the hotel bedspread. Here are some basic tips for guests.
- If at all possible, avoid using these systems for anything except basic web browsing: finding local attractions, getting directions, doing a little research, and so on.
- Make it a rule to avoid logging in to anything on these systems. Many people reuse passwords across accounts, so even if you don't log in to an especially sensitive account on the business center computer, an attacker who captures that password will try it against your other accounts to see if you've reused it. Keyloggers are not the only threat: the browser may save your password or keep your session logged in after you walk away, so the next guest to sit down may be able to open your accounts without entering a password at all.
- Be careful what you scan/print/fax. If these devices are externally exposed, any file you’ve scanned/printed/faxed may also be exposed. Printing directions is no big deal. Scanning detailed health or tax records could expose all the information an attacker needs to steal your identity.
- Use disposable email accounts like 10minutemail.com. These provide free, private, unique inboxes that last only 10 minutes. They are accessible only from the browser in which you first opened the site, so there is no username or password to create. If you want to print something from your real email account, log in to your real account on your phone, forward the message to the disposable address you opened on the hotel computer, and print from there. That way you never log in to anything on the hotel computer. Of course, still avoid printing anything that is overly sensitive.
- Plan ahead. It’s easier said than done, but if you know you’re going on the road, pay your bills, check your email, and shop online ahead of time or from your phone. Sometimes it happens, but you don’t want to get stuck in a position where you need to print those financial reports for the big meeting, and all you have is a hotel computer.
What Hotels Can Do
Typically, businesses secure user systems by restricting access to certain sites, blocking certain downloads, enforcing strong antivirus software, and preventing USB connections. Because a hotel business center must be available to every guest, for virtually any activity, at virtually any hour of the day, these normal security measures are just not feasible.
That being said, there are some basic hardening techniques that hotels (or the third parties that manage these centers) can implement. They won't stop every attack, but they address some of the low-hanging fruit that attackers go after:
- Change default credentials. Don’t make it any easier on attackers. Change passwords for printers, scanners, and other devices so that they cannot be easily guessed.
- Patch. Make sure security updates are regularly installed to prevent these machines from being especially vulnerable.
- Prevent systems from being exposed externally. Being exposed to the internet dramatically increases the attack surface. If there is not an express business purpose for doing so, don’t do it.
- If possible, secure the computer towers. If you don’t find it necessary to allow guests to use USB connections, lock the computer tower in a cabinet so that guests cannot tamper with wires and access USB ports. Guests should only be allowed to access monitors, keyboards, and mice.
- Consider running machines in kiosk mode to restrict the machine to only certain functions.
- Of course, make sure these systems are completely segmented from the employee network. They should be completely separate from any hotel systems so that guests and attackers cannot access any internal hotel resources.
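The first finding in "What Attackers Can Do" (a scanner accepting 'admin : admin') and the "Change default credentials" item above are easy to check for routinely. The following script is an added example, not code from the original post: it sweeps a list of device web interfaces with a short, constructed list of common default username:password pairs over HTTP Basic authentication and reports which devices still accept one. So that it runs offline, it also starts a local fake "scanner" web interface that accepts admin:admin, standing in for the real device; the credential list, the fake device, and the file name it serves are all assumptions for the demo.

```python
"""Default-credential sweep for printer/scanner web interfaces (hypothetical audit tool)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed starter list; extend it from the vendor manuals of the devices you own.
DEFAULT_CREDS = [("admin", "admin"), ("admin", ""), ("admin", "password"), ("root", "root")]


class FakeScannerUI(BaseHTTPRequestHandler):
    """Stand-in for a scanner's web UI: Basic auth, still on the factory default."""
    accepted = base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.headers.get("Authorization", "") == "Basic " + self.accepted:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Stored scans: benefits_form.pdf\n")  # constructed sample content
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="scanner"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_scanner():
    """Start the fake device on a random loopback port; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), FakeScannerUI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Ignore any proxy settings: targets are on the local network, not the internet.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def try_login(url, user, password, timeout=3):
    """Return True only if the device answers 200 to this Basic-auth pair."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError:
        return False  # 401/403: the pair was rejected
    except urllib.error.URLError:
        return False  # unreachable: not a default-credential finding


def sweep(urls, creds=DEFAULT_CREDS):
    """Map each URL to the first default pair it accepts, or None if it rejects them all."""
    findings = {}
    for url in urls:
        findings[url] = None
        for user, pw in creds:
            if try_login(url, user, pw):
                findings[url] = (user, pw)
                break  # one accepted default is enough to flag the device
    return findings


if __name__ == "__main__":
    srv = start_fake_scanner()
    target = f"http://127.0.0.1:{srv.server_port}/"
    for url, hit in sweep([target]).items():
        print(f"{url}: {'ACCEPTS DEFAULT ' + ':'.join(hit) if hit else 'ok'}")
    srv.shutdown()
    srv.server_close()
```

Run it against the real device addresses on the business center segment instead of the fake one, and treat a hit as a change-the-password ticket. Pair the sweep with the external-exposure check: any of these addresses that also answers from outside the hotel's network is the exact combination that exposed scanned documents in the case above.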
Finally, hotels need to communicate the risk of using these systems. Even with basic hardening, attackers could still find a way to compromise these machines and sensitive guest information. Posting signs in the business centers will help guests understand that they are using these systems at their own risk, and it will help protect the hotel if a guest’s information is stolen.
Hotel business centers are what they are: convenient, accessible, and as a result, inherently insecure and likely to stay that way. By acknowledging the risks in these environments, both guests and hotels can better protect themselves.