Can hotels sniff my internet traffic?

More and more hotels are offering both wired and wireless internet, but along with those connections comes a security risk most folks don't consider.

//

My friend’s husband has been getting into her email even though she’s not given him her password. He has confronted his sister about an email and when asked how he got into the email he says that where he works (A large hotel chain) they have a program that searches emails for keywords and brings info up. Could that be true?

Yes.

Hotel network security is one of the most overlooked risks travelers face. And I’m not just talking wireless, I’m talking any internet connection provided by your hotel.

In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.

It’s a topic c|net blogger Michael Horowitz has also written about: Ethernet connections in a hotel room are not secure and the title says it all.

I’ll put it another way: hotel internet connections are just as unsafe as an unsecured wireless hotspot.

Any hotel internet connection.

There are two basic issues:

WirelessYour ISP can see everything you do. When you’re in a hotel, that hotel is your ISP. They provide the connectivity, the routers and other equipment that connects you to the internet. As a result, they have the ability to monitor any and all traffic on the network. And you need to realize that it’s their network that you’re using – they own it, they control it and they have the right to monitor its usage. And, as you’ve seen, employees can abuse that power to go snooping.

Your neighbors may also be able to see what you’re doing. Depending on exactly how the network is configured, it’s possible that you and the rooms around you are connected through a hub. The “problem” with a hub is that it’s a dumb device – it sends everything it gets to everything connected to it. So when you send data through the hub, not only does the upstream internet connection see the data, as you want, but that data is also sent down the wires to your neighboring rooms. Any computers there should ignore it, but it’s there for the taking if they do not. This is exactly like connecting via an open WiFi connection where anyone in range can “sniff” your internet traffic.
… hotel internet connections are just as unsafe as an unsecured wireless hotspot.”

There’s actually a third more sinister problem where an intentionally malicious hotel guest “poisons” some of the information used to route internet traffic and inserts his computer into the middle of your conversations.

So, what do you do? What do I do?

In a word: encrypt.

This basically boils down to following all the same steps one might take to stay safe in an internet cafe:

  • Use a Firewall: make sure your Windows or other software firewall is enabled.
  • Use https: only access sensitive websites, for example, banking, but also things like web mail, using an https
    connection. Most banks are secure by default, most web mail is not.
  • Encrypt your email: if you’re using a normal email program and downloading your email via POP3 or IMAP, or sending your email via SMTP, then you need to make sure that those connections are encrypted. Check with your email provider for the appropriate settings.

Now there’s one more aspect to internet usage that often gets overlooked, and that’s simple web browsing.

For example, as I sit in this hotel room it’s possible that if I didn’t take appropriate precautions my neighbors, were they technically savvy enough, could monitor which web sites I’m browsing. In fact, if any of those web sites require me to login, they could potentially see my login information and password. Recall that I said most web mail is not encrypted using https? That’s exactly what I’m talking about here: if you connect with a normal http connection any usernames and passwords you might enter are transmitted in the clear and are visible to anyone who has enough access to sniff your internet traffic.

Once again, the answer is a single word: encryption.

The most common solution is a VPN or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. The way it works is simple; after signing up you create a VPN connecting to their servers and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted and sent on to its final destination. Anyone in between – meaning your hotel guests, staff and whoever else might be peeking, cannot see your data. More correctly they can see your data, except it’s encrypted and total gibberish to them.

So what do I do?

Well, I run Thunderbird as my email program, downloading and sending via POP3 and SMTP. I’ve configured each to connect to my mail servers using an SSL encrypted connection. My mail is secure.

For unencrypted (http without the s) websites, I establish an encrypted tunnel – think of it as a kind of partial VPN – to my server.

For encrypted websites (https with the s) I need do nothing, other than make sure that the connection remains “https” as I navigate from page to page.

My web surfing is secure.

Since I’m not using a “true” general purpose VPN, as I outlined above, I have to be careful about instant messaging programs. My approach to date has been to connect via remote desktop (which is encrypted) to one of my machines at home and run the instant messaging programs there. In fact, I use this technique for everything that access the internet that isn’t web surfing, email or already inherently secure.

Is it all overkill? I think not. With more and more computers and more and more public internet access, hackers and thieves need very little in the way of technology to steal all sorts of sensitive information. Are they doing it here and now? I’d guess not.

But I’m not so sure of that guess that I’d let down my guard.

Better secure than sorry.

There are 13 comments:

  1. N3T D3VIL Reply

    I hate to burst your bubble Leo but using SSL is no more secure these days than unencrypted connections. With modern poisoning programs (ie Cain, Wireshark) you can easily sniff https as well as http.

    Of course you can sniff it, but actually decrypting the data within it is significantly harder, to the point of being practically impossible.

    -Leo

  2. Kevin Reply

    You bet they can sniff any traffic on their network. Large hotel chains likely use advanced network management software and platforms to keep an eye on what’s happening on their network, particularly as it relates to bandwidth hogging etc… There’s tons of high-end network management software that does this.

  3. Anthon B Reply

    Hotel Chains will most likely not sniff any end users traffic. Being in the industry, We do not sniff or monitor web traffic, accept for bandwidth usage. We do use an advanced network management software system, to assign and act as a proxy server, thus that is why you will always see a browser tell you the connection is not secure, when in fact it is very secure. Our system does not allow DHCP address’, that we assign to be shared or seen by any other ip address with in the same domain. And you cant be part of the domain with out being assigned a dhcp address. There is no reason for me or my IT department to waste our time trying to sniff our guests usage, or any other monitoring of any kind. The vast majority of IT professionals agree with this, and do everything possible to ensure the security of our networks. Unless you go to a cheap hotel, that has not spent money on a good infrastructure, and network management system, there is no reason to be worried about someone sniffing your system. If you do get sniffed, it is most likely that you have a virus or malware on your system, and it has been doing this all along. Not because of the hotels system.
    Come visit us at Zermatt Resort

    I’m sure that the vast majority of hotels are exactly as you describe: not in the least bit interested in what their guests are doing on the internet. However I’ve also absolutely heard of situations where random individual empoloyees watching guest’s internet traffic. Perhaps the most risk comes from network setups that often allow guests to sniff each others internet traffic.

    Leo
    26-Mar-2010

  4. Alex Reply

    I’m a bit confused about the VPN part. Suppose I register with an online VPN server to route my web surfing through them. Then, my traffic between my machine and the VPN server is encrypted, but isn’t it in the clear from the VPN server to the actual service I want to access? Otherwise, the other service won’t be able to understand my request. Unless, of course, the VPN server also opens a tunnel to the other side. Does it do it? If it does not, anyone watching between the VPN and the final service could theoretically steal my login information, right?
    Please, this is a doubt I’ve had for a long time and I couldn’t still find a satisfying answer.

    You are correct – a VPN protects your connection to the VPN service, which it typically that part of your connection most at risk by virtue of being in a hotel, coffee shop or whatnot. The connection between the VPN service and the final destination is typically in the clear, but it also travels a much less vulnerable path: server to server.

    Leo
    22-Jul-2010

  5. Keith Reply

    Hi Leo First I really would like to thank you for this article it is very interesting and clears off a lot of ideas. But I was looking to find if someone can suggest me a good, fast and highly secure free VPN and help me on how to set it up because I need to encrypt my data between my pc and this VPN so that ISP won’t sniff around. I’m sorry I’m this newbie but any help I would appreciate it.

    +I used a free VPN which was very easy to set up and when I went to a website that is blacklisted by my ISP this site still didn’t load up and when I went to an encrypted proxy the page got up fine (although very slow)

    Thanks alot for any help

  6. Jessie Reply

    Hi Leo, I’m guessing this still does not stop the Hotel from seeing the amount of Traffic you are downloading?

    That’s correct.

    Leo
    24-Nov-2010

  7. Lester Reply

    Gmail now uses https for web mail by default. If you have an older account, you need to switch it from http. Also, Teamviewer is a free service that allows you to set up a VPN to your home machine. Then you can run your web browser from there. Either method should take care of the concern in this article.

  8. Ron Reply

    Good advice.

    As Lester pointed out, Gmail was the first to offer HTTPS, now Hotmail has followed suit. I use it all the time for both services.

  9. Eric Reply

    Hi Leo,

    Please compare the security provided by VPN, VNC, and SSH.

    Related to this, I have been trying to connect an iPad using iSSH to a Win 7-64 bit desktop and an XP laptop both running tightVNC and freeSSHd. The problem is that on both machines the SSH tunnel is established but then immediately disconnects without connecting to VNC no matter what settings I try. Perhaps you have a suggestion as to what might be wrong.

  10. Ossy Reply

    Hi guys,

    I was wondering, with a VPN (such as hotspot shield) can the hotel still see the websites you visit?

    Thanks.

    In general, no. A VPN sets up an encrypted tunnel between your computer and the VPN service that the hotel would not be able to penetrate. They’d see that you’d connected to the service, and nothing further.

    Leo
    25-Oct-2011
  11. Michael Reply

    I have a Cisco VPN for small business device in my office. And I use Quick VPN to connect to it for work.
    Can I use that VPN in hotels or public hotspots? That means I have to remote into my office and access my email & IE with my office computer?

    thanx

  12. JOSE CARLOS SANTOS Reply

    When we are in an airport, hotel or any place that offers free access to internet we trend to take that for granted. Before receiving and sending any data we’d better consider what you’ve talked about as we are very vulnerable in places like that. Thank you for clarifying it.

Leave a reply:

Before commenting please:

  • Read the article. Seriously. You'd be shocked at how many people make comments that prove they didn't.
  • Comment only on the article. If you have a new, unrelated question start with the search box at the top of the page.
  • Don't post personal information. Email addresses, phone numbers and such will be removed.

VERY IMPORTANT: because of a rise in comment spam that's making it through our filters any comments that do not add to the discussion - typically off topic or content-free comments - run a very high risk of being flagged as spam and removed.

If you have a new question unrelated to the article above, ask it on the Ask Leo! ask-a-question page.