It’s as bad as open Wi-Fi.
Hotel internet security is one of the most overlooked risks travelers face. I’m not just talking wireless — I’m talking about any internet connection provided by your hotel.
In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.
Become a Patron of Ask Leo! and go ad-free!
Any internet connection provided by a hotel or other business or public place is as untrustworthy as an open Wi-Fi hotspot, and you should treat it as such. That means making sure all connections are encrypted, using a VPN, or using some alternate internet connection, such as your mobile data plan.
It’s as bad as open Wi-fi
I’ll put it as bluntly as I can: hotel internet connections are just as unsafe as an unsecured “open” wireless hotspot.
Any hotel internet connection, wired or not.
There are two basic issues.
When you’re in a hotel, the hotel is your ISP, your Internet Service Provider. They provide your connectivity to the internet.
Thus, like a traditional ISP, they have the ability to monitor any and all traffic on their network.
You must realize it’s their network you’re using. They own it, control it, and they have the right to monitor its usage.
Unfortunately, it also means employees can abuse their power to go snooping.
2: Your neighbors might be able to see everything you do
This is less common. Depending on how the network is configured, it’s possible you and the rooms around you are connected through a hub. The “problem” with a hub is that it’s a dumb device; it sends everything it gets to everything connected to it.
When you send data through the hub, not only does the upstream internet connection get the data, as you want, but it’s also sent down the wires to neighboring rooms. Computers there should ignore it, but it’s there for the taking.
This is exactly like connecting to an open Wi-Fi connection, where anyone in range can “sniff” your internet traffic.
Staying safe while at a hotel
So, what do you do?
Follow all the steps one should take to stay safe using an open Wi-Fi hotspot.
- Use a firewall. Make sure your Windows or other software firewall is enabled. The good news is that this is typically on by default.
- Use https. Only access sensitive websites using an https connection. This includes both sensitive sites like banking, as well as common things like email. The good news is that this is typically the default for most websites these days.
- Encrypt your email connection. If you’re using a desktop email program downloading email via POP3 or IMAP, or sending email via SMTP, make sure those connections are encrypted. Check with your email provider for the appropriate settings. The good news is that most email services provide them.
- Consider a VPN. A Virtual Private Network encrypts all of your communications through the hotel’s network. The bad news is that this is an additional service you sign up for.
- Consider not using the hotel’s network. If your smartphone can be used as a Wi-Fi hotspot, or if you can perform all of your tasks on your mobile device using your data plan, you’ll bypass the hotel completely.
What I do
When I run an actual email program, such as Thunderbird, I make sure to configure mail server connections to use an SSL encrypted connection. My mail is secure.
For encrypted websites (those using https) I do nothing, other than make sure the connection remains “https” as I navigate from page to page.
For unencrypted (http without the s) websites, I do one of three things:
- Avoid anything that might be considered secure or sensitive.
- Use a VPN.
- Use my mobile connection instead.
It’s more than just hotels
I’ve been talking about security in the context of hotels, since it’s common for the traveling public to rely on the internet provided by the facility in which they’re staying.
All of this applies to any internet connection provided by anyone. Everywhere, from a coffee shop or airport Wi-Fi to the internet provided by convention centers, libraries, and other public facilities, there’s an IT department in the background able to examine your unencrypted internet traffic.
Whether or not they would take the time to do so is unknown, but as our original questioner found out, sometimes they do.
It pays to be aware and make conscious, hopefully secure decisions regarding your security wherever you connect.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!