Hotel internet security is one of the most overlooked risks travelers face. I’m not just talking wireless – I’m talking any internet connection provided by your hotel.
In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.
Become a Patron of Ask Leo! and go ad-free!
It’s as bad as open Wi-fi
I’ll put it bluntly: hotel internet connections are just as unsafe as an unsecured “open” wireless hotspot.
Any hotel internet connection.
There are two basic issues:
This is the biggie. When you’re in a hotel, that hotel is your ISP. They provide the connectivity, routers, and other equipment that connect you to the internet.
Thus, like your traditional ISP, they have the ability to monitor any and all traffic on the network.
You need to realize that it’s their network you’re using. They own it, control it, and they have the right to monitor its usage. And, as you’ve seen, employees can abuse that power to go snooping.
2: Your neighbors may also be able to see everything you do.
This is less common. Depending on exactly how the hotel network is configured, it’s possible that you and the rooms around you are connected through a hub. The “problem” with a hub is that it’s a dumb device; it sends everything it gets to everything connected to it.
When you send data through the hub, not only does the upstream internet connection see the data, as you want, but that data is also sent down the wires to neighboring rooms. Any computer users there should ignore it, but it’s there for the taking. This is exactly like connecting via an open WiFi connection, where anyone in range can “sniff” your internet traffic.
Staying safe while staying at a hotel
So, what do you do? What do I do?
In a word: encrypt.
This boils down to following all the same steps one should take to stay safe when using an open Wi-Fi hotspot.
- Use a firewall: make sure your Windows or other software firewall is enabled.
- Use https: only access sensitive websites using an https connection. This would include not only obviously sensitive things like banking, but even more common, simple things, like web mail.
- Encrypt your email: if you’re using a desktop email program and downloading your email via POP3 or IMAP, or sending your email via SMTP, you need to make sure that those connections are encrypted. Check with your email provider for the appropriate settings.
Even simple browsing can expose a lot
There’s one more thing that often gets overlooked: simple web browsing.
For example, as I sit in this hotel room, it’s possible that if I didn’t take appropriate precautions, the hotel operators (and possibly my neighbors, were they technically savvy enough), could monitor the web sites I’m browsing. In fact, if any of those web sites require me to log in, they could potentially see my log-in information and password.
If you connect with a normal http connection, any usernames and passwords you enter are transmitted in the clear, visible to anyone who has enough access to sniff your hotel internet traffic.
Once again, the answer is a single word: encryption.
The most common solution is a VPN, or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. After signing up, you create a VPN connecting to their servers, and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted, and sent on to its final destination. Anyone in between – meaning your hotel’s guests, staff, and whoever else might be peeking, cannot see your data. More correctly, they can see your data, except it’s encrypted, and total gibberish to them.
What I do
When I run an actual email program, such as Thunderbird, I make sure to configure mail server connections to use an SSL encrypted connection. My mail is secure.
For encrypted websites (those that use https with the s) I need do nothing, other than make sure that the connection remains “https” as I navigate from page to page. When I access my email via Gmail, for example, this simply works, as do administrative functions on my own web sites, which are also https.
For unencrypted (http without the s) websites, I do either of two things:
- Avoid anything that might be considered secure or sensitive.
- Use my mobile connection instead, avoiding the hotel’s internet completely.
It’s more than just hotels
I’ve been talking about security in the context of hotels, since it’s common for the travelling public to rely on internet provided by the facility in which they’re staying.
But all of this applies to any internet connection provided by anyone. Everywhere, from coffee shop or airport Wi-Fi to the internet provided by convention centers and other public facilities, there’s an IT department in the background that absolutely can examine your unencrypted internet traffic. Whether or not they would take the time to do so is unknown, but as our original questioner found out, sometimes they do.
It pays to be aware and make conscious, hopefully secure decisions regarding your security wherever you connect.