Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can Hotel Internet Traffic Be Sniffed?

It’s as bad as open Wi-Fi.

Laptop in a Hotel Conference Room
(Image: canva.com)
Many hotels offer both wired and wireless internet, but with those hotel internet connections comes a security risk most folks don't consider.
My friend’s husband has been getting into her email even though she’s not given him her password. He has confronted his sister about an email and when asked how he got into the email he says that where he works (a large hotel chain), they have a program that searches emails for keywords and brings info up. Could that be true? Can they snoop on hotel internet traffic?

Yes.

Hotel internet security is one of the most overlooked risks travelers face. I’m not just talking wireless — I’m talking about any internet connection provided by your hotel.

In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Any internet connection provided by a hotel or other business or public place is as untrustworthy as an open Wi-Fi hotspot, and you should treat it as such. That means making sure all connections are encrypted, using a VPN, or using some alternate internet connection, such as your mobile data plan.

It’s as bad as open Wi-fi

I’ll put it as bluntly as I can: hotel internet connections are just as unsafe as an unsecured “open” wireless hotspot.

Any hotel internet connection, wired or not.

There are two basic issues.

1: Your ISP can see everything you do

When you’re in a hotel, the hotel is your ISP, your Internet Service Provider. They provide your connectivity to the internet.

Thus, like a traditional ISP, they have the ability to monitor any and all traffic on their network.

You must realize it’s their network you’re using. They own it, control it, and they have the right to monitor its usage.

Unfortunately, it also means employees can abuse their power to go snooping.

2: Your neighbors might be able to see everything you do

This is less common. Depending on how the network is configured, it’s possible you and the rooms around you are connected through a hub. The “problem” with a hub is that it’s a dumb device; it sends everything it gets to everything connected to it.

When you send data through the hub, not only does the upstream internet connection get the data, as you want, but it’s also sent down the wires to neighboring rooms. Computers there should ignore it, but it’s there for the taking.

This is exactly like connecting to an open Wi-Fi connection, where anyone in range can “sniff” your internet traffic.

Staying safe while at a hotel

So, what do you do?

Follow all the steps one should take to stay safe using an open Wi-Fi hotspot.

  • Use a firewall. Make sure your Windows or other software firewall is enabled. The good news is that this is typically on by default.
  • Use https. Only access sensitive websites using an https connection. This includes both sensitive sites like banking, as well as common things like email. The good news is that this is typically the default for most websites these days.
  • Encrypt your email connection. If you’re using a desktop email program downloading email via POP3 or IMAP, or sending email via SMTP, make sure those connections are encrypted. Check with your email provider for the appropriate settings. The good news is that most email services provide them.
  • Consider a VPN. A Virtual Private Network encrypts all of your communications through the hotel’s network. The bad news is that this is an additional service you sign up for.
  • Consider not using the hotel’s network. If your smartphone can be used as a Wi-Fi hotspot, or if you can perform all of your tasks on your mobile device using your data plan, you’ll bypass the hotel completely.

What I do

When I run an actual email program, such as Thunderbird, I make sure to configure mail server connections to use an SSL encrypted connection. My mail is secure.

For encrypted websites (those using https) I do nothing, other than make sure the connection remains “https” as I navigate from page to page.

For unencrypted (http without the s) websites, I do one of three things:

  • Avoid anything that might be considered secure or sensitive.
  • Use a VPN.
  • Use my mobile connection instead.

It’s more than just hotels

I’ve been talking about security in the context of hotels, since it’s common for the traveling public to rely on the internet provided by the facility in which they’re staying.

All of this applies to any internet connection provided by anyone. Everywhere, from a coffee shop or airport Wi-Fi to the internet provided by convention centers, libraries, and other public facilities, there’s an IT department in the background able to examine your unencrypted internet traffic.

Whether or not they would take the time to do so is unknown, but as our original questioner found out, sometimes they do.

It pays to be aware and make conscious, hopefully secure decisions regarding your security wherever you connect.

Subscribe to Confident Computing! Tech problem solving & safety tips & a weekly confidence boost in your inbox every week.

I'll see you there!

10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

NOW: name your own price! You decide how much to pay -- and yes, that means you can get this report completely free if you so choose. Get your copy now!

Podcast audio

Play

56 comments on “Can Hotel Internet Traffic Be Sniffed?”

  1. I hate to burst your bubble Leo but using SSL is no more secure these days than unencrypted connections. With modern poisoning programs (ie Cain, Wireshark) you can easily sniff https as well as http.

    Of course you can sniff it, but actually decrypting the data within it is significantly harder, to the point of being practically impossible.

    -Leo

    Reply
  2. Hotel Chains will most likely not sniff any end users traffic. Being in the industry, We do not sniff or monitor web traffic, accept for bandwidth usage. We do use an advanced network management software system, to assign and act as a proxy server, thus that is why you will always see a browser tell you the connection is not secure, when in fact it is very secure. Our system does not allow DHCP address’, that we assign to be shared or seen by any other ip address with in the same domain. And you cant be part of the domain with out being assigned a dhcp address. There is no reason for me or my IT department to waste our time trying to sniff our guests usage, or any other monitoring of any kind. The vast majority of IT professionals agree with this, and do everything possible to ensure the security of our networks. Unless you go to a cheap hotel, that has not spent money on a good infrastructure, and network management system, there is no reason to be worried about someone sniffing your system. If you do get sniffed, it is most likely that you have a virus or malware on your system, and it has been doing this all along. Not because of the hotels system.

    I’m sure that the vast majority of hotels are exactly as you describe: not in the least bit interested in what their guests are doing on the internet. However I’ve also absolutely heard of situations where random individual employees watching guest’s internet traffic. Perhaps the most risk comes from network setups that often allow guests to sniff each others internet traffic.

    Leo
    26-Mar-2010

    Reply
  3. I’m a bit confused about the VPN part. Suppose I register with an online VPN server to route my web surfing through them. Then, my traffic between my machine and the VPN server is encrypted, but isn’t it in the clear from the VPN server to the actual service I want to access? Otherwise, the other service won’t be able to understand my request. Unless, of course, the VPN server also opens a tunnel to the other side. Does it do it? If it does not, anyone watching between the VPN and the final service could theoretically steal my login information, right?
    Please, this is a doubt I’ve had for a long time and I couldn’t still find a satisfying answer.

    You are correct – a VPN protects your connection to the VPN service, which is typically that part of your connection most at risk by virtue of being in a hotel, coffee shop or whatnot. The connection between the VPN service and the final destination is typically in the clear, but it also travels a much less vulnerable path: server to server.

    Leo
    22-Jul-2010

    Reply
  4. Hi Leo, I’m guessing this still does not stop the Hotel from seeing the amount of Traffic you are downloading?

    That’s correct.

    Leo
    24-Nov-2010

    Reply
  5. Gmail now uses https for web mail by default. If you have an older account, you need to switch it from http. Also, Teamviewer is a free service that allows you to set up a VPN to your home machine. Then you can run your web browser from there. Either method should take care of the concern in this article.

    Reply
  6. Good advice.

    As Lester pointed out, Gmail was the first to offer HTTPS, now Hotmail has followed suit. I use it all the time for both services.

    Reply
  7. Hi guys,

    I was wondering, with a VPN (such as hotspot shield) can the hotel still see the websites you visit?

    Thanks.

    In general, no. A VPN sets up an encrypted tunnel between your computer and the VPN service that the hotel would not be able to penetrate. They’d see that you’d connected to the service, and nothing further.

    Leo
    25-Oct-2011
    Reply
  8. I have a Cisco VPN for small business device in my office. And I use Quick VPN to connect to it for work.
    Can I use that VPN in hotels or public hotspots? That means I have to remote into my office and access my email & IE with my office computer?

    thanx

    Reply
  9. When we are in an airport, hotel or any place that offers free access to internet we trend to take that for granted. Before receiving and sending any data we’d better consider what you’ve talked about as we are very vulnerable in places like that. Thank you for clarifying it.

    Reply
    • They have busted illegal pornography traffic that way, her there and everywhere. While I would feel certain that’s not a concern for you yourself if others used your wifi to access illegal materials and they would be at your door with a lot of questions that you would have to prove to them. If you are out of town, or out of the country, keep your traffic secured and PG, knowing the laws about what is legal in the country you are in. Best to shun adult content and not even carry it on your computer should it be investigated.

      Reply
  10. Hi Leo
    When I tried using CyberGhost, I found that I could not connect to my bank. Is that just me or is this common with VPN?

    Reply
  11. Leo:

    If I use my celluar provider’s WiFi card (e.g., a jetpack) in place of the hotel’s wifi (or any other public/semi public wifi), does this provide me the same level of security and privacy as using a VPN? Thanks for all the help…

    Reply
  12. Is using a mobile phone through a hotel’s Wi-Fi facility a lot safer than using a laptop or tablet device? If so, why would this be, and what precautions would still be needed?

    Reply
    • Yes. It bypasses the hotel network completely, and while cellular data can technically be sniffed in practice it’s exceedingly rare that it is.

      Reply
    • Rick — Are you referring to switching your phone to the hotel’s WiFi, and using that *instead* of your cellular network to make calls and access the internet? In that case it would be no more secure than any other device and would require similar precautions, if I’m understanding all this correctly.

      Reply
      • Thanks for the replies – seems to be a bit of dissent! For clarity, what I am referring to is the common situation of when you check into a hotel and they say “we offer free Wifi – the network will show up as (something like) ‘Hotelname Guest Wifi’ and the password to use it is abcdwxyz” So you identify the guest wifi, put in the password, and the phone picks up the Wifi each time you enter the environs of the hotel. Works great most of the time, but this whole piece has made me question the security now. I am only talking about internet access on Wifi, not making calls, which would either be through regular network or through local phone network if one is in another country.

        Leo seems to suggest there is no security risk, but might have thought I meant just using whatever the public wifi would be (3G or 4G in UK) which I can see would bypass the hotel network, but Ray, I think assumes that I am talking about the scenario of using the hotel’s Wifi as I have described in the first few lines of this post. Dan – you seem to have spotted the problem and are asking the relevant questions, which I hope I have answered above.

        So, what’s the general consensus now? Thanks in advance for your help. (And to you Leo specifically for running this brilliant website).

        Reply
        • There IS a security risk. On the typical motel wifi, these days, you are putting in a password simply to enter the “unsecure” wifi network. If you are seeing a motel-chain website, and putting in a password there, then you know you are on this type of wifi. If you go to a smaller motel that has wifi set up like a home wifi network, then you would enter the network just like you do at a friend’s house. You would click on settings and network connections, you would find the right network in the list, enter the password, and then be behind a firewall. Even in this situation you are behind a firewall with everyone else who has the password — including the motel itself which could easily sniff your activities. Any way you look at it, sharing a wifi connection is not that secure.

          As Leo mentions at the beginning of this article – “Can hotel internet traffic be sniffed?” The answer is “Yes!”

          Reply
        • If your phone is using the Wi-Fi then there IS a security risk. You’re using the hotel’s internet and it CAN be sniffed.

          Using your phone’s own mobile connection without connecting to the hotel’s Wi-Fi is more secure.

          Reply
        • To keep things in perspective, the risk involved with using a hotel’s wireless network is small. Remember, millions of people using public networks – at airports, libraries, coffee shops, hotels, etc. – every day and the vast majority suffer no adverse consequences. Additionally, the majority of sensitive online transactions – such as banking, purchases and even Facebook logins – are encrypted via HTTPS and so even if somebody were to be snooping, they’d be unable to see the data exchanges in transactions.

          Reply
  13. I have used the VPN side of “TeamViewer” to directly access my main PC at home, to then access the Web generally.

    This generally achieved faster access, presumably that the limited hotel WiFi was not having to handle all the primary traffic, which was to/from my main PC over its faster Broadband connections.

    I also suspect that by using the VPN facility through the hotel WiFi, I was also achieving a higher/better security level locally.

    Reply
    • Alex, I like that but does it mean your PC at home is on TeamViewer 24/7 and ready for you? I’ve read this could be risky. Opinion?

      Reply
      • Afternoon Bob.

        Agreed that normally TeamViewer would have to be on 24/7 at home, I don’t know the answer.

        I posted my method, partly in the hope that someone more knowledgeable, would respond with a clear-cut answer.

        In the meantime, I am not aware of any problems that I could associate with such usage etc, for about 3 years now.

        My use of that means was very limited, typically about 2 hours every 6 or 7 weeks, when I was away on voluntary business, from which I have now retired, having entered my ninth decade.

        —-

        Part of the speed increase may be that my home PC is relatively new, fast in itself and 64 bit, with broadband operating at about 37 Mbps Down and 10 Mbps Up.

        The travelliing netbook, is getting a bit elderly etc., like all of us!

        Reply
    • “This generally achieved faster access, presumably that the limited hotel WiFi was not having to handle all the primary traffic” – Unlikely, as data still has to travel across the hotel’s network in order to reach your device. If anything, the extra step would slow speeds.

      Reply
  14. Ray

    I mainly used the combination to access my e-mail, running on my ISP’s server.

    Particularly from June 2015 after I had decided to retire at the end of 2015 thus being aware that it was unlikely that I would have similar opportunities in later years, I occasionally did informal comparison tests, going straight out over the hotel WiFi to my ISP; and going via the same hotel WiFi to my home PC, using TeamViewer.

    The latter, using TeamViewer and my home PC, were definitely faster.

    Those tests were carried out at odd moments from early evening to late; and both sides of breakfast time in the morning.

    Whilst not literally simultaneous, they were immediately sequential, so that specifically the hotel WiFi and the Web generally, were likely to be equally busy.

    It was close to sitting at home some 400 miles away.

    ———–

    However, my interest here is whether my use of TeamViewer’s VPN facility, rather than the other two, “Remote Control” and “File Transfer”, improved the local Security on the hotel’s WiFi part of the connections.

    ——-

    I also find TeamViewer useful at home, when I want to view my smaller-screen devices on a larger screen, avoiding the need for cables and moving devices closer etc.

    Reply
    • “However, my interest here is whether my use of TeamViewer’s VPN facility, rather than the other two, “Remote Control” and “File Transfer”, improved the local Security on the hotel’s WiFi part of the connections.” – Yes and no. It does improve security but, as the majority of your important transactions are encrypted anyway via HTTPS, that may or may not be particularly important (outside of things like banking – which is encrypted – I really wouldn’t care too much if somebody were to capture my – very boring – browsing data). Additionally, using TV does create news risks – see the link I posted previously.

      I see no way that TV could make things faster. Without TV, data travels from A (the website) to C (the hotel’s network). Using TV, it still travels from A to C, but via B (your home network). In either case, the connection will only be as fast as the hotel’s network permits.

      Reply
  15. Ray

    The increased “speed” or reduced time may be that the main processing particularly is occurring on my home PC B, so that hotel network only has to deal with the B’s screen video and with any command inputs.

    BUT whichever, it certainly speeds up the general access and process, in my experience.

    If I were to resume the work that took me down there, I would continue to use TV or possibly some other corresponding method, as I found it advantageous.

    ———

    I have followed your link for TV problems; but I have not observed any.

    Reply
  16. My thanks to the AskLeo organization for the high quality of the information provide. This article and the extended discussion are among the best. I have a few points to add:

    1) I do not feel safe SETTING UP a new VPN connection on a device when using an insecure (untrusted) network. I really really want to set up and test a VPN connection at home (or work) before heading out into the wild blue yonder. After all, this set up process involves entering the password for the VPN account.

    2) When using a VPN at a hotel (or airport, or your friend’s house), you first connect to the hotel Wifi (or ethernet LAN), then connect to your VPN. Connecting to the VPN might take a few minutes. It’s happened to me occasionally. During that time, your communications are NOT protected by your VPN. Also, if your VPN connection drops and you don’t notice, your communications are then not encrypted. I believe some VPN services allow you to cease communications when the VPN connection drops, perhaps through an option (called a “kill switch”). Private Internet Access, which I use, has a kill switch, and also provides a great big indication that the connection status is changing on macOS. I don’t believe this indication is so noticeable on iOS. I haven’t used this VPN on other OSes.

    3) HTTPS web sites (“secure” web sites) might themselves be misconfigured, and that misconfiguration might allow a man-in-the-middle attack. Before signing in to a new HTTPS web site, I test its connection with the free Qualys SSL Server test:

    https://www.ssllabs.com/ssltest/

    A grade of A+ pleases me. If the grade is A or lower, I send an email to the web site asking them to improve the configuration to A+. I know this is not easy, but the HTTPS web site is after all the public face of the organization.

    Thanks again!

    Reply
  17. “For encrypted websites (those using https) I do nothing, other than make sure the connection remains ‘https’ as I navigate from page to page.”

    This is getting harder. Chrome now hides the https: or http: prefix from the address bar at the top of the window. (Current as of February 2021.) What is your current advice for easily monitoring whether a webpage is https or http?

    Reply
  18. What if you pack your own HUAWEI B331 3G/4G router and HUAWEI B331 3G/4G antenna and associated Wallwort and use that for all internet would that be better than using the Hotel Internet.

    Reply
  19. Here are a few things I use.
    Firewalla device in my home office, which allows me to VPN back to my personal home/office network/router, then I can remote to my office pc or use my email app & browse the internet as if I were sitting in my office, securely.
    I also use Windscribe, which offers a free VPN connection, upto 10GB.
    And finally, Tor Browser, which does private browsing (it may require a bit of adjustments, initially I was going through a lot of European Connections, so not in English, a lot of times!). With Tor you would need to do webmail to get the security.

    Reply
  20. I bring a travel router with me when I travel so I connect the router to the hotel network and my devices connect to the router. Would this give me the security I need?

    Reply
    • I believe this will only help as a more robust firewall than the software firewall your computer likely already has–using default settings, it would block incoming connections to your computer. But the router between your computer and the hotel’s network would not prevent any unencrypted network data you send/receive from being intercepted and sniffed, as your traffic would still be flowing right through the hotel’s system.

      Reply
  21. I carry a small travel router that I use between my laptop and the hotel. I use the wired connection to the hotel when available and wired from the laptop and my router. Before traveling, I check for any updates for the router.

    Reply
    • That wouldn’t prevent your data from sniffing. A VPN encrypts everything between your computer and the VPN hiding it from the hotel. The travel router encrypts traffic between itself and your computer. After the data leaves the portable router, everything going across the hotel’s network would appear the same as if the computer were plugged directly into the network via Ethernet cable. The main uses for a portable WiFI router are to use your computer wirelessly where only a wired connection is available and hid your computer behind a firewall.

      Nowadays, many, if not most, laptops are coming without Ethernet ports and most Hotels have ditched wired network for wireless.

      Reply
  22. Something I’ve encountered that I didn’t see addressed in these comments or anywhere else I’ve looked: I’m running into more frequent attempts to enter websites that are blocking me BECAUSE I’m using a VPN. If I close the VPN I get in with no problem.

    A support rep at one bank I use told me they do it to prevent traffic coming in from outside the United States. But I’ve had a few merchant websites doing the same thing.

    Is there any way other than using my phone data plan to deal with this? I’m assuming VPN blocking is simply going to become more prevalent over time.

    Reply
    • I’m not aware of any simple solution. If your VPN allows you to choose different locations to appear as, you might do that. (Mine, for example, allows me to “look like” I’m in any of several different countries.) But some VPNs are simply blocked no matter where they are. All you can do is try a different VPN to see if it’s also blocked or not, or use your mobile data.

      Reply
  23. Another concern is ‘free USB Charging Points’. USB connections are 4 wire being +, -, Data+ & Data- BUT only the + & – wires are required for charging BUT the charger port owner also has direct access to your laptop through the 2 x Data wires and do what they like.
    Simple solution in these untrusted site use a modified USB Male to Female cable with only the + & – wires connected and the 2 data wires cut.
    Regards all

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.