Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Can Hotel Internet Traffic Be Sniffed?

//
My friend’s husband has been getting into her email even though she’s not given him her password. He has confronted his sister about an email and when asked how he got into the email he says that where he works (a large hotel chain), they have a program that searches emails for keywords and brings info up. Could that be true? Can they snoop on hotel internet traffic?

Yes.

Hotel internet security is one of the most overlooked risks travelers face. I’m not just talking wireless – I’m talking any internet connection provided by your hotel.

In fact, I’m actually writing this in a hotel room, and yes, I have taken a few precautions.

Become a Patron of Ask Leo! and go ad-free!

It’s as bad as open Wi-fi

I’ll put it bluntly: hotel internet connections are just as unsafe as an unsecured “open” wireless hotspot.

Any hotel internet connection.

There are two basic issues:

Hotel Internet spying?1: Your ISP can see everything you do.

This is the biggie. When you’re in a hotel, that hotel is your ISP. They provide the connectivity, routers, and other equipment that connect you to the internet.

Thus, like your traditional ISP, they have the ability to monitor any and all traffic on the network.

You need to realize that it’s their network you’re using. They own it, control it, and they have the right to monitor its usage. And, as you’ve seen, employees can abuse that power to go snooping.

2: Your neighbors may also be able to see everything you do.

This is less common. Depending on exactly how the hotel network is configured, it’s possible that you and the rooms around you are connected through a hub. The “problem” with a hub is that it’s a dumb device; it sends everything it gets to everything connected to it.

When you send data through the hub, not only does the upstream internet connection see the data, as you want, but that data is also sent down the wires to neighboring rooms. Any computer users there should ignore it, but it’s there for the taking. This is exactly like connecting via an open WiFi connection, where anyone in range can “sniff” your internet traffic.

Staying safe while staying at a hotel

So, what do you do? What do I do?

In a word: encrypt.

This boils down to following all the same steps one should take to stay safe when using an open Wi-Fi hotspot.

  • Use a firewall: make sure your Windows or other software firewall is enabled.
  • Use https: only access sensitive websites using an https connection. This would include not only obviously sensitive things like banking, but even more common, simple things, like web mail.
  • Encrypt your email: if you’re using a desktop email program and downloading your email via POP3 or IMAP, or sending your email via SMTP,  you need to make sure that those connections are encrypted. Check with your email provider for the appropriate settings.

Even simple browsing can expose a lot

There’s one more thing that often gets overlooked: simple web browsing.

For example, as I sit in this hotel room, it’s possible that if I didn’t take appropriate precautions, the hotel operators (and possibly my neighbors, were they technically savvy enough), could monitor the web sites I’m browsing. In fact, if any of those web sites require me to log in, they could potentially see my log-in information and password.

If you connect with a normal http connection, any usernames and passwords you enter are transmitted in the clear, visible to anyone who has enough access to sniff your hotel internet traffic.

Once again, the answer is a single word: encryption.

The most common solution is a VPN, or virtual private network. There are several commercial services tailored specifically to folks who travel a fair amount. After signing up, you create a VPN connecting to their servers, and all your internet traffic is encrypted and routed through them. At the service, the data is decrypted, and sent on to its final destination. Anyone in between – meaning your hotel’s guests, staff, and whoever else might be peeking, cannot see your data. More correctly, they can see your data, except it’s encrypted, and total gibberish to them.

What I do

When I run an actual email program, such as Thunderbird, I make sure to configure mail server connections to use an SSL encrypted connection. My mail is secure.

For encrypted websites (those that use https with the s) I need do nothing, other than make sure that the connection remains “https” as I navigate from page to page. When I access my email via Gmail, for example, this simply works, as do administrative functions on my own web sites, which are also https.

For unencrypted (http without the s) websites, I do either of two things:

  • Avoid anything that might be considered secure or sensitive.
  • Use my mobile connection instead, avoiding the hotel’s internet completely.

It’s more than just hotels

I’ve been talking about security in the context of hotels, since it’s common for the travelling public to rely on internet provided by the facility in which they’re staying.

But all of this applies to any internet connection provided by anyone. Everywhere, from coffee shop or airport Wi-Fi to the internet provided by convention centers and other public facilities, there’s an IT department in the background that absolutely can examine your unencrypted internet traffic. Whether or not they would take the time to do so is unknown, but as our original questioner found out, sometimes they do.

It pays to be aware and make conscious, hopefully secure decisions regarding your security wherever you connect.

Podcast audio

Play

42 comments on “Can Hotel Internet Traffic Be Sniffed?”

  1. I hate to burst your bubble Leo but using SSL is no more secure these days than unencrypted connections. With modern poisoning programs (ie Cain, Wireshark) you can easily sniff https as well as http.

    Of course you can sniff it, but actually decrypting the data within it is significantly harder, to the point of being practically impossible.

    -Leo

  2. Hotel Chains will most likely not sniff any end users traffic. Being in the industry, We do not sniff or monitor web traffic, accept for bandwidth usage. We do use an advanced network management software system, to assign and act as a proxy server, thus that is why you will always see a browser tell you the connection is not secure, when in fact it is very secure. Our system does not allow DHCP address’, that we assign to be shared or seen by any other ip address with in the same domain. And you cant be part of the domain with out being assigned a dhcp address. There is no reason for me or my IT department to waste our time trying to sniff our guests usage, or any other monitoring of any kind. The vast majority of IT professionals agree with this, and do everything possible to ensure the security of our networks. Unless you go to a cheap hotel, that has not spent money on a good infrastructure, and network management system, there is no reason to be worried about someone sniffing your system. If you do get sniffed, it is most likely that you have a virus or malware on your system, and it has been doing this all along. Not because of the hotels system.
    Come visit us at Zermatt Resort

    I’m sure that the vast majority of hotels are exactly as you describe: not in the least bit interested in what their guests are doing on the internet. However I’ve also absolutely heard of situations where random individual empoloyees watching guest’s internet traffic. Perhaps the most risk comes from network setups that often allow guests to sniff each others internet traffic.

    Leo
    26-Mar-2010

  3. I’m a bit confused about the VPN part. Suppose I register with an online VPN server to route my web surfing through them. Then, my traffic between my machine and the VPN server is encrypted, but isn’t it in the clear from the VPN server to the actual service I want to access? Otherwise, the other service won’t be able to understand my request. Unless, of course, the VPN server also opens a tunnel to the other side. Does it do it? If it does not, anyone watching between the VPN and the final service could theoretically steal my login information, right?
    Please, this is a doubt I’ve had for a long time and I couldn’t still find a satisfying answer.

    You are correct – a VPN protects your connection to the VPN service, which it typically that part of your connection most at risk by virtue of being in a hotel, coffee shop or whatnot. The connection between the VPN service and the final destination is typically in the clear, but it also travels a much less vulnerable path: server to server.

    Leo
    22-Jul-2010

  4. Hi Leo First I really would like to thank you for this article it is very interesting and clears off a lot of ideas. But I was looking to find if someone can suggest me a good, fast and highly secure free VPN and help me on how to set it up because I need to encrypt my data between my pc and this VPN so that ISP won’t sniff around. I’m sorry I’m this newbie but any help I would appreciate it.

    +I used a free VPN which was very easy to set up and when I went to a website that is blacklisted by my ISP this site still didn’t load up and when I went to an encrypted proxy the page got up fine (although very slow)

    Thanks alot for any help

  5. Hi Leo, I’m guessing this still does not stop the Hotel from seeing the amount of Traffic you are downloading?

    That’s correct.

    Leo
    24-Nov-2010

  6. Gmail now uses https for web mail by default. If you have an older account, you need to switch it from http. Also, Teamviewer is a free service that allows you to set up a VPN to your home machine. Then you can run your web browser from there. Either method should take care of the concern in this article.

  7. Good advice.

    As Lester pointed out, Gmail was the first to offer HTTPS, now Hotmail has followed suit. I use it all the time for both services.

  8. Hi Leo,

    Please compare the security provided by VPN, VNC, and SSH.

    Related to this, I have been trying to connect an iPad using iSSH to a Win 7-64 bit desktop and an XP laptop both running tightVNC and freeSSHd. The problem is that on both machines the SSH tunnel is established but then immediately disconnects without connecting to VNC no matter what settings I try. Perhaps you have a suggestion as to what might be wrong.

  9. Hi guys,

    I was wondering, with a VPN (such as hotspot shield) can the hotel still see the websites you visit?

    Thanks.

    In general, no. A VPN sets up an encrypted tunnel between your computer and the VPN service that the hotel would not be able to penetrate. They’d see that you’d connected to the service, and nothing further.

    Leo
    25-Oct-2011
  10. I have a Cisco VPN for small business device in my office. And I use Quick VPN to connect to it for work.
    Can I use that VPN in hotels or public hotspots? That means I have to remote into my office and access my email & IE with my office computer?

    thanx

  11. When we are in an airport, hotel or any place that offers free access to internet we trend to take that for granted. Before receiving and sending any data we’d better consider what you’ve talked about as we are very vulnerable in places like that. Thank you for clarifying it.

    • They have busted illegal pornography traffic that way, her there and everywhere. While I would feel certain that’s not a concern for you yourself if others used your wifi to access illegal materials and they would be at your door with a lot of questions that you would have to prove to them. If you are out of town, or out of the country, keep your traffic secured and PG, knowing the laws about what is legal in the country you are in. Best to shun adult content and not even carry it on your computer should it be investigated.

  12. Hi Leo
    When I tried using CyberGhost, I found that I could not connect to my bank. Is that just me or is this common with VPN?

  13. Leo:

    If I use my celluar provider’s WiFi card (e.g., a jetpack) in place of the hotel’s wifi (or any other public/semi public wifi), does this provide me the same level of security and privacy as using a VPN? Thanks for all the help…

  14. Is using a mobile phone through a hotel’s Wi-Fi facility a lot safer than using a laptop or tablet device? If so, why would this be, and what precautions would still be needed?

    • Yes. It bypasses the hotel network completely, and while cellular data can technically be sniffed in practice it’s exceedingly rare that it is.

    • Rick — Are you referring to switching your phone to the hotel’s WiFi, and using that *instead* of your cellular network to make calls and access the internet? In that case it would be no more secure than any other device and would require similar precautions, if I’m understanding all this correctly.

      • Thanks for the replies – seems to be a bit of dissent! For clarity, what I am referring to is the common situation of when you check into a hotel and they say “we offer free Wifi – the network will show up as (something like) ‘Hotelname Guest Wifi’ and the password to use it is abcdwxyz” So you identify the guest wifi, put in the password, and the phone picks up the Wifi each time you enter the environs of the hotel. Works great most of the time, but this whole piece has made me question the security now. I am only talking about internet access on Wifi, not making calls, which would either be through regular network or through local phone network if one is in another country.

        Leo seems to suggest there is no security risk, but might have thought I meant just using whatever the public wifi would be (3G or 4G in UK) which I can see would bypass the hotel network, but Ray, I think assumes that I am talking about the scenario of using the hotel’s Wifi as I have described in the first few lines of this post. Dan – you seem to have spotted the problem and are asking the relevant questions, which I hope I have answered above.

        So, what’s the general consensus now? Thanks in advance for your help. (And to you Leo specifically for running this brilliant website).

        • There IS a security risk. On the typical motel wifi, these days, you are putting in a password simply to enter the “unsecure” wifi network. If you are seeing a motel-chain website, and putting in a password there, then you know you are on this type of wifi. If you go to a smaller motel that has wifi set up like a home wifi network, then you would enter the network just like you do at a friend’s house. You would click on settings and network connections, you would find the right network in the list, enter the password, and then be behind a firewall. Even in this situation you are behind a firewall with everyone else who has the password — including the motel itself which could easily sniff your activities. Any way you look at it, sharing a wifi connection is not that secure.

          As Leo mentions at the beginning of this article – “Can hotel internet traffic be sniffed?” The answer is “Yes!”

        • If your phone is using the Wi-Fi then there IS a security risk. You’re using the hotel’s internet and it CAN be sniffed.

          Using your phone’s own mobile connection without connecting to the hotel’s Wi-Fi is more secure.

        • To keep things in perspective, the risk involved with using a hotel’s wireless network is small. Remember, millions of people using public networks – at airports, libraries, coffee shops, hotels, etc. – every day and the vast majority suffer no adverse consequences. Additionally, the majority of sensitive online transactions – such as banking, purchases and even Facebook logins – are encrypted via HTTPS and so even if somebody were to be snooping, they’d be unable to see the data exchanges in transactions.

  15. I have used the VPN side of “TeamViewer” to directly access my main PC at home, to then access the Web generally.

    This generally achieved faster access, presumably that the limited hotel WiFi was not having to handle all the primary traffic, which was to/from my main PC over its faster Broadband connections.

    I also suspect that by using the VPN facility through the hotel WiFi, I was also achieving a higher/better security level locally.

    • Alex, I like that but does it mean your PC at home is on TeamViewer 24/7 and ready for you? I’ve read this could be risky. Opinion?

      • Afternoon Bob.

        Agreed that normally TeamViewer would have to be on 24/7 at home, I don’t know the answer.

        I posted my method, partly in the hope that someone more knowledgeable, would respond with a clear-cut answer.

        In the meantime, I am not aware of any problems that I could associate with such usage etc, for about 3 years now.

        My use of that means was very limited, typically about 2 hours every 6 or 7 weeks, when I was away on voluntary business, from which I have now retired, having entered my ninth decade.

        —-

        Part of the speed increase may be that my home PC is relatively new, fast in itself and 64 bit, with broadband operating at about 37 Mbps Down and 10 Mbps Up.

        The travelliing netbook, is getting a bit elderly etc., like all of us!

    • “This generally achieved faster access, presumably that the limited hotel WiFi was not having to handle all the primary traffic” – Unlikely, as data still has to travel across the hotel’s network in order to reach your device. If anything, the extra step would slow speeds.

  16. Ray

    I mainly used the combination to access my e-mail, running on my ISP’s server.

    Particularly from June 2015 after I had decided to retire at the end of 2015 thus being aware that it was unlikely that I would have similar opportunities in later years, I occasionally did informal comparison tests, going straight out over the hotel WiFi to my ISP; and going via the same hotel WiFi to my home PC, using TeamViewer.

    The latter, using TeamViewer and my home PC, were definitely faster.

    Those tests were carried out at odd moments from early evening to late; and both sides of breakfast time in the morning.

    Whilst not literally simultaneous, they were immediately sequential, so that specifically the hotel WiFi and the Web generally, were likely to be equally busy.

    It was close to sitting at home some 400 miles away.

    ———–

    However, my interest here is whether my use of TeamViewer’s VPN facility, rather than the other two, “Remote Control” and “File Transfer”, improved the local Security on the hotel’s WiFi part of the connections.

    ——-

    I also find TeamViewer useful at home, when I want to view my smaller-screen devices on a larger screen, avoiding the need for cables and moving devices closer etc.

    • “However, my interest here is whether my use of TeamViewer’s VPN facility, rather than the other two, “Remote Control” and “File Transfer”, improved the local Security on the hotel’s WiFi part of the connections.” – Yes and no. It does improve security but, as the majority of your important transactions are encrypted anyway via HTTPS, that may or may not be particularly important (outside of things like banking – which is encrypted – I really wouldn’t care too much if somebody were to capture my – very boring – browsing data). Additionally, using TV does create news risks – see the link I posted previously.

      I see no way that TV could make things faster. Without TV, data travels from A (the website) to C (the hotel’s network). Using TV, it still travels from A to C, but via B (your home network). In either case, the connection will only be as fast as the hotel’s network permits.

  17. Ray

    The increased “speed” or reduced time may be that the main processing particularly is occurring on my home PC B, so that hotel network only has to deal with the B’s screen video and with any command inputs.

    BUT whichever, it certainly speeds up the general access and process, in my experience.

    If I were to resume the work that took me down there, I would continue to use TV or possibly some other corresponding method, as I found it advantageous.

    ———

    I have followed your link for TV problems; but I have not observed any.

  18. My thanks to the AskLeo organization for the high quality of the information provide. This article and the extended discussion are among the best. I have a few points to add:

    1) I do not feel safe SETTING UP a new VPN connection on a device when using an insecure (untrusted) network. I really really want to set up and test a VPN connection at home (or work) before heading out into the wild blue yonder. After all, this set up process involves entering the password for the VPN account.

    2) When using a VPN at a hotel (or airport, or your friend’s house), you first connect to the hotel Wifi (or ethernet LAN), then connect to your VPN. Connecting to the VPN might take a few minutes. It’s happened to me occasionally. During that time, your communications are NOT protected by your VPN. Also, if your VPN connection drops and you don’t notice, your communications are then not encrypted. I believe some VPN services allow you to cease communications when the VPN connection drops, perhaps through an option (called a “kill switch”). Private Internet Access, which I use, has a kill switch, and also provides a great big indication that the connection status is changing on macOS. I don’t believe this indication is so noticeable on iOS. I haven’t used this VPN on other OSes.

    3) HTTPS web sites (“secure” web sites) might themselves be misconfigured, and that misconfiguration might allow a man-in-the-middle attack. Before signing in to a new HTTPS web site, I test its connection with the free Qualys SSL Server test:

    https://www.ssllabs.com/ssltest/

    A grade of A+ pleases me. If the grade is A or lower, I send an email to the web site asking them to improve the configuration to A+. I know this is not easy, but the HTTPS web site is after all the public face of the organization.

    Thanks again!

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.