Noting an increase in telework from hotels, the FBI issued a public service announcement regarding the cybersecurity risk this could pose for guests.
“The Federal Bureau of Investigation is issuing this announcement to encourage Americans to exercise caution when using hotel wireless networks for telework,” the PSA states. “FBI has observed a trend where individuals who were previously teleworking from home are beginning to telework from hotels. U.S. hotels, predominantly in major cities, have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment.
“While this option may be appealing, accessing sensitive information from hotel wi-fi poses an increased security risk over home wi-fi networks. Malicious actors can exploit inconsistent or lax hotel wi-fi security and guests’ security complacency to compromise the work and personal data of hotel guests. Following good cyber security practices can minimize some of the risks associated with using hotel wi-fi for telework.”
It noted that cybercriminals seek to take advantage of the hotel environment, where unaffiliated guests are using the same wireless network without the ability to control, verify or monitor network security.
“Much of a hotel’s network infrastructure is entirely out of the control of the hotel guest,” the PSA states. “Guests generally have minimal visibility into both the physical location of wireless access points within the hotel and the age of networking equipment. Old, outdated equipment is significantly more likely to possess vulnerabilities that criminal actors can exploit. Even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware of that equipment or whether the hotel has changed the equipment’s default passwords. The hotel guest must take each of these factors into consideration when choosing whether to telework on a hotel network.”
It provided the following signs that may indicate your computer, phone or tablet has been compromised:
- “Mobile device slows down suddenly;
- Websites automatically redirect away from the website you are attempting to visit;
- The cursor begins to move on its own;
- A mobile device begins to launch apps on its own;
- An increase in pop-up advertising;
- A sudden increase in data usage;
- Faster than usual decrease in battery life;
- Unexplained outgoing calls, texts, or emails.”
The PSA stated that if your device has been compromised, you shouldn’t forward any suspected emails or files. You should disconnect your device from all networks and turn off wi-fi and Bluetooth. Notify your IT department or a qualified third-party cybersecurity expert of any significant changes. It also stated you should report cyberattacks and scams to the Internet Crime Complaint Center.
It provided the following recommendations for reducing the risk of using hotel wi-fi:
- “If possible, use a reputable Virtual Private Network (VPN) while teleworking to encrypt network traffic, making it harder for a cybercriminal to eavesdrop on your online activity.
- If available, use your phone’s wireless hotspot instead of hotel Wi-Fi.
- Before travelling, ensure your computer’s operating system (OS) and software are up to date on all patches; important data is backed up; and your OS has a current, well-vetted security or anti-virus application installed and running.
- Confirm with the hotel the name of their wi-fi network prior to connecting.
- Do not connect to networks other than the hotel’s official wi-fi network.
- Connect using the public wi-fi setting, and do not enable auto-reconnect while on a hotel network.
- Always confirm an HTTPS connection when browsing the Internet; this is identified by the lock icon near the address bar.
- Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as Social Security numbers.
- Make sure any device that connects to hotel wi-fi is not discoverable and has Bluetooth disabled when not in use.
- Follow your employer’s security policies and procedures for wireless networking.
- If you must log into sensitive accounts, use multi-factor authentication.
- Enable login notifications to receive alerts on suspicious account activity.”