This FBI Wi-Fi warning could spoil your working from home escape plan
If you were planning to swap working from home for working from a hotel in an attempt to get a bit of peace and quiet, the FBI wants you to be careful about connecting to Wi-Fi networks.
The FBI said it has noticed more people who had been working from home were now working from hotels instead, and that hotels in big cities have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment.
Networking
"While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks," the agency warned in an alert. It said hackers can exploit lax hotel Wi-Fi security to steal work and personal data.
SEE: Network security policy (TechRepublic Premium)
Because guests are mostly unable to control the security of the Wi-Fi network they are using, criminals will try to monitor a victim's web browsing or redirect victims to false login pages, which can steal passwords and other information. The FBI said criminals can also conduct an "evil twin attack" by creating their own network with a similar name to that of the hotel's network, which guests might then log into by mistake, giving attackers direct access to their computer.
Smaller hotels will rarely change the password on their Wi-Fi, and even the most secure hotel Wi-Fi network is typically secured by a combination of room number and password. "If teleworking from a hotel, guests should not implicitly trust that the hotel has properly secured their network or is monitoring it for attacks," the FBI said.
It's not just poor passwords that are the problem with hotel networks – old and outdated network equipment is much more likely to possess known flaws that hackers can exploit. And the FBI notes that even if a hotel is using modern equipment, the guest has no way of knowing how frequently the hotel is updating the firmware, or whether default passwords have changed.
In many respects, the threats are not new: the FBI has previously warned of this, as well as the risk of using Wi-Fi in airports. Many of these security issues also apply to cafes and other open networks. While few us are likely to be flying soon, the idea of a change of scenery from the home office might tempt some workers into trying working from a hotel, rather than their now all-too-familiar home environment.
Getting hacked via hotel Wi-Fi might seem like a low risk to some, but the consequences can be far-reaching, from data theft, to cyber espionage and even ransomware attacks.
"Once the malicious actor gains access to the business network, they can steal proprietary data and upload malware, including ransomware," the FBI said.
"Cyber criminals or nation-state actors can use stolen intellectual property to facilitate their own schemes or produce counterfeit versions of proprietary products. Cyber criminals can use information gathered from access to company data to trick business executives into transferring company funds to the criminal."
The FBI also lists a number of ways to reduce the risk of being hacked while using hotel Wi-Fi
- If possible, use a reputable Virtual Private Network (VPN).
- If available, use your phone's wireless hotspot instead of hotel Wi-Fi.
- Ensure your laptop's software is up-to-date and important data is backed up
- Confirm with the hotel the name of their Wi-Fi network prior to connecting.
- Do not connect to networks other than the hotel's official Wi-Fi network.
- Connect using the public Wi-Fi setting, and do not enable auto-reconnect while on a hotel network.
- Always confirm an HTTPS connection when browsing the internet; this is identified by the lock icon near the address bar.
- Avoid accessing sensitive websites, such as banking sites, or supplying personal data, such as social security numbers.
- Make sure any device that connects to hotel Wi-Fi is not discoverable and has Bluetooth disabled when not in use.
- If you must log into sensitive accounts, use multi-factor authentication.
- Enable login notifications to receive alerts on suspicious account activity.