Hotel Wi-Fi Hacks by Russian Group a Stark Reminder

Researchers are warning that the notorious Russian cyber espionage group behind last year's DNC hack now appears to be targeting hotel Wi-Fi to harvest sensitive data. It's a stark reminder of the need for VPN protection on these networks.

Russian Hackers Target Hotel Wi-Fi
By Claire Broadley

Most of us are relieved when we find open, fast internet access away from home. But public Wi-Fi is a privacy nightmare. The need for convenience when traveling has created a honeypot for hackers who scrape private data from public Wi-Fi networks and create fake hotspots that scan users’ devices.

Fancy Bear, the Russian hacking group implicated in the DNC hacks last year, has allegedly used the security flaws in public Wi-Fi to hack patrons at premium hotels. Some of their strategies are sophisticated, but many use simple phishing attacks — the same type of attack that was used to obtain John Podesta’s emails.

This latest attack is surprising in both its simplicity and its effectiveness. And it proves that our warnings about public Wi-Fi are still falling on deaf ears. Fancy Bear might be the highest profile group carrying out these attacks, but they are certainly not alone.

The Problem With Public Wi-Fi

Whenever you travel overseas, Wi-Fi is essential to avoid huge roaming charges in some places. It’s much easier to connect to an open network than ask for passwords or login tickets from staff. And hackers are all too aware of that.

Traffic on open networks isn’t encrypted, so it’s relatively simple to eavesdrop and intercept network traffic. The hacker simply has to connect to the same network, and run an application that scans network traffic to see what you’re up to.

In the hotel hack, the culprits — assumed to be Fancy Bear — used a notorious tool called EternalBlue, which was originally developed for the NSA and used by the hackers behind the recent WannaCry global ransomware attack. Alongside it, they used more basic methods like the distribution of malicious Word documents. For around a year, they’ve been silently compromising hotel servers, stealing usernames and passwords from hotel guests, and installing malware on computers.

That should be enough to convince you to use a VPN when traveling. But the details of this attack are even more alarming.

Have You Been Hacked Without Realizing?

We tend to assume that we’ll only be hacked if we click a link in a dubious email, or log on to a network that’s run by a seedy provider rather than a trusted hotel chain.

But there are two important facts about these hotel attacks that topple both assumptions.

First, the usernames and passwords were collected passively; the user didn’t need to type them in for them to be captured. The Fancy Bear team used software that impersonates trusted network devices like printers, tricking the user’s computer into logging on and revealing its credentials in the process. It’s a silent process, and one that would catch every user completely unaware until they realized someone else was logging onto their computer.

These hacks have two major features: usernames and passwords were collected passively and then decrypted.

Secondly, the passwords in this attack appear to have been decrypted. So not only do the hackers have a method of gaining victims’ data, but they also appear to be able to unscramble it remarkably quickly — within hours, in one case.

We tend to assume that hashed passwords are safe. In this case, it seems they were anything but.

Everyone is a Target

Fancy Bear — or whoever the hackers are in this case — have clearly targeted upscale hotels for a reason. Identity theft and hacking can be lucrative when the right victims are chosen, and business travelers offer valuable back-door access into corporate and government networks — a potential goldmine of valuable information.

But we know that targets of hacking vary, and hackers are just as interested in sending out spam emails, stealing intellectual property, and rooting around for payment apps on your phone.

If you’re still using Wi-Fi networks that don’t have a password, you need to understand that you’re giving hackers an open invitation to browse your device, log onto it, and install whatever they want. Your social media traffic and camera roll reveal far more about you than you realize, and could be used to doxx you, blackmail you, or rob you blind.

VPNs can’t protect you from every threat. But they do add a layer of protection when using public Wi-Fi. Next time you stay at a hotel, get a VPN set up beforehand. You never know who’s been logging into the network before you checked in.