11 December 2013
By Bryan T. Smyth
Shocking cyber security breaches have been uncovered at 10 prominent hotels in Dublin and throughout Ireland, by IT Security Company Smarttech.ie. It has been discovered that all 10 hotels have a fundamental security flaw in their guest Wi-Fi service that puts users on the premises at risk. This security flaw can allow hackers in the proximity to access the guest web traffic and sensitive information.
Smarttech.ie carried out tests on 10 randomly selected hotels, ranging from 3, 4 & 5 star and found that even a novice internet-hacker would be able to collect everything from email logins, credit card details, Facebook passwords, PayPal account details, of people using the public Wi-Fi provided by the venues.
From October 22nd – November 27th, 10 test cyber-attacks were carried out in order to asses the risks involved and to demonstrate how dangerous unsecured Wi-Fi connections are in hotels throughout Ireland. 100% of the tests conducted revealed serious vulnerabilities and risks for the users.
Smarttech.ie wanted to demonstrate just how dangerous using unencrypted logins and passwords across a public network can be. Over the course of these security tests however, Smarttech.ie soon realised that the level of security being provided was a serious problem. In addition users seemed completely oblivious to the dangers of using public Wi-Fi.
All within twenty minutes at each location and with minimal effort, Smarttech.ie was able to observe customers’:
- · E-Mail addresses with accompanying passwords
- · Login details to workplace servers
- · CRM and VPN logins
- · Call logs from sip users
- · Phone calls recorded via sip trunk
- · Vodafone login information for mobile phone
- · Portal emails
- · Payment information and PayPal logins and passwords
- · IMAP (email logs)
- · Member logins for websites
- · Personal & Business Credit Card details
- · Website logins for classified sites
- · Facebook login and details
- · Online banking details including logins
- · Login for internet dating sites and login for other ‘classified sites’
Not only this, but one of these tests was carried out from outside the premises of the hotel meaning hackers wouldn’t even have to go inside in order to access and steal information from guests using the public Wi-Fi.
An engineer from Smarttech.ie simply sent out what is known as a “network sniffer” on the public Wi-Fi network, and in a matter of seconds a list of all devices and access to them was captured. Most public Wi-Fi networks share a single IP subnet this gives potential attackers and hackers the ability to pretend that their laptop or mobile device is the gateway on that subnet by spoofing the details of the actual gateway by a method known as ARP poisoning. This method is also known as a “Man in the Middle Attack” and is so straight forward that even novice hackers could do this.
This type of security breach is a most serious one and the duty of care rests squarely with the venue. This is terrifyingly simple crime and these hotels need to understand that it is the duty of the hotel to make sure that customers accessing its public WiFi are provided with a secure service as well as being informed of the potential risks. The weakness of the security on your public Wi-Fi means your Hotel could be in violation of EU Directive for public Wi-Fi ‘Directive 2006/24/EC’ (15 March 2006) passed in the wake of the 7 July 2005 bombings in London.
This is extremely dangerous and is exceptionally worrying as customers are almost completely unaware of the how dangerous using unencrypted logins and passwords across a public network can be.
According to Ronan Murphy, CEO of Smarttech.ie, “Consumers need to be aware that if you are accessing public Wi-Fi there are serious security challenges. The tests we carried out prove that these risks affect anyone using public Wi-Fi. However there are steps that hotels and restaurants can take to secure their Wi-Fi service and therefore protect their customers”. Smarttech.ie have written to each of the 10 hotels that were tested and outlined the steps they should take to secure their public network.”