Are you at risk from the Dark Hotel?

Peter Crush

Thursday 26 February 2015

For years, many of the worst things that could happen to executives checking into an unfamiliar hotel weren’t actually very bad at all. Getting a dirty room, one directly above a noisy night-club, or being served some dodgy food could all be very annoying, but it was nothing worth losing a sense of proportion about. That is until now…

Don’t let data cause heartbreak at your hotel 

What’s changed is that businesspeople are increasingly being hit by a security threat known as ‘DarkHotel’, a particularly pernicious piece of malware that specifically targets senior travellers as they connect to Wi-Fi in what they assume is the safety of their hotel rooms. Unsuspecting users are prompted to update popular software, such as Adobe Flash or Windows Messenger, before they can access the web; what they actually install, alongside any genuine update, is the DarkHotel backdoor, which can steal email log-in details, record keystrokes, collect data and hunt for other cached passwords.

Although the malware was first identified as long ago as 2007, the respected Kaspersky Lab recently revealed a significant rise in attacks, particularly in the APAC region. Those targeted included CEOs, senior vice-presidents and sales and marketing directors. TK Keanini, CTO at Lancope, says: “There have been reported cases of malware physically installed on a laptop left out in a locked hotel room via USB – to be accessed later when the corporate device is back on the corporate networks or operating in sensitive transactions. It is now a very real threat.”

The only way to rule the risk out entirely is for execs not to access any email at all while on the road, but that is hardly practical. So are there any tips?

“DarkHotel is a good reminder that any hotel Wi-Fi network is potentially unsafe,” says Chris Boyd, malware intelligence analyst at Malwarebytes, the IT security company. “Travellers should take the time to research ISPs in the regions they’re visiting and invest in Wi-Fi data sticks.”

Often, advice to executives includes signing directly into the organisation’s own corporate VPN (virtual private network) and accessing data that way, but according to Ian Pratt, co-founder of security firm Bromium, this should still be avoided: “Most hotel/airport Wi-Fi networks require you to successfully sign in to a captive portal page before they will allow you external access,” he says. “In many cases, it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine, which is then compromised.” He adds: “Bringing a VPN up at this point actually plays directly into the attackers’ hands, because it brings the infection onto the enterprise network.”

Because the DarkHotel malware has been cryptographically signed with digital certificates that appear to belong to a trusted third party, business leaders are advised to treat any software update offered over hotel Wi-Fi as suspicious. A valid signature on its own proves only that somebody held a signing key, so if an update really must be installed, confirm that the installer is signed by the appropriate vendor: the certificate chain should verify and the name on the signing certificate should be the vendor’s, not merely reported by Windows as ‘signed’. Any work PCs with pre-installed internet security suites should also include proactive defences against threats, such as exploit or behaviour blocking, rather than just basic signature-based antivirus.
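As an added illustration of the ‘signed by the appropriate vendor’ check described above (this is the editor’s example, not code from the article, from Kaspersky Lab or from any vendor mentioned), the PowerShell function below refuses an installer unless its Authenticode signature both verifies and names the expected publisher. The expected subject pattern, the minimum key size and the download path in the usage line are assumptions that a reader would replace with their own values.

```powershell
# Added example, not code from the article or from any vendor named in it.
# Checks that an update installer is validly Authenticode-signed AND signed by
# the vendor you expect. Assumes Windows PowerShell 5.1 or PowerShell 7 on
# Windows with .NET 4.6 or later (needed for GetRSAPublicKey).
function Test-UpdateSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex matched against the signer certificate's Subject, e.g. 'O=Adobe'.
        # The value you pass is an assumption: take it from a known-good copy of
        # the vendor's software on a trusted machine, not from the download itself.
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern,
        [int] $MinimumRsaBits = 2048   # conservative policy value, assumed
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 1. The chain must verify. NotSigned, HashMismatch and NotTrusted all fail here.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "'$Path': signature status is $($sig.Status). Do not run it."
        return $false
    }

    # 2. 'Valid' is not enough. A chain that verifies back to a public CA only
    #    proves that *someone* held a key the CA vouched for; the name on the
    #    certificate must be the vendor's.
    $cert = $sig.SignerCertificate
    if ($cert.Subject -notmatch $ExpectedSubjectPattern) {
        Write-Warning "'$Path': validly signed, but by '$($cert.Subject)', not the expected vendor."
        return $false
    }

    # 3. Hygiene: refuse short RSA signing keys, which are within reach of
    #    factoring and would let an attacker forge an otherwise 'valid' signature.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinimumRsaBits) {
        Write-Warning "'$Path': signer key is only $($rsa.KeySize)-bit RSA."
        return $false
    }

    Write-Verbose "'$Path': signed by $($cert.Subject), thumbprint $($cert.Thumbprint)"
    return $true
}

# Usage (hypothetical path and subject pattern):
# Test-UpdateSignature -Path "$env:USERPROFILE\Downloads\flash_update.exe" -ExpectedSubjectPattern 'O=Adobe'
```

A passing result is only as good as the expected-subject value you supplied, and it says nothing about where the file came from. The safer policy the article goes on to describe is still the ‘no changes allowed’ rule: decline anything a captive portal or pop-up offers, and let the vendor’s own updater fetch updates once the laptop is back on a trusted network.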

This is all very good, but should hotels and internet providers themselves be doing more to tackle the issue? “It’s highly likely that a hotel will have far less stringent security practices for its internet provision than a business; that’s why it makes the travelling user an easy target,” says Fraser Kyne, principal systems engineer, also at Bromium.

Because hotels are primarily in the hospitality sector, and not in the business of providing hacker-proof access to the internet, he believes the problem can only be solved at what he calls ‘the endpoint’, i.e. on the traveller’s own laptop rather than in the hotel’s network. He states: “Innovative solutions like micro-virtualization – which abstracts applications and sub-processes from hardware, and runs them in isolated environments – protect you from this kind of attack by design.”

One approach is to make sure executives consume any internet services through a portable Wi-Fi device that connects via a cellular network. This gives users a self-contained source of internet access that is for their use only: there is no hotel captive portal to serve up a fake update, and no shared access point for an attacker in the building to eavesdrop on. It’s more hassle, but it sidesteps the hotel network entirely. It’s either this, say experts, or impress on the busy traveller that they stick to the ‘no changes allowed’ rule – that is to say no downloads, and no new software or hardware installations while away. That alone defeats the fake-update lure at the heart of DarkHotel, though it does nothing against a laptop physically tampered with in an unattended room, which is a separate reason not to leave the device behind.

That being said, it seems the best defence is perhaps education. “If the primary threat is pop-ups asking potential victims to install fake Flash files, then perhaps the security teams of companies should be spending more time educating their CEOs on the dangers of basic social engineering,” Boyd concludes.
