In-hotel Internet access can be a boon for travellers – but it can also be a security nightmare, as David Braue found out.
There's nothing like traveling to bring into focus the broad range of technologies people are relying on every day: in some cities you're awash in free WiFi, while others seem to be full of hoteliers who can't even spell USB. But what do you do when this lack of technological sophistication causes a major security breach?
This is the situation I faced during a recent trip to Washington, DC, where the inhouse Internet access seemed reasonably priced – $US9.95 for 24 hours – and it was more than fast enough for all the things your average traveler would want to do. Considering I was in town to cover Microsoft's high-energy Worldwide Partner Conference, this largely consisted of writing stories, video Skype calls back to family in Australia, and doing loads of Web surfing to do backup research and lodge stories in their various forms.
It was only during a late-night Web session, jacked into the hotel network, that I noticed something a bit strange: in the Shared section of my Finder window, a computer called rvt-michelle had made itself known. It wasn't there previously, but had appeared, uninvited, on my system thanks to the robustness of today's network discovery protocols.
Intrigued, I clicked on it, and was presented with a file structure that included folders called 'Brianna School', 'Brianna Senior Year', 'My Videos', 'SharedDocs', and something called 'Auction2006'. From my guess, this was Michelle's computer, and Brianna would be her – daughter?
You can't run across something like this without at least looking: Brianna's school stuff, I confirmed, was full of study notes, vocabulary lists for college entrance tests, something about Dracula, and a bunch more stuff that brought back uni flashbacks so strong I couldn't bear to dig anymore. I didn't open any of the files, but the fact that they were there – and shared in a public folder – confirmed that Michelle was definitely sharing things she probably didn't mean to.
.
It was around then that it hit me: if I could see the shares that Michelle's computer was offering, Michelle's computer could probably see my system, which is also set up to share some information by default in order to make it easier to access from other computers on my home network. I rushed to System preferences, shut off file sharing, and suddenly felt like I needed a shower.
This sort of stuff isn't supposed to be available on a large network like the ones hotels install, but it's a sure sign that the network has been set up with suboptimal access controls. Ideally, the hotel should have a carefully controlled link between your computer, the Internet router, the Internet and nothing else – but some hotels just bundle all their guests onto a single shared LAN and call it a day.
I once saw this difference in Singapore, where one (expensive, name-brand) hotel restricted paid network access to one device using its MAC address, while another (cheap and cheerful) hotel didn't care what I plugged into the network and provided access for all. The latter approach may have made my life easier at the time, but the implications are significant when it's clear that unfettered – and often accidental – sharing of documents could well pose a very serious security risk for travellers who may inadvertently share far more than they want to when going online.
Similar issues could potentially taint access to many wireless LANs, which are invaluable to travellers but are also more than capable of facilitating sharing between connected devices.
The moral of the story? Shut off network shares while you're travelling. Make sure your firewall is on and active, since unfettered access from other systems means your computer could easily be targeted by someone with malice at heart and too much time on their hands. And, if you ever worry about being too paranoid on the road, just think of Brianna.