Whether you travel on business or for pleasure, the chances are pretty high that you will make use of the Internet while abroad. If you are staying at a hotel then, given the high cost of international data roaming on most mobile networks, the chances are that you will make use of the Wi-Fi connection provided by the hotel. Unfortunately, for business travellers at least, the chances are increasingly high that doing so will put your data at risk. So much so, in fact, that the FBI has now issued an official advisory for Americans travelling abroad.
Why business travellers and not those simply taking a vacation? How many people disappearing abroad for a bit of rest and relaxation pack the laptop? I would suggest the answer is very few indeed, with the vast majority being happy enough with their smartphone when it comes to travel tech and maybe an iPad or Android tablet at a push. Things are very different for the average business traveller who will, most certainly, be packing a laptop bag in order to remain productive during the trip.
As far as the bad guys are concerned this opens up a double-whammy world of opportunity. First there's the lure of the kind of data that the business laptop can act as a gateway to, and if that weren't enough then there's the laptop itself which acts as the key. Although there are plenty of emerging threats to smartphones and tablets alike, in particular for users of the Android platform currently, these pale into insignificance when compared to those targeting users of the Windows OS in just about any variety. Users of Windows-powered laptops accessing the Internet in a foreign country by way of hotel room Wi-Fi pose a particularly attractive target indeed, as the FBI alert explains:
"Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to set up the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available."
What the FBI alert doesn't explain is that it matters not one jot if the hotel Wi-Fi service is secured, unsecured, free, paid for or anything else. This scam has nothing to do with the hotel wireless Internet service at all, but instead it has everything to do with the bad guys spoofing that service. It sounds like a complicated sting to set up on the off chance of catching a passing businessman, but truth be told it's nothing of the sort. All the would be hacker has to do is set themselves up in a hotel room, public area, car park or wherever and run a 'fake access point' using the same Service Set Identifier (SSID) as the hotel Wi-Fi itself. This identifies the access point as being part of the network that the hotel provides, and Windows will happily connect to the strongest signal any access point with the right SSID is kicking out. If that happens to be a fake one, then you are in trouble.
The FBI goes on to recommend that "government, private industry, and academic personnel who travel abroad" should update software "immediately before traveling" and if they absolutely must update whilst abroad then only to do so directly from the software vendor's website and only then after checking the digital certificate to ensure you really are connected to the genuine site.
Again, the FBI fails to mention one important thing that users of hotel Wi-Fi should be doing to mitigate the risk of fake access point hijacks, and that's applying the 'if it looks dodgy, disconnect' maxim. By which I mean that just about every genuine hotel Wi-Fi service will require you to initiate access via some kind of gateway page for the hotel chain or Wi-Fi service provider, or both. If, when you fire up your browser, you don't get to such a splash page then go ask the reception desk for advice. It also fails to recommend that those away on business should be investing in some kind of VPN for their connectivity if they expect some semblance of security while on the road.
Whatever, I'd go further than the FBI and say that the advice applies to anyone travelling abroad with their lappy, or even using the thing at home across a public Wi-Fi network. Indeed, when using any public hotspot it's worth remembering that the kind of pop-up scam mentioned by the FBI is not the only threat to worry about and some are nowhere near as visible. Take Firesheeping for example.
Firesheeping has become a generic term applied to the act of sniffing out your data whilst using an unsecured Wi-Fi connection. Also known as sidejacking, a bad guy with the right software tool can pluck your session cookie data out of thin air as you browse, answer your email, do a bit of online shopping, check your bank balances and the like. These cookie copies can then be used to continue your session after you have actually done an Elvis and left the building. Users of free public Wi-Fi, or any unsecured wireless connection, should get into the habit of only doing so if they use secure HTTPS connections exclusively during their sessions.
