A newly discovered vulnerability in Wi-Fi security could be hugely problematic for both hoteliers and guests, and action must be taken to mitigate the risks, sources said.
REPORT FROM THE U.S.—A widely used Wi-Fi security standard long thought to be safe and secure was recently proven to be neither, and experts are now warning that both businesses and consumers need to respond as quickly as they can to protect themselves from possible security threats.
In mid-October, security researchers announced a widespread exploit in the Wi-Fi Protected Access 2 (WPA2) standard that “could be exploited to read and steal data that would otherwise be protected,” according to reports from various media outlets, including Wired. Researchers termed the issue a “Key Reinstallation Attack,” which they call “Krack” for short.
Ted Harrington, executive partner with Independent Security Evaluators, put the issue in relatively simple terms.
“It is extremely bad; it is extremely widespread; (and) it is relatively easy to fix,” Harrington said in an email interview with HNN.
John Bell, president and founder of AjonTech, said the vulnerability “impacts both sides of the WPA2 handshake.”
“You’re vulnerable from both the access-point side and the device side,” he said. “That means hotel systems and deployed access points probably all need to have firmware updates. Otherwise, this will be a continuing problem forever.”
The “four-way handshake” is a technical term describing the process in which an access point and a device verify the network password and encrypt data. The new exploit allows hackers to manipulate the third step in the process to unencrypt or forge data.
“This means that an attack could obtain unencrypted data, including things like passwords, personally identifiable information and payment card information,” Harrington said.
Hackers could also exploit the vulnerability to “modify or forge data,” “provide ways to inject ransomware or other types of malware into certain websites” and “access any attached storage,” he said.
Patrick Dunphy, CIO for Hospitality Technology Next Generation, noted the impact could be nuanced across the hotel industry.
“Hoteliers need to remain vigilant and care for the guests as they would their own corporate network, but most hotels do not use the unpatched vulnerable protocol WPA2,” he said via email. “Guest networks are not in the scope unless a WPA2 network is provided, but hoteliers should be aware that these type of attacks and vulnerabilities have existed for years.”
However, he noted, the vulnerability does call attention to long-existing issues within hotel networks.
“The Krack vulnerability underscores the fragility of our communications systems, and hoteliers need to prepare for a future where these vulnerabilities are commonplace,” Dunphy said.
Steps must be taken
Bell agreed that hoteliers need to be more proactive in general about securing information transmitted by guests. He noted that it’s a common frustration for him that hotel websites and networks don’t utilize the HTTPS security protocol to encrypt traffic.
Without HTTPS, “those credentials are going in plain text in what’s now not even a secure connection,” he said. “So first, you must fix that, so then at least your content is not available to those snooping.”
He said hoteliers must seek to update their devices to resolve the vulnerability, and should be transparent through the process.
“In the meantime, you have to warn guests,” Bell said. “Tell them ‘Our routers are (impacted) just like yours are.’ And help them understand this is not a unique problem to (the hotel).”
Dunphy said HTNG is making better encryption of guest and staff data a priority through its centralized authentication workgroup. He suggested concerned hoteliers or people working on a solution can lean on that resource.
He also noted a silver lining in the new vulnerability is that it can only be exploited within the range of the hotel’s Wi-Fi, not remotely. But hoteliers should be careful to check older systems that might be tied to sensitive data.
“In recent years, hotel operations may have relied on WPA2 networks to secure point-of-sale communications with back-end servers, but recent advances in device communication encryption—called tokenization—may negate the risks of the Krack vulnerability,” he said. “Legacy POS and other sensitive devices should be thoroughly checked and verified with the manufacturer and known secure configurations.”
Harrington noted “most or all” hotels will likely be affected by the vulnerability since it’s more impactful to enterprise networks than personal networks. He said the fact that many people are continually flowing in and out of a hotel means more people have access to your networks and could potentially cause harm or steal data.
“Hospitality environments are designed to foster the ability for the unknown public to access at least certain aspects of the network,” he said.
Look for updates
Harrington said the next steps are pretty straightforward.
“Patch everything, immediately,” he said. “Patching is very effective against this issue and does not break functionality, as the patches are backwards compatible—meaning a patched access point will still work with an unpatched client. Many vendors have already rolled out effective patches.”
He noted that to solve the problem both the access points and the devices accessing the network need to be updated.
“Many older devices will never be updated, (and) thus remain insecure,” Dunphy said.
“Hoteliers need to take special care to ensure that legacy Wi-Fi enabled appliances—older point-of-sale and other highly sensitive devices—are patched or decommissioned in favor of newer, more secure devices that support modern encryption schemes that are regularly updated,” he said.
Bell said the fact many devices are not expected to ever see a patch means some hotels will be forced to invest in new technology earlier than they had planned. He said some hoteliers who opted to go with cheaper devices could now be paying the price for that decision.
“That’s one of the choices you make when you buy,” he said. “Are you going with the good manufacturer who regularly updates or the least costly product?”
He said it’s important for hoteliers and other business owners to recognize this is a serious issue.
“Each hotel has to do (an assessment of risk versus cost to replace) and figure out what we have to do and how to protect customers the best we can,” Bell said.
He also suggested this should be a reminder to hoteliers to be careful when choosing which vendors to work with, including seeking out vendors who “do a better job keeping up to date.”
In the interim, Bell said, hotels should push guests to use more secure connections if they’re on the Wi-Fi, such as VPN.
While working through updates, Harrington suggested that guests and staff “may want to consider plugging in via Ethernet, rather than using the Wi-Fi functionality.”
“This issue does not affect connections via Ethernet, so that is an easy and effective mitigation to this issue,” he said.
What he suggested not doing was switching to WEP password, which is an older and even less secure password protocol for Wi-Fi.