Notes from the Battlefield: Cybercriminals vs. Business Travelers
and How to Keep Your Data Safe
It used to be that a business trip was just a business trip, complete with pay-per-view TV in bed, tiny bottles of shampoo and room service for anyone feeling extravagant. Yet in today’s era of global business travel, mobile devices, and ever-more-sensitive digital data, a seemingly innocuous stay in a hotel could result in disastrous security breaches for business travelers and the companies they represent. What are the security concerns currently affecting executive travelers, and how did they creep undetected into the hospitality industry to muck up a relatively good thing? More importantly, what can executives and security professionals do to fight back?
Tinker, Tailor, Soldier, Spy
DarkHotel hit the news a couple years ago following a spate of cyber attacks that targeted executive-level guests at luxury hotels in Asia. First recorded in 2007, the attacks came to light more fully a few years later when researchers got reports about a cluster of customer infections.
Here’s how it works: Attackers infiltrate hotel WiFi networks and fool users into downloading malicious software that looks like a bona fide software update. Once the user downloads the virus, an advanced key-logging tool is installed that enables the hackers to track passwords. They relentlessly spearphish specific targets in order to compromise systems and use a P2P campaign to infect as many victims as possible. To evade detection, the hackers delete their tools from the hotel network after the operation is finished.
The original DarkHotel attacks were striking due to their sophistication and the suggestion of a state-sponsored campaign. High-profile executives from businesses, government agencies and NGOs were among the targets, with the majority of infections located in Japan, Taiwan, China, Russia and South Korea. Researchers believe that the initial DarkHotel campaign was likely the work of a nation-state campaign, with signs that it may have originated in South Korea.
Not Just for the 1% Anymore: DarkHotel For the Rest of Us
The cloak and dagger nature of the original DarkHotel campaign and its possible tie-in to government spying make it all too easy for more run-of-the-mill companies and executives to continue along their merry way, harboring the illusion that DarkHotel won’t affect them. Sadly, that’s simply not the case.
Cyber attacks on luxury hotels have expanded greatly since they were first discovered, potentially numbering in the thousands, among hundreds of hotels worldwide. Starwood Hotels became a recent casualty of cybercrime late last year when point of sale systems at some North American hotels were infected with malware, enabling unauthorized parties to access payment card data of customers.
Corporate executives with valuable personal assets make enticing targets for hotel hackers. However, cyber criminals often set their sights on a bigger target: the victim’s corporate assets. It’s easy to see how enterprise data is at risk given that hackers can gain access to everything on a victim’s mobile devices. They can also install malware targeting files, photos, built-in cameras and microphones, enabling a level of cybercrime unthinkable in the past. And don’t forget that a hotel’s reservation database and keycard system can provide useful access to customer information.
Not surprisingly, a new wave of cyber criminals has turned hotel hacking into a veritable free for all, often lying in wait to cherry-pick their targets. There are businesses hacking competitors, governments hacking businesses, and governments hacking each other. And let’s not forget regular old cyber thieves who are simply out to make a buck.
As malevolent as it may seem, DarkHotel is a part of a digital ecosystem and the outgrowth of new ways of computing. What trends in today’s technology landscape have allowed them to take root?
The Evolving Digital Landscape: DarkHotel 2.0
Two key technology trends have emerged that account for much of the DarkHotel phenomenon and explain why business travelers and their enterprise endpoints are exposed to significant security risks.
- First, executive travelers are connecting to data and services using their own mobile devices. This widespread practice has increased hacking possibilities exponentially, with enterprise data especially at risk as executives work and check in with their corporate offices from the road. Not only do users often have several devices – smartphones, tablets, laptops, and wearables – but they’re weakly protected and regularly in use. They also handle large volumes of increasingly sensitive data. This is alarming since hackers can extract unencrypted or weakly encrypted data from devices, and even modify a device to obstruct security measures.
- The second trend in mobile computing presents a much bigger problem and involves executives using cellular or public WiFi networks rather than corporate networks. By taking data outside of corporate firewalls/IPS/NAS or DOS network protection, users are incurring risks to not only their own devices, but to others connected to the same business network. Whether hotels own and operate their network infrastructure or use a managed services firm, most carry little to no security and don’t encrypt their public networks. Sometimes hotels also have routers susceptible to easy hacking.
Hackers take advantage of the fact that every wireless device is designed to trust the network to which it connects. The threat is real: Dell recently misconfigured its certificate on laptops, resulting in exposure to commjacking of an estimated 10,000,000 laptops. Accordingly, “man-in-the-middle” attacks where hackers lure users to connect to fake public or cellular WiFi networks have become the preferred strategy for so-called “commjackers” that target hotels and other public spaces such as coffee shops and airports.
Whereas hijacking a public WiFi or cellular network was once time consuming, complex, exorbitant, big and bulky, the tools of the hacking trade have gotten simpler, cheaper, smaller and more powerful. Using inexpensive open source tools and widely available network equipment, even novice hackers can now easily commit man-in-the-middle attacks. Videos available on YouTube, attracting millions of views, describe the steps needed to accomplish this, with the tools needed to commjack networks now being sold online for nominal cost.
With the means so simple and the rewards so rich, it’s no surprise that DarkHotel have taken off. Where does this leave business executives who have sensitive data to protect?
Fighting Back: Security Strategies to Help Executive Travelers Stay in the Game
There are various common sense strategies that executive travelers can adopt to safeguard their mobile devices.
- All devices should be equipped with anti-malware and anti-virus solutions and include password protection, encryption, data backup and remote data wipe capabilities.
- Other smart protective measures include using a VPN or IPSec and paying attention to SSL certificates when conducting sensitive, online activity.
- Multi-factor authentication with one-time use tokens are a good safeguard and users should always delete saved public networks.
- It’s also important that travelers double-check update alerts that pop up on their computer during hotel stays.
Enterprise IT departments can also play a role in ensuring digital security. Executives should outline their travel plans to their IT personnel, who may have access to intelligence on cyber threats. Security professionals can also check devices upon the executive’s return for signs of hacking, and implement training to help executives minimize security risks while traveling.
Still, the above strategies can only do so much absent safe WiFi and cellular connectivity. Fortunately, enterprises can also take steps to secure the network used by executives who are on the road. To accomplish this, companies need comprehensive network protection equivalent to a corporate Firewalls/IPS/NAS. Enterprise IT departments can purchase and deploy such solutions that operate in conjunction with existing anti-malware solutions. Telcos and MSSPs are increasingly doing the same to provide network-level security on top of their core business services, software installation and maintenance.
Using monitoring solutions available on the market, users can install a software agent on their mobile devices to detect malicious networks in real-time and prevent devices from connecting to compromised hotspots. Such security packages can deliver real-time threat maps and enable companies to plan their response protocols. Enterprise security solutions are also available to protect against remote-based commjacking, where hackers remotely take control over routers and cellular base stations to access voice and data traffic.
Help for Those Who Help Themselves
Many of the original DarkHotel techniques remain in use today, with the addition of some new strategies. Like bedbugs, hackers are evolving alongside the strategies designed thwart them. Fortunately, while the risks posed to business travelers by DarkHotel are alarming, it is possible to secure data and prevent potentially astronomical losses to corporate data, assets and IP. What can’t be mitigated are the risks posed by inaction, where business travelers and their companies simply hope for the best and cross their fingers that hackers won’t hit them. In today’s mobile-first world, executive travelers who haven’t been hit already probably will be soon.