Business travelers beware of Darkhotel.
There are a lot of reasons not to use Wi-Fi in a hotel. It’s often expensive, sluggish, and unreliable. Sometimes it seems like nobody knows the network password, and when trouble arises it’s hard to convince the front desk that there’s a problem with their network, not one with your devices.
Now you can add something new to that list: Hackers are using hotel Wi-Fi to steal data through zero-day vulnerabilities that companies like Adobe and Microsoft aren’t even aware of.
Kaspersky Lab has appropriately dubbed the attacks the Darkhotel APT. (It’s not as catchy as Heartbleed, but it’s a little more explanatory, I guess.) Darkhotel works by taking advantage of hotel Wi-Fi’s public nature and the willingness with which many people install updates to popular software like Adobe’s Flash. Hackers are said to have used the tactic to steal information from people traveling in Asia, but researchers found that the malware infected computer across North America and Europe, too.
The hackers are said to have targeted specific individuals — people they knew were visiting a hotel. Attackers also knew what room the targets were staying in, when they would arrive, and when they would depart — while ignoring others. Most of the attacks were made between 2010 and 2013, but Kaspersky says it’s investigating reports of attacks made in 2014. It’s not clear how the hackers knew about their targets’ plans, how they selected their targets, or even who the hackers really are.
Knowing about these attacks doesn’t just add to the list of reasons not to use hotel Wi-Fi — it also adds an item to the ever-growing list of reasons not to use public Wi-Fi, period.
Public Wi-Fi networks are tempting. Cellular data is expensive, it doesn’t reach everywhere, and many services work better with a reliable Wi-Fi connection than a cellular one. Connecting to a Wi-Fi network makes life a lot easier. It also makes everything transmitted via the connection easier for someone to steal, thanks to faulty security features and even worse business plans.
Consider the news that broke in July about how Google, Comcast, AT&T, and other companies made users vulnerable to attack. Google put people at risk by having its Android phones trust certain networks based only on their name; the others did so by naming all of their public Wi-Fi networks the same thing. The combination of the two created a situation where hackers could steal data just by setting up a network bearing the same name as already-trusted connections.
Then there was the news that Comcast is injecting advertisements into browsers connected to its public Wi-Fi networks. Besides annoying their viewers, the ads also make the connection even less secure than it was before, as Ars Technica reported back in September:
Now it seems that hotel Wi-Fi can be used to steal information from specific targets chosen by unknown hackers because they carry undisclosed information and traveled in some of the most popular countries in Asia. So there are two options: accept all these risks for the sake of convenience, or deal with slower, more expensive cellular connections to remain a little more secure. Neither option is particularly compelling, I’ll admit, but this is the sad reality of Internet security in 2014.
Via Pando Daily