The danger of using PCs in hotel business centres

Many of us in the Northern hemisphere are gearing up for our summer holidays – and will be looking forward to some sunkissed days away from home.

But I’ll tell you one place where you won’t find me – in the business centres of hotels.

Hotels big and small around the world provide internet access to their guests, so you can send emails home or print out tickets for a show that you’d like to attend, but – critically – these computers don’t belong to you.

Any time you use someone else’s computer you’re making a big leap of faith – can you be sure that the computer hasn’t been compromised? How do you know there isn’t malware lurking on the PC that might be waiting to steal your email password or log your every keystroke as you access your online bank account?

At least on your home computer you know whether you’re doing a half-decent job of keeping it patched with the latest security patches for Java or Adobe Flash, or when the last anti-virus updates were installed. And you also have a good idea as to who has had physical access to the PC.

But on an unloved shared computer in a hotel you often have no simple way of knowing who might have accessed it, or how careless its previous users might have been.

That’s bad news if you’re away on holiday and need to use the internet to book outings or communicate with your family back home, and it’s bad news if you’re travelling on business and need to keep in touch with head office.

So it’s perhaps no surprise to read that the US Secret Service and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) have sent a non-public advisory to the hotel industry, warning them that criminal gangs might have been deliberately infecting the computers in their business centres.

“The following is an advisory for owners, managers and stakeholders in the hospitality industry, which highlights recent data breaches uncovered by the United States Secret Service (USSS). The attacks were not sophisticated, requiring little technical skill, and did not involve the exploit of vulnerabilities in browsers, operating systems or other software. The malicious actors were able to utilize a low-cost, high impact strategy to access a physical system, stealing sensitive data from hotels and subsequently their guest’s information.”

Security blogger Brian Krebs reports that authorities in Texas recently arrested people they suspected of compromising several hotel business centres in the area of Dallas and Fort Worth.

As the advisory explains:

“In some cases, the suspects used stolen credit cards to register as guests of the hotels; the actors would then access publicly available computers in the hotel business center, log into their Gmail accounts and execute malicious key logging software.”

“The keylogger malware captured the keys struck by other hotel guests that used the business center computers, subsequently sending the information via email to the malicious actors’ email accounts. The suspects were able to obtain large amounts of information including other guests personally identifiable information (PII), log in credentials to bank, retirement and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”

Hopefully you can see what a treasure trove of personal information could be stolen by hackers who have access to a hotel PC.

And note that the criminals didn’t need to plug in a USB stick to install the malware, or visit a dangerous site. They simply audaciously walked into the business centre and were able to download it from an account they had created – it could just as easily have been planted in a Dropbox or Google Drive account under their control, and used to infect the PC in readiness for the next unsuspecting user.

It’s easy to imagine how such a boobytrapped computer might outwit a holiday maker, or could even be used in targeted attacks if a particular business conference was being held at the hotel.

And even though some business centre computers may have taken the safeguard of not allowing anyone to log in with Administrator rights, that’s no guarantee that a Windows PC cannot be infected by malware.

If you have a choice, use your own computer or smartphone to access the internet when away on business or on vacation. If you are concerned about the possibility of a hotel’s Wi-Fi being insecure, use VPN software to encrypt your communications and prevent them from being sniffed.

And if you run a hotel, think carefully about what steps you are taking to protect your customers when they use a business center computer. Lock down PCs as much as possible, make sure security patches and updates are applied, or consider installing web kiosk software (Linux-based Webconverger is an example) that can provide more secure, locked down browsing and wipe all private information when a session is over.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


  • Wow, the USSS acts like this is news. This alert could have gone out 10 years ago and it still would have been a doh notice.

    What next? Will the USSS tell us not to use internet cafe PCs while travelling abroad?

  • Of course an additional option could be to use a Windows To Go drive to boot into a secure, encrypted partition that you take with you on a USB stick and still have full access to Windows…and it’ll probably recognize the printer that’s connected to the device too. There’s a few vendors in this space, Spyrus and Imation IronKey to name just two.