Why You Don’t Want to Use WiFi at an Airbnb Rental

The threat exploded at the recent Black Hat conference when security researcher Peter Galloway  told what he had done on a recent vacation: he went back to his Airbnb rental and attacked the WiFi network.  Said Galloway: “Within five minutes flat, I owned the network.”

Read that again because what Galloway is saying is that – after he seized control of the network – he also owned just about everybody who used it to browse or send email. That means your every online move probably is his to see if you are also on that network.

Your banking, your email, your contacts, your every private thought is his.

Frightened?

Know: there are ways to protect yourself. Below there are two options that should keep your data safe.

The problem with vacation rental WiFi

Understand this first, however: this vulnerability is not unique to Airbnb. Any short term rental has the same susceptibilities. That means Vrbo, Homeaway, you name it.

Also know: this is a lot worse than the risks on hotel WiFi and those risks are so big that many experts have long advised travelers just to ignore the public WiFi in a hotel room or lobby.  But WiFi in a short-term rental may be dramatically more dangerous.

That’s because the bad guy usually will be able, easily, to physically access the router – and have his way with it.  In many cases, a paperclip is all that is needed to gain permission to reset the router. From there, the bad guy can do whatever his evil heart desires.  For instance, he can add a custom DNS server that in effect routes all network traffic through his own computer. That can persist for weeks, months, maybe years – because how often do you think Airbnb hosts exam their routers for security issues?

Here’s the scenario: a cyber criminal checks into a high priced sharing economy rental for one night.  The posher, the better and that is because the guests are that much likelier to themselves be affluent.  He takes control of the router and manipulates it into forwarding traffic through his computer where he can sift it.

And he has that data stream for months – probably, really, until the router is replaced. Most experts say a router will typically last 5 to 10 years before the owner replaces it.  Think on that. For an investment of a one night stay, the criminal is probably buying access to years of traffic. That’s everything from email log ins to online banking credentials and, with a little luck, maybe a stock brokerage account and health insurance credentials too.

What do you need to do to protect yourself?

Start by asking the host where the router is. Offer a pretext: I’m having trouble connecting, let me see the router and I’ll know if I need to do anything special on my end.

If the router is publicly accessible, you need to go into defense mode.

If it is under lock and key, it’s your call – but if you easily talked your way in to see it, know that a criminal could do likewise.

That’s why, without precautions, we cannot recommend using Wi-Fi in a sharing economy lodging – even if you personally are friends with the owner (because how is he/she to know a past guest has not seized control of the router?).  In fact even if you are the owner.

You have two options when it comes to using Wi-Fi at a shared economy lodging.

Option 1: Do not use it.

Create a Wi-Fi hotspot on your phone and tether a tablet or laptop to it.

On iPhone, open SETTINGS, click Personal Hotspot, slide the button to on.  Done.

On Android, open SETTINGS, under Wireless & networks, click more….then click Tethering & portable hotspot.  Slide to open the hotspot.

Your data will ride on the cellular data network – not the accommodation’s WiFi – and cellular networks usually are very secure.

The one downside: you can go through a lot of data using a hotspot. Don’t even think about streaming video and, honestly, songs, even large images and the occasional gargantuan PowerPoint will ding your monthly data charges. Stick with email, using simple apps, a little web surfing, tho, and a hotspot is fine.  It is what most security professionals turn to in their worried moments.

Option 2: Use a VPN.

Rocket VPN is free for light users.  The plus of a VPN is that it encrypts your data so that even if it is intercepted – and it will be when a criminal has hijacked the router – all the crook will see is computer gibberish.

The one downside of VPN: you may see a hit on speed but, honestly, you probably won’t notice it if doing routine tasks like sending email, posting to Facebook, and conducting mobile banking.

The good news: either of these avenues will let you stay in an Airbnb lodging knowing your data is safe. They are safe, they work, use them to travel more securely no matter where you stay.