Is It Safe To Use Hotel Wi-Fi?
Free Wi-Fi in your hotel room seems like a nice perk. But browsing, working, banking, or shopping while on hotel Wi-Fi can put you at serious risk.
In 2019, security researchers tested Wi-Fi hacking across 45 locations in five countries. Not a single hotel passed the test [*]. The situation hasn’t gotten any better in recent years.
Hotels are the third most common target of cyber attacks, representing 13% of all cyber compromises in 2020 [*]. If your data was leaked during a data breach or is circulating on the Dark Web, it might have gotten there from an unsafe hotel connection.
All hotels are vulnerable, from small brands to global chains. Here’s what you should know about hotel Wi-Fi and how to protect yourself when traveling.
Is Hotel Wi-Fi Safe? What Are the Risks?
In short: No, hotel Wi-Fi isn’t safe.
You might think your hotel room’s password-protected network is nearly as secure as your private Wi-Fi network at home. But despite common protections, hotel Wi-Fi security is very lax, making it one of the least trustworthy types of public Wi-Fi.
Hotel Wi-Fi is so easy to infiltrate that the FBI issued a public service announcement [*] recommending that:
“Guests should not implicitly trust that the hotel has properly secured their network or is monitoring it for attacks.”
Here are some of the most common risks when you use hotel Wi-Fi:
- Identity theft. Hackers can snoop on your online activity and collect enough information to steal your identity.
- Bank account theft. Cybercriminals can intercept your banking details (account numbers, password, etc.) and take over your bank and retirement accounts.
- Stolen credit card information. Hackers can collect your payment data, even on trustworthy shopping sites like Amazon.
- Business email compromise (BEC). If you’re traveling for work, fraudsters may target your business email credentials to scam your workplace and colleagues.
- Hacked accounts. Someone lurking on a vulnerable network can steal login credentials for your accounts, including social media.
- Stalking and blackmail. Hackers can collect your browsing history and use it to stalk or threaten you.
- Malware. Someone else on the network can install malware on your machine, giving them free access to your files and sensitive documents.
- Spearphishing. Hackers can send emails specifically targeted to you in order to collect your data or steal your identity.
How Do Hackers Hack Hotel Wi-Fi?
Cybercriminals use several popular methods to hack hotel Wi-Fi, and new vulnerabilities are constantly being discovered.
Here are some of the most common infiltration methods:
- Man-in-the-middle (MITM) attacks. A hacker intercepts data on the Wi-Fi network, collecting any data exchanged between you and the sites you visit.
- “Evil twin” attacks. A hacker creates a network that mimics the authentic one, so devices that auto-connect join it without users knowing.
- Honeypot attacks. Hackers create a network with a more appealing name than the authentic network, like “Hilton Free Guest Wifi” instead of “hhonors.”
- Fake login pages. You’re redirected to a hotel Wi-Fi login page controlled by the hacker, who collects your personal information.
- Using public passwords. Hackers log in using a publicly posted Wi-Fi password.
- MAC address spoofing. Hackers find a verified device already logged in to a password-protected network, then pretend to be that device.
- Insider attack. A hotel employee gives a cybercriminal direct access.
- Social engineering. A hacker tricks someone at the hotel into sharing access to internal networks. This is how hackers infiltrated Marriott in 2020 [*] and again in 2022 [*].
- Router vulnerabilities. Hackers target hotel Wi-Fi routers running out-of-date software.
While there are ways to protect against these threats, hotels often lack basic security measures. For example, a hack in September 2022 revealed that Holiday Inn used the password “Qwerty1234” to protect its national database [*].
How To Stay Safe When Using Hotel Wi-Fi
- Confirm the name of the Wi-Fi network
- Use a VPN to encrypt your data
- Remove saved networks from your device
- Make sure your operating system is up to date
- Set your applications to auto-update
- Install and use antivirus software
- Don’t log in to critical accounts
- Turn off file sharing and Bluetooth
- Enter fake personal information when logging in
- Use mobile data instead of hotel Wi-Fi
- Use Safe Browsing tools to protect your device
The safest option is to never use hotel Wi-Fi or any public Wi-Fi network. But if you must, here are a few strategies that can help keep you and your data safe.
1. Confirm the name of the Wi-Fi network with hotel staff
Hackers often create “honeypot” Wi-Fi networks, hoping guests will log in to the fraudulent network instead of the official hotel Wi-Fi. Before logging in, verify the name of the network with staff.
Don’t count on hotels to shut down fraudulent networks. Recent research shows that 28% of hospitality businesses don’t train employees to recognize cybersecurity threats [*].
Here’s what to do:
- At the front desk, ask for the exact name of the Wi-Fi network, or call the concierge. Spell out the name, if necessary.
- Pay close attention to networks that look particularly easy to join — like those without a password or login page — or ones that include “free” in the network name.
- If there are two networks with identical names, it’s best not to run the risk, as one may be an evil twin network controlled by a hacker.
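A scripted version of the checks in step 1, added here as an example (it is not code from the original article). It assumes a Linux laptop where the scan comes from `nmcli -t -f SSID,BSSID,SECURITY device wifi list`; the scan lines and MAC addresses are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample, in the terse format printed by
# `nmcli -t -f SSID,BSSID,SECURITY device wifi list` (colons in values are escaped).
SAMPLE_SCAN = r"""
hhonors:3C\:52\:A1\:00\:10\:01:WPA2
hhonors:3C\:52\:A1\:00\:10\:02:WPA2
hhonors:02\:11\:22\:33\:44\:55:
Hhonors :02\:11\:22\:33\:44\:57:WPA2
Hilton Free Guest Wifi:02\:11\:22\:33\:44\:56:
CoffeeShop:58\:EF\:68\:00\:00\:01:WPA2
"""

OPEN = {"", "--"}  # how an unprotected network shows up in the SECURITY column

def parse_scan(text):
    """Return (ssid, bssid, security) tuples, splitting on unescaped colons only."""
    rows = []
    for line in text.splitlines():
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) == 3 and fields[0]:
            rows.append((fields[0], fields[1].upper(), fields[2].strip()))
    return rows

def squash(name):
    """Fold case and drop punctuation/spaces so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.casefold())

def audit(rows, verified_ssid):
    """Return sorted (ssid, reason) findings for the name confirmed at the front desk."""
    security_by_ssid = defaultdict(set)
    for ssid, _bssid, sec in rows:
        security_by_ssid[ssid].add("open" if sec in OPEN else sec)
    findings = []
    for ssid, kinds in security_by_ssid.items():
        if ssid == verified_ssid:
            # Many access points sharing one name is normal in a hotel;
            # the same name offered both with and without a password is not.
            if len(kinds) > 1:
                findings.append((ssid, "same name, different security: possible evil twin"))
        elif squash(ssid) == squash(verified_ssid):
            findings.append((ssid, "lookalike of the verified name"))
        elif "open" in kinds or "free" in ssid.casefold():
            findings.append((ssid, "open or 'free' network that staff did not confirm"))
    return sorted(findings)

if __name__ == "__main__":
    for ssid, reason in audit(parse_scan(SAMPLE_SCAN), "hhonors"):
        print(f"{ssid!r}: {reason}")
```

A clean result does not prove the network is safe; it only means none of the warning signs from the list above were visible in the scan.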
2. Use a VPN to encrypt your data
A virtual private network, or VPN, encrypts the traffic between your device and the VPN provider’s server, so anyone on the hotel network cannot read the information that passes between you and the websites you visit. Even if you are hacked with a man-in-the-middle attack, the infiltrator will only see encrypted data, which looks like meaningless jumbled numbers and letters.
Here’s what to do:
- Before traveling (or while using your mobile hotspot), download a VPN, like Aura’s VPN software.
- Set up the VPN on all of your devices, including your cell phone. Enable the Kill Switch feature to shut off Wi-Fi if the VPN stops working.
- Verify that your VPN service is running correctly before logging in to hotel Wi-Fi.
3. Remove saved networks from your devices
By default, your device probably automatically joins networks that you’ve used before. This feature is helpful when you take your device to the office or a friend’s house, but it’s dangerous when auto-joining free public Wi-Fi.
The network could have been infiltrated since you last joined, or it may even have been replaced with an evil twin controlled by a hacker. Your device can connect to hacked Wi-Fi without you even realizing it.
- On macOS: Open the System Settings app, select Wi-Fi, then click the “Advanced…” button. Eliminate known networks by clicking on the button with three dots; then select “Remove From List.”
- On Windows: Open the Settings app and click on “Network & internet” > “Wi-Fi” > “Manage known networks.” Click on “Forget” to remove.
- On iOS: Go to the Settings app > Wi-Fi. Tap the “Edit” button in the upper-right-hand corner. Verify with your passcode, Touch ID, or Face ID. Tap the red delete icon to remove any unfamiliar networks.
- On Android: Unfortunately, the steps differ depending on your device. First, open Settings and select “Connections” (or “Wireless & internet”), then “Wi-Fi.” Tap “Saved networks” or, if that’s not an option, tap the three dots and select “Advanced” > “Manage networks.” Select the network and click on the trash icon to delete.
4. Make sure you’ve installed the latest operating system updates
Scammers use security vulnerabilities in outdated software to hack your devices. In fact, upwards of 57% of today’s cyberattacks rely on out-of-date software [*].
Most major developers like Microsoft and Apple release firewall updates and security patches quickly, but they won’t protect you unless you update.
Many devices do this automatically by default, but it’s worth verifying that this setting is enabled and your operating system is up to date.
Here’s what to do:
If you’ve put off any operating system updates, install them as soon as possible. Then, ensure that your system has automatic updates enabled. Here’s where to find these settings:
- On iOS: Open the Settings app > General > Software Update.
- On macOS: Open the System Settings app > General > Software Update.
- On Windows 11: Go to the Settings app and select Windows Update.
- On Windows 10: Go to the Settings app and select Update & Security > Windows Update.
- On Android: Open the Settings app. Tap Software Update and then the gear icon in the upper-right-hand corner.
5. Set your applications to auto-update
Even if your operating system is up to date, connecting to the internet on outdated applications can expose you to vulnerabilities. Turning on automatic updates keeps you safe without requiring you to verify the security of every app.
Here’s what to do:
- On iOS: Open the Settings app and tap App Store. Under Automatic Downloads, enable App Updates.
- On Android: Open the Google Play Store app. Tap your profile icon > Settings > Network Preferences > Auto-update apps. Select either “on data and Wi-Fi” or “on Wi-Fi only.”
- On macOS: Open the App Store. In the menu bar, click App Store > Settings. In the pop-up window, enable Automatic Updates.
- On Windows: Open the Microsoft Store app. Select Account (or three dots button) > Settings (or App Settings). Enable App Updates.
6. Install and use antivirus software
Many hotel IT systems are out of date and mismanaged. In 2018, a security researcher discovered a major vulnerability in a popular hotel software platform. Three years later, in 2021, the vulnerability had yet to be fixed, and the platform was still being used at over 600 locations [*].
Your best protection is on your own device. Install antivirus software to detect, block, and remove malware.
Here’s what to do:
- Don’t disable your computer’s built-in antivirus. This is Microsoft Defender Antivirus in Windows and a proprietary behind-the-scenes antivirus in macOS.
- Before traveling, consider installing third-party antivirus software.
- Make sure the antivirus software is enabled and working correctly before using the internet, especially on a public network.
7. Don’t share sensitive information or log in to critical accounts
Even if you’re using a verified network and a VPN, it’s still smart to limit your online activity when using public or hotel Wi-Fi.
Nearly all of today’s malware is invisible, quietly sending data to a hacker or encrypting your files for a ransomware attack. Chances are, you won’t know your data is at risk until after you’ve been hacked.
Here’s what to do:
- When traveling, don’t log on to important sites like your online banking, retirement accounts, cryptocurrency exchanges, or government portals.
- Don’t enter sensitive personal details, like your Social Security number (SSN), passport number, or credit card number, on any site.
- If you absolutely must visit a sensitive site, use mobile data — ideally on your phone directly.
8. Turn off file sharing and Bluetooth (when not using)
Your device’s file sharing feature is helpful when you’re on a network that you trust. But if hackers have infiltrated the network, they can access everything you’ve shared. In some cases, the hacker may also be able to share malware that your device downloads automatically.
The same goes for Bluetooth. Hackers use compromised Bluetooth devices to hack into your computer or phone when you connect to them [*].
Here’s what to do:
- On macOS and iOS: Set AirDrop to “Receiving Off” or “Contacts Only.” Turn off Bluetooth under “Settings / System Preferences.”
- On macOS: Open the Settings app, select General > Sharing, and disable any features that are turned on.
- On Android: Change the device visibility for Nearby Share to “Hidden” or “Contacts.” To turn off Bluetooth, go to “Settings” > “Connected Devices” > “Connection Preferences” > “Bluetooth” and then toggle it to “off.”
- On Windows: Open “Control Panel” > “Network and Internet” > “Network and Sharing Center.” In the sidebar, click on “Change advanced sharing settings.” Click on the network you want to change, and select “Turn off file and printer sharing.” For Bluetooth, select “Start” > “Settings” > “Devices” > “Bluetooth and other devices” and then toggle it to “off.”
9. Enter fake personal information when logging in to a network
Hackers set up fake Wi-Fi login pages in hopes that you’ll enter your email address or personal data — like your date of birth, full name, or even room number. Sometimes, they’ll include a fraudulent option to log in with Facebook or Google to steal your username and password for these accounts.
Even on authentic login pages, the data is not as safe as you might think. In March 2022, a cybersecurity researcher discovered a leak in the software used by 629 major hotels across 40 countries that gave him access to millions of guest Wi-Fi accounts [*].
Here’s what to do:
- Never use a third-party platform like Facebook, Google, or Okta to sign in to a Wi-Fi network.
- If you must share information like your email address or birthdate to log in to a Wi-Fi network, use fake details.
- If a network requires your last name and room number, consider intentionally entering incorrect information. A network that still lets you in doesn’t verify guest data and may be fraudulent.
10. Use mobile data instead of hotel Wi-Fi
If you need to connect to the internet in your hotel room, your safest option is to use your phone’s 3G, 4G, or 5G data connection. This connection is encrypted and more secure than any public Wi-Fi network.
You can also use a password-protected mobile Wi-Fi hotspot. Since you’re still using a Wi-Fi connection, it’s not as safe as using your device directly — but it’s much more secure than a public network.
Here’s what to do:
- Disable Wi-Fi on your mobile phone and enable your data connection.
- Whenever possible, use the device itself through the 3G, 4G, or 5G data connection.
- If you need to use another device without a data plan (like a laptop), set up a password-protected hotspot on your mobile device and connect your laptop to it.
11. Use Safe Browsing tools to protect your device
Phishing sites are a type of social engineering attack that uses lookalike pages to mimic legitimate sites. While dangerous websites are often hard to detect, Safe Browsing tools can spot irregularities in the code that are impossible to spot with the human eye.
Here’s what to do:
- Install apps for browsing securely, like Aura’s suite of intelligent safety tools. Aura can alert you before you visit a dangerous site and will protect your devices against malware and other viruses.
- Use a password manager to save your credentials. Aura’s secure password manager can also alert you if you’re trying to enter your password on a lookalike site.
How To Tell If a Hotel Wi-Fi Network Is Safe
A recent study revealed that one in four people has been hacked on public Wi-Fi while traveling [*].
Ultimately, you should assume that any public Wi-Fi network is unsafe. Whether at an airport, coffee shop, gym, or hotel room, the best way to stay safe is to skip the Wi-Fi connection and use your mobile data.
However, some wireless networks are safer than others. The more of these signs you can recognize, the more secure you are.
- You’ve confirmed you’re connected to the official network.
- The network requires a password (and the password isn’t posted publicly).
- You’re using a VPN to encrypt your data.
- Your computer’s operating system is up to date.
- Your antivirus software is running in the background.
- Your computer is acting normally without lags, unfamiliar software, or pop-ups.
- You’re only using sites with HTTPS, often represented by a padlock symbol.
- Your connection is stable, and you haven’t needed to log in more than once.
Were You Hacked Over Wi-Fi? Do This
If you’ve been using an unsecured Wi-Fi network and think you might have been hacked, take action as fast as possible to protect yourself.
- Disconnect from any unsecured Wi-Fi connections.
- Look for signs that your device has been hacked.
- Run a full antivirus scan to isolate and remove malware.
- Inform the hotel staff that your device was compromised over their network.
- Report the fraud to any impacted institutions, like banks or credit card companies.
- Update any passwords that may have been compromised.
- Freeze your credit and monitor for unrecognized credit inquiries, accounts, or other activity.
- Consider signing up for Aura’s all-in-one digital security solution.
- If you believe your identity has been stolen, file a report with the Federal Trade Commission (FTC) at IdentityTheft.gov.
The Bottom Line: Secure Your Data From Hotel Hackers
Hotel Wi-Fi should never be your first choice. It’s a popular target for hackers, and even with the best protections, you’re still vulnerable.
But protecting your activity online doesn’t end once you get home. Safeguarding your identity requires constant vigilance, and Aura can help.
Aura protects you online when you’re at home or away, and monitors your identity 24/7 so that you don’t have to worry about trying to monitor it yourself.