Cantillon: Hotel wifi issue is nothing to shout about

Would you shout the details of your company’s tax return to a Revenue Commissioner sitting across a hotel lobby? Would you stick a company credit card in the post with a note attached giving the PIN number?

A press release issued by technology security company Smarttech.ie yesterday, which got widespread coverage, suggested that most of us are doing the digital equivalent of this every time we use the free wifi in an Irish hotel.

Citing its discovery of "shocking cyber security breaches," Smarttech.ie said it had discovered an unspecified "fundamental security flaw" in the wireless networks of 10 hotels. As a result it was able to eavesdrop on the network traffic and pick up valuable data such as online banking log-ins, corporate network credentials and usernames and passwords for sites such as Facebook and Paypal.

It remains unclear how the engineers got this information but they say the process was trivial. All the services mentioned use secure log-ins based on the SSL protocol. When you visit them you will notice the address changes to one beginning https rather than http and a closed padlock appears beside it. This means traffic between the browser on the laptop and the website such as Facebook or Paypal is encrypted.

Smarttech says says the exercise was about showing how dangerous using unencrypted logins and passwords on a public network can be. But why does this place a duty of care on hotels to fix the problem as the company has claimed?

Clearly users, particularly of corporate devices, such as smartphones, tablets and laptops, need to be aware of the risks of using a network where anyone can view their traffic. But as anyone in information security will tell you, users are always the weakest link in corporate defences and convincing people not to take advantage of free wifi while they have a spare 10 minutes in a hotel is going to be tough.

Fear, uncertainty and doubt is a long- established sales tactic in the technology sector that has entered business and politics. Issuing a press release proclaiming that Irish hotels are a hackers’ paradise but which itself begs more questions than it answers, seems to fall into that category. The risks are real but making them sound worse doesn’t serve anyone.