Ethernet connections in a hotel room are not secure

I could write a whole blog about correcting computer articles in newspapers, pointing out mistakes and omissions. Many times I have corrected and expanded on articles in the Wall Street Journal by Walter Mossberg, but I've also griped about mistakes in the other newspaper I read regularly, my hometown New York Times. Back in May, on my previous blog, my comments on an article that David Pogue wrote in the Times about data cartridges for backing up computer files prompted a surprising rebuttal from Mr. Pogue.

Beats me why major newspapers don't hire computer techies to write about computer topics. Even worse, neither newspaper has the computer nerds on staff review articles for technical mistakes. Puzzling.

With that in mind, todays topic is an article about Wi-Fi security by Joseph De Avila that appeared on page D1 of the Wall Street Journal on Wednesday January 16th. See Wi-Fi Users, Beware: Hot Spots Are Weak Spots.

The vast majority of the article is well done, but not the last paragraph. It offers the following advice from someone named John King, who "... avoids Wi-Fi at hotels in favor of high-speed connections that plug into his laptop. He says he uses Wi-Fi to check email and stock listings if that's the only means available, but only if he's sure of the signal. 'I won't go on a wireless access point that I'm not confident in,' he says."

Who can argue with the main point being made here, that wired Internet connections are safer than wireless?

I can. Or, perhaps more to the point, Steve Gibson of GRC, SpinRite and the Security Now podcast would if he were writing this blog.

Before going into the technical aspects, let's start with the people. The Wall Street Journal describes Mr. King as "... a 46-year-old engineer from Livermore, Calif., [who] works for a company that mines computers for evidence in legal cases. He travels a lot for business..." Nothing about this description makes me think Mr. King is a networking security expert.

As for Steve Gibson, I have enough of a technical background in the subject and have listened to enough of his Security Now podcasts, to confidently state that he is a networking security expert. I doubt that any of my fellow nerds would disagree.

The Important Part

The critical point here is that a wired Ethernet connection is not necessarily a safe haven from the insecurity of Wi-Fi wireless networks.

Exhibit A supporting this claim is Episode #29, Ethernet Insecurity, of Steve Gibson's Security Now podcast. (transcript, 64K audio, 16K audio). This podcast, which explains the security problems inherent in a wired Ethernet network, was a huge eye-opener to me when I first heard it.

By way of background, Ethernet is a set of hardware and software rules/standards/protocols that computers on a Local Area Network (LAN) use to communicate. Ethernet used to have competition in the marketplace, but those days are over.

While the term LAN may invoke a small network, such as that in a house or apartment, a LAN can encompass an entire building, such as a hotel. When you plug a computer into an Ethernet jack in a hotel room, you are on the same network as all the other guest rooms. And that can be dangerous.

As Steve Gibson explained in the podcast, the Ethernet protocol was designed long ago. Before the Internet. Before security was on anyone's radar screen. "Essentially, there is absolutely no security with Ethernet. The assumption always was that it would be used in a LAN setting where you knew and trusted everybody on the network. You were one big happy company..." he said.

The explanation of the vulnerabilities gets somewhat technical and includes terms such as ARP, MAC addresses, IP addresses, malicious ARP replies, NICs, man-in-the-middle attacks, ARP Poison Routing, ARP spoofing, sniffing and promiscuous mode. In simple terms, a bad guy can get in the middle of all Internet conversations (us nerds call this "traffic"). Web pages, email messages and everything else coming and going to the Internet can be intercepted and logged.

As Steve put it "... one bad person in a hotel could arrange to, without much work, literally intercept all the traffic going to and from the hotel's gateway so that all of the email conversations, all of the traffic of any sort that is being transacted by every other hotel guest, they're able to monitor and intercept."

I don't think the danger can be overstated. Wired connections to the Internet in a hotel are not, by their very nature, more secure than wireless connections.

And Ethernet is not the only weak link in the security chain. The podcast describes software that can decrypt some normally encrypted data. "And in some cases, where you have weakly authenticator protocols, like Windows Remote Desktop that really doesn't provide any kind of authentication, man-in-the-middle and complete decryption attacks are easily performed. I mean, it is really bad." said Steve Gibson.

I first listened to this podcast episode while traveling to another city where I was planning on using a wired Ethernet connection in my hotel room. The podcast scared me to the point that I installed a VPN on my laptop. VPNs, while typically used by large corporations, are available to anyone and are the best protection from this sort of thing.

If anyone you know, ever intends to use a wired Ethernet connection at a hotel, then tell them to read this posting. And get a VPN.

You don't read PC magazine for mutual fund advice, and you shouldn't read the Wall Street Journal for computer advice.

Update. February 18, 2008: For more on this see Defending against insecure hotel networks with a VPN.

See a summary of all my Defensive Computing postings.