
Having a One-Network Stand in a Short-Term Rental? Use Protection!

2023-10-07 20:48

They may or may not come with bedbugs, but even the worst motels offer free Wi-Fi. Likewise, if you stay at an Airbnb or other sharing-economy rental, you expect free (and trouble-free) Wi-Fi. Same thing, right? It turns out that using Wi-Fi in a short-term rental is vastly riskier than in other locations. We're here to explain why and what you can do.

Note that this article was inspired by a presentation at the Black Hat conference in Las Vegas more than five years ago, but the concepts are still fresh. The only difference is that the sharing economy is booming even more now. You can view Jeremy Galloway’s original presentation, complete with cameos by Pikachu, Homer Simpson, and Lana Kane—it was a lively talk.

Beware the Snoops

Airbnb reports it has over four million hosts and over six million listings. Its 150 million users worldwide have booked over a billion and a half stays. Vantage Market Research estimates the global short-term rental market at over $100 billion for 2022.

The business overall is vast, but the experience is personal—maybe too personal. In most cases, you’re renting a house where someone else lives. Do you snoop around? Galloway’s presentation quoted a survey saying that 40% of visitors admit to snooping. And the snooping goes both ways: Many guests report finding hidden cameras in the rentals they visit.

It’s a matter of trust. When you stay at a hotel with a national (or international) reputation, you presume they won’t risk that reputation by meddling with your Wi-Fi security. But if Wi-Fi comes from some random short-term rental host, all bets are off, even if the host is a paragon of virtue.

One-Network Stands

You can be reasonably sure your home Wi-Fi router is secure, especially if you’ve taken steps like customizing the SSID, using the strongest encryption available, and creating a password other than the default. Using institutional Wi-Fi in a library, an airport, or similar public space, well, you don’t have control of the security. But you can bet the IT department handles that security. Even the small-scale network in your local coffee shop is likely safe enough unless the owner (or a fellow patron) is a mad hacker.

The problem with short-term rentals is that each guest has access to the router. Access isn’t limited to the coffee shop owner or the IT department. Galloway illustrated the concept with a Sexual Exposure Calculator. When you hook up with a new partner, you’re not just exposed to them; you’re exposed to all their previous partners. And in a short-term rental, you’re exposed to all the previous renters. He characterized this as the risk of having a one-network stand.

Who Actually Owns That Wi-Fi Router?

Over the years, hackers and malware researchers have devised sinister techniques for remotely taking control of a router. From the ancient Moon Worm to more modern attacks such as Mirai and Mēris, hackers find new ways to remotely compromise routers, and router makers find ways to defend against those attacks.

In a short-term rental, those elaborate machinations are unnecessary, because the attacker has physical access, and that changes everything. All they need to do is reset the router to its default configuration and consult a readily available list to find the default username and password for the brand of router. Or flip the router over—many models put the default credentials on a sticker. If all else fails, they can just start guessing. Out of 20 popular router brands, 80% default to “admin” for the username, and half use “admin” for the password.

As for how to reset the router, it's ridiculously easy. At Black Hat, Galloway demonstrated his never-fail APT. That’s not an Advanced Persistent Threat but rather an Average Paperclip Threat. To reset most routers, just find the tiny hole concealing the reset button, poke in the end of a bent paperclip, and hold it there for a count of 30. Sometimes, the button isn’t even concealed. With the router reset to its default configuration, the hacker can now log in and take total control.

Hackers Can Compromise the Network

If you’re a hacker, gaining full access to the router’s configuration lets you compromise the network in a dizzying number of ways. It’s a snap to troll future renters by doing things like banning access to popular sites, turning on parental control limitations, or throttling the network speed, for example. But those pranks are just the beginning.

You could set up one of your own devices as a remote administrator, meaning you can monitor and tweak the router from afar long after you’ve left the rental. You could configure a log server to capture all traffic from the router to peruse at your leisure. The router isn’t visibly compromised, and the effect of these hacks lasts until the next reset.

Even more deviously, you could configure the router’s DNS (domain name system) requests to go through one of your own servers. DNS takes a human-friendly domain like pcmag.com and translates it into a machine-friendly IP address like 104.16.123.17. By controlling DNS for the compromised router, you can steal private information going to any site, falsify data coming from any site, inject malware on connected devices, and generally gaslight the unsuspecting user.

It’s true that hackers can’t target an individual with these attacks. They have no way of knowing who’s going to rent the place next, after all. But it would be easy enough to go trawling for secrets by compromising rentals near a technology center or a military base. Rentals that advertise as equipped for business travel can be juicy targets, potentially allowing the capture of corporate secrets and leading to a full-on corporate data breach.

How You Can Protect Yourself in an Airbnb

By now, you may be wondering if you ever dare use a short-term rental again. Don’t worry; there are protective steps you can take. Install a VPN on all the devices you travel with and use it religiously. Turn off Wi-Fi entirely and rely on cellular data if your plan and the local connectivity permit. Tether your other devices to your phone as a personal hotspot (just keep track of mobile data usage). If you travel a lot, consider investing in a personal mobile hotspot device.

Many travelers now routinely check for hidden cameras when they enter a short-term rental. You can also do your own check for router security. Can you even find the Wi-Fi router? Is it sitting out in the open? Does it have a visible reset button? Are the default credentials printed on a sticker? If there’s no router visible, you can relax a bit.
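Beyond eyeballing the hardware, a guest can also check for the DNS redirection described earlier. The Python sketch below is an added example, not from the original article or Galloway's talk. It compares the resolver settings and answers the rental network hands out against answers collected over a trusted path such as cellular data or a VPN. The function names, signal labels, and sample data are assumptions made for illustration.

```python
import ipaddress

# Widely published public resolver addresses (Cloudflare, Google, Quad9).
KNOWN_PUBLIC = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True for loopback or RFC 1918 addresses, which a public site should not resolve to."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in RFC1918)

def audit_dns(gateway, dhcp_resolvers, local, trusted):
    """Compare the rental resolver's answers with trusted-path answers.

    local/trusted map domain -> set of IP strings. Returns (signal, subject)
    pairs. Each is a prompt to look closer, not proof: ISPs run their own
    resolvers, and CDNs can legitimately return different or shared addresses.
    """
    findings = []
    for r in dhcp_resolvers:
        # A resolver that is neither the router nor a well-known service.
        if r != gateway and r not in KNOWN_PUBLIC:
            findings.append(("odd-resolver", r))
    served = {}
    for domain, ips in local.items():
        if any(is_internal(a) for a in ips):
            findings.append(("internal-answer", domain))
        ref = trusted.get(domain)
        if ref and ips.isdisjoint(ref):
            findings.append(("mismatch", domain))
        for a in ips:
            served.setdefault(a, set()).add(domain)
    for a, domains in served.items():
        # One address answering for several unrelated sites suggests a proxy.
        if len(domains) > 1:
            findings.append(("shared-ip", a))
    return findings

# Constructed sample data; all addresses come from documentation ranges.
SAMPLE_LOCAL = {"bank.example": {"203.0.113.80"},
                "mail.example": {"203.0.113.80"},
                "news.example": {"198.51.100.7"}}
SAMPLE_TRUSTED = {"bank.example": {"192.0.2.10"},
                  "mail.example": {"192.0.2.20"},
                  "news.example": {"198.51.100.7"}}

if __name__ == "__main__":
    for finding in audit_dns("192.168.1.1", ["203.0.113.53"],
                             SAMPLE_LOCAL, SAMPLE_TRUSTED):
        print(finding)
```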

Of course, all the usual security advice applies. Be sure you’ve protected all your devices with an antivirus app and that it’s active and up to date. If you haven’t already enlisted the help of a password manager to remember strong, unique passwords for all your websites, take care of that task before traveling. But do bear in mind that even the strongest password may be vulnerable when you’re connected through a compromised network. To head off that worry, turn on multi-factor authentication for every site that offers it.

What Rental Hosts Can Do

If visitors to your rental bring home malware, they won't give you a good review. Does the network you offer to guests also power your own smart home? A hack attack through the rental could expose all your devices. Having your Wi-Fi compromised is bad for everyone.

The biggest thing you can do to protect yourself and your renters is to deny physical access to the router. Keep it in a locked room that’s not accessible to guests, if possible. Put it in a locked closet. If that’s not an option, you can purchase a security lockbox that secures the router itself without interfering with the Wi-Fi signal.

Even when the physical router is locked away, it’s conceivable that a determined hacker who’s renting your property could use a standard remote attack to compromise it. These attacks are easier when perpetrated from inside the network. If you have (or can learn) the technical skills, consider backing up your router settings and restoring them after each guest visit.

Is your rental in a beautiful, natural setting? Perhaps you can omit Wi-Fi entirely, touting its absence as a virtue. You might also invest in a separate internet account that only supplies the rental, with no cross-connection to your personal network. Once you’re aware of the potential for hacking, you have options.

Stay Sharp

Every time you connect your devices to a network that you don’t control, you take a risk. In most cases, it’s a small risk because remotely hacking a Wi-Fi network is difficult and not terribly rewarding. Even so, smart users engage the VPN when using any public network. As for Wi-Fi in your short-term rental, again, the problem is that any previous renter might have compromised the router using physical access. If you can swing it, don’t use the Wi-Fi. If not, make sure to equip all your devices with up-to-date antivirus and VPN utilities, and stay alert for any network oddities.
