Unwired Anxiety

Order a reprint of this story
Close (X)

ORDER A REPRINT

To reprint an article or any part of an article from Hospitality Upgrade please email geneva@hospitalityupgrade.com. Fee is $250 per reprint. One-time reprint. Fee may be waived under certain circumstances.

SEND EMAIL

June 02, 2003
Security | Wireless
Mark Haley - MHaley@ThePrismPartnership.com

View Magazine Version of This Article

© 2003 Hospitality Upgrade. No reproduction without written permission.

Wireless is clearly crossing the chasm from a novelty to mainstream hotel amenity, but the security risks of wireless networking are real and tangible, not just perceived. Wireless data communications are not private and people should not expect them to be.

Early movers in the marketplace have been trying to sell wireless data concepts to hotels and airports since at least 1997. Remember MobileStar Network? They were just a little too far in front of the curve.

Since then, wireless data networks have become commonplace. In addition to countless homes, thousands of wireless access points were installed in hotels from sea to shining sea. Look for 118,000 public access “hotspots” installed worldwide by 2005, according to IDC, but even that number could be low.

The actual security issues generally fall into two categories, packet interception and inappropriate use. Readily available software enables any laptop with a WiFi card to intercept and record the data transmitted over any open wireless network. Inappropriate use problems involve an intruder using an open network to send spam, serve up pornography, launch cyber-attacks on other networks or download copyright-protected materials, typically music. Inappropriate use risks come with any open network, although wireless makes it easier.

For example, someone trying to sell you a wireless access point will tell you, “WiFi is secure! You just have to turn it on.” The salesman is referring to WEP, wireless equivalency privacy, which does in fact provide a measure of security for wireless communications. WEP is known to be “hackable,” but does put a useful roadblock up, and exactly what you should do at home if you have a residential wireless network.

WEP relies on inputting the same alphanumeric code into the access points and the laptops. Transmissions are encrypted using the code. Knowing the code and being able and willing to enter it make WEP an inappropriate security solution for a visitor-facing network, as in your hotel. The only really effective means to prevent packet-sniffing given today’s standards are virtual private networks (VPNs).

David Bankers, CTO of LodgeNet Entertainment, sees VPN support as crucial for wired and wireless networks in hotels. Bankers said, “LodgeNet’s HSIA platform provides the guest with a choice at sign on between a public routeable IP address that supports 100 percent of VPNs , or a private IP address that is hidden behind NAT (network address translation), which offers some level of protection from uninitiated inbound connections to the guest’s laptop.”

Inappropriate use problems can arise if your network becomes identified as a source of spam or pornography. Most Internet service providers (ISPs) try to avoid supporting either class of content, and could cut off service to your location. E-mail black commercial, newspaper or magazine article touting the wonders of wireless data networking and extolling the virtues of WiFi. Enticed by millions of co-marketing dollars from Intel, most of the major hotel chains have obediently lined up to install wireless hotspots to service the Centrino1 -armed road warrior.

The many virtues and benefits of WiFi come with a down side, however. The negative aspects of wireless networking include spotty coverage and connections, particularly if the property’s network of access points is “value-engineered” to minimize costs. Sometimes it has slower performance, but rarely noticeable for Internet browsing. And WiFi has significant perceived security risks. The security risks of wireless networking are real and tangible, not just perceived. Start off with the understanding that Internet-based communications are not secure in the first place, and wireless ones are less so.

Wireless data communications are not private and people should not expect them to be. The privacy issue creates an interesting dilemma for the hotelier. Guests expect and deserve privacy in their guestrooms. Wireless communications are not private. One approach to this dilemma is to not offer wireless services in guestroom areas, but only in public spaces. Mandarin Oriental Hotels employs this tactic. CIO Nick Price said, “We support 802.11 in general and anticipate the day when wireless access can be securely and easily provided. In the meantime, we will cover public areas only as we believe that guests have an expectation of privacy in their guestrooms, a private place. We cannot provide a service that weakens our absolute commitment to the guest’s right to privacy and security in the guestroom.”

In April of this year, a guest checked into a Boston hotel that offers an open wired and wireless network as a complimentary guest amenity. He then started downloading music from a file-sharing service using multiple computers. The download traffic consumed the vast majority of the bandwidth available on the guest network, making performance erratic at best for all of the other guests in the hotel. Needless to say, this led to a fire drill for the hotel’s IT department.

What can the hotelier do to remedy or minimize some of these risks?
• Don’t let the security concerns keep you out of the wireless space. Go on in, just know what to do about it.
• First, ensure that all users logging onto your network (whether a free amenity or a fee-based service) accept a strong Terms of Use statement that clearly states it is an unsecured environment and no expectation of privacy should hold. Stephen Barth professor of hospitality law at the Conrad Hilton School of Hotel Management and founder of HospitalityLaw.com said, “The law in this area is still evolving. Liability potential revolves around an expectation of privacy, and a clear Terms of Use statement that eliminates that expectation is essential.”
• Use a third-party service provider to source and support the service. This can perhaps insulate the hotel from liability as well. Barth recommended that the hotel’s agreement with the service provider include an indemnification and hold harmless clause.
• Ensure that your service provider’s platform supports most of the major VPNs in the market as well as the built-in firewall in current versions of Windows. Most VPNs require public routable IP addresses, so you need a connection to the public Internet that includes a range of addresses.
• Does the service provider have an active network monitoring program in place? This type of program proactively detects sources of spam, network attacks, virus distribution and other inappropriate uses. LodgeNet’s Bankers said, “Our Network Intrusion Detection System (NIDS) identifies and traps network abuse before it gets out on the public Internet, not when it is too late.”
• Use a VPN client for all administrative wireless applications, or at a minimum WEP. This is great for the hotelier but what about advice for the traveler? When you are traveling turn on the personal firewall feature for your wireless data connection. Travelers should also use some form of VPN, either on your corporate network or one provided by a subscription-based network. (See sidebar below.) And no one should venture onto another network without maintaining a self-updating virus protection subscription.

What Is a Hotel To Do?
How does the hotelier make sense of all of this? Here are our recommendations:
• First, don’t allow the standards churn to delay your adoption of this amazingly useful technology. Go ahead and invest now.
• Today, go with 802.11b access points that support future field upgrades (better downloadable) to 802.11g support.
• Don’t spend on 802.11a. Remember Betamax?
• When 802.11g becomes a proven standard, with true cross-vendor interoperability (i.e., my Orinoco card works on your Cisco access point), then upgrade your radios to g if you intend to use local administrative applications. If the only point of the wireless network is to give guests access to the Internet, there is little reason to upgrade to g because b already goes faster than your Internet connection.
• Hope that your field-upgradable radios will be field upgradeable to support 1x.
• Don’t hold your breath for Wi-Max. It is still way out there…at least next week.

Mark Haley is a member of The Prism Partnership, a consulting practice servicing the global hospitality and travel industries based in Boston, Mass. You can reach Mark at (978) 521-3600 or MHaley@ThePrismPartnership.com.

EVOLVING WIRELESS STANDARDS
Standards or Temporary Band-Aids?
Wireless data technology today looks a lot like a bowl of alphabet soup stirred up by an angry 3-year-old. First we saw the vicious conflict between frequency hopping and direct sequence spread-spectrum play out (DSSS won, by the way), and we thought we were in a good place with 802.11b. Investment in infrastructure took off, purchases accelerated and deployment proliferated. It was WiFi and it was good.

Then a funny thing happened. Before 802.11b became universally deployed we got 802.11a, promising much higher data throughput. Sometime this summer, expect to see 802.11g ratified as a standard, promising more throughput and backwards compatibility with b. Some vendors are promising multi-mode access points, supporting both a and g in the same unit. Then there is discussion of 802.1x, compatible with g, but adding new, enhanced security features.

Now we are seeing early announcements of a future Wi-Max service, promising much broader penetration and no backwards compatibility with anything that exists today.

I don’t even want to know what happened to c, d, e, f and all the rest. What if they are still coming?

Notes
1 Centrino – Intel’s product brand name for a mobile processor, paired chipsets and 802.11b equipment specifically engineered and optimized to work together, especially for wireless networking in a mobile environment. Most major laptop manufacturers now offer Centrinobased products.

 

SUBSCRIPTION-BASED NETWORKS
This May Be in Your Hotel, But Not Be Your Customer
Cendant and Choice have earned highly profitable positions in the pantheon of hotel companies by owning and marketing brands and the services supporting them, rather than owning and operating hotel properties. Likewise, firms like Boingo, T-Mobile, iPass and Surf & Sip are building out businesses based on marketing other people’s public hotspot assets and establishing their own brands as subscription-based WiFi network operators.

These network operators seek out relationships with hotspot owners, such as hotels, airports or HSIA providers selling into hotels on the supply side. On the demand side, they sell subscriptions that allow access to the hotspot network established above. When a Boingo or iPass subscriber is in your hotel, they have a choice of paying you $9.95 a day or using their subscription service, who pays the hotspot operator (probably not the hotelier) somewhere between $1 and $2. Don’t hold your breath waiting for a split of that revenue from your HSIA provider.

The primary benefit of the subscription-based networks is that they allow the mobile user to enjoy WiFi access in many and diverse venues while maintaining a single vendor account. Alison Richards is the director of wireless co-marketing for Intel. Richards said, “Wireless networking today is somewhat like the early days of cell phones. Roaming was difficult and expensive with erratic coverage. We want to see it become simple, transparent and inexpensive.” Another useful attribute comes into play regarding wireless data security: Boingo offers virtual private network (VPN) clients with their subscriptions. The downloadable VPN client software buries your packets in a secure tunnel protecting your data from packetsniffing. While it is probably “VPN-lite” by Department of Defense standards, a real road warrior would do well to use this kind of service and buy some peace of mind. VPN clients generally impose some overhead on the perceived performance, but that is probably a small price to pay for practicing safe computing. Thousands of wireless access points have been installed in hotels from sea to shining sea. Look for 118,000 public access “hotspots” installed worldwide by 2005, according to IDC, but even that number could be low.



want to read more articles like this?

want to read more articles like this?

Sign up to receive our twice-a-month Watercooler and Siegel Sez Newsletters and never miss another article or news story.