Solved

Advice on using wifi connection in Hotel with our iPhone

Posted on 2017-04-10
Last Modified: 2017-04-21
We noticed in a hotel we stayed at that the iPhone wifi setting, after connecting to the hotel's wifi, has a warning of "Security Recommendation" (see below).

iPhone wifi
It seems it's an open network since when connecting there is no password, but a web page asking for last name and room number.

That all said, how secure are these hotel connections?

When logging in through their web page, does it set up a secure connection or is it still open, insecure?

Finally, when connecting, we didn't use the hotel's wifi to connect to our banks or other sensitive connections, just to search the city's location. But what happens when our emails that are being downloaded automatically in our iPhone, are they unprotected also?
Question by:rayluvs
18 Comments
 
LVL 16

Assisted Solution

by:Ramin
Ramin earned 80 total points
ID: 42087232
My guess is they are using WPA2-PSK (TKIP)  Protocol.

how secure are these hotel connection?

It depends on the security protocols that they use, but it is obvious they are not using WPA2 Personal AES security (latest Wi-Fi encryption standard).

When login thru their web page, does it sets up a secure connection or is it still open, insecure?
It is secure, but not quite secure for banking or email.

But what happens when our emails that are being download automatically in our iPhone, are they unprotected also?


It wasn't a good idea to check your email with that, but I'm quite sure it is not completely Insecure too.

The best choice was to ask the hotel to change their router security to WPA2 Personal AES security.

Helpful link:
https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/
0
 
LVL 17

Assisted Solution

by:Lucas Bishop
Lucas Bishop earned 80 total points
ID: 42087300
Even if the network was password protected, that doesn't mean that your connection is secure. The network is still shared amongst anyone who is logged into it, password or not. All unencrypted traffic can be sniffed.

You might want to consider setting up a secure vpn on your phone, so you won't have to be as concerned with "shared wifi" networks.
2
 
LVL 5

Assisted Solution

by:fred hakim
fred hakim earned 180 total points
ID: 42087418
The network password represents one layer of security (albeit a strong layer) that either hides (with password) or exposes (without password) data traffic on your local network between your devices. Hiding is done by encrypting the network data using the password. If the network is public, like a hotel or restaurant with a password, then everyone there is using the same password and could snoop the data packets in the clear, but others without the password are blocked. Unlike your home wifi network where only you (and those you allow) would have the password and access to the data packets on the network.

That said, there are other layers of security. For example, when you sign in to your bank, online mail (or other secure website) another layer of security (usually SSL, indicated in your browser with a padlock or https:// prefix) becomes active between your device and the bank.

The inherent trap folks fall into is thinking that your local password protected network data (home or public) protects beyond the local network -- it does not! Once data leaves your home network going out on the Internet, it's no longer encrypted by your local password. That is where the SSL encryption comes into play.

VPN connections only encrypt between your device and the VPN server on the remote side. They are usually used for traffic between private networks (where the server creates a second VPN connection to your remote network). If you are connecting to websites like your bank, then the encryption ends at the remote VPN server and your data (with any included SSL protection) is sent to the website outside that VPN envelope. In addition, it looks to the website like the data is coming from the remote VPN server and not your hotel or local network. A handy feature for many folks for reasons other than data protection.

So, bottom line, you are not much less exposed on a hotel network than on your home network for data destined to an Internet website like your bank.  In both cases your data on the Internet is solely protected by the bank website security (as is true from a VPN server to your bank).   The only place it can be decrypted (without hacking tools) is from your browser window or tab that created the protected SSL session -- regardless of any local/public network protection.    I'll stipulate the traffic on a local network is less congested and easier to hack than on the Internet, but so too the number of hackers on the local network is nothing compared to the Internet either.
0
 
LVL 28

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 80 total points
ID: 42087420
When connecting to a network that you don't own, always assume that it is insecure.  Lucas is correct.  The use of a WPA key on a hotel network does not make it secure.  Tunnel through it with an encrypted VPN based in your home country.

What I've read over the last several years indicates that when traveling in APNIC areas ("the far East"), all hotel networks should be considered under the control of the government.
0
 

Author Comment

by:rayluvs
ID: 42087433
Let's see if we got it:

- even though in an open network (as the one we point to in this question), if our browser connected to its destination using SSL (https://), the connection is secured?

- also, if we have various email accounts in our iPhone, only for the accounts using SSL in their setup is the email received/sent secured?
0
 
LVL 28

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 80 total points
ID: 42087455
IMO, it would not be prudent to rely on SSL alone when using an open network in a foreign country.  Every method of encryption has eventually been broken, and the break-in occurs long before it becomes publicly known.
0
 
LVL 16

Assisted Solution

by:Ramin
Ramin earned 80 total points
ID: 42087471
The answer is probably Yes, you are secure, but "every method of encryption has eventually been broken".
In a public network they can see your data packets until you connect to SSL secure protocol.
Assume that any information you send across a public network connection can be read. If you are looking at information from a website, and you are not getting to it via an encrypted connection (https), everybody else on the network may be able to read that information. If you are sending information to a website that is not encrypted, everybody else may be able to read that information.

If you want to be able to do private things on a public network, the best idea is to use a virtual private network (VPN).
0
 
LVL 5

Accepted Solution

by:fred hakim
fred hakim earned 180 total points
ID: 42087586
Encryption, be it VPN, SSL/HTTPS, or local Wifi network encryption is the ONLY method of protection available on open networks and on the Internet itself.  If you are concerned that encryption is not enough, then your only safe communication between computers would be on a local wired network with no outside connection, no Internet and no WiFi connections that can be intercepted.  

All data sent from any computer is accessible to anyone connected on the network or on any network over which the data travels. That's a BIG PATH with a lot of exposure.   Encryption scrambles data.  It involves some exchange of credentials (usually a user ID and password) to establish a key that can unscramble the data.  Only computers that have access and know the key can see the data.

Https (padlock visible on your web browser) is the indicator that your browser (tab/window) and the target website/portal (bank, airline, doctor etc.) have created a key for the scrambled data they exchange.  As noted by others, websites you visit using http (no padlock icon) send clear data.  All data is visible to anyone on the path.  

Https/SSL encrypts between the browser window/tab and the bank website.  It can be encrypted again by VPN,  and again by the wifi network.   Http does not encrypt.  It can be encrypted by VPN,  and again by the wifi network.

The VPN key is shared by your VPN gateway (web browser or entire computer) and a VPN server (usually somewhere on the Internet).  VPN encrypts all data from your computer/device to/from the network, on to the Internet and up to the VPN server.  But once it leaves the VPN server to reach the bank website, that level of encryption is removed and the data reverts again to its previous state.  

The Local Wifi key is shared with anybody connected (in your home, office, or hotel) who used the same password. The wifi protection keeps anyone outside the home or hotel network from seeing your data, but everyone inside those networks can see it (http) unless it's already encrypted (https and/or VPN). If the data leaves the wifi network (on its way to the bank), that encryption level is removed and the data reverts to its earlier state.

The difference in security between your home network and a hotel network is just the exposure to others also on the hotel network.  They are no more capable of breaking Https/SSL or VPN encryption than the millions of computers lurking on the Internet.  

One issue, not related to browser traffic: Make sure shared data on your computer is protected! Set the hotel (or restaurant etc.) network setting to public or untrusted network.
2
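The layering described in the accepted answer, modelled as an added example (not code from the thread or from any poster). The hop names, observer names and the rule that a shared wifi password hides nothing from other guests are assumptions taken from the answer's description, not measurements of a real network.

```python
# Added illustration: hop and observer names are constructed for this example.
from dataclasses import dataclass

# Ordered path from the phone to a website. A VPN tunnel, if used, ends
# after hop 2; hop 3 is the leg from the VPN server to the website.
HOPS = ["wifi_air", "hotel_lan", "internet_first_leg", "internet_last_leg"]

@dataclass(frozen=True)
class Layer:
    name: str
    first_hop: int                       # first hop the encryption covers
    last_hop: int                        # last hop the encryption covers
    key_holders: frozenset = frozenset() # observers who hold the key anyway

# Each observer and the hop on which they can capture traffic.
OBSERVERS = {
    "outsider_in_radio_range": 0,
    "guest_on_same_wifi": 0,
    "hotel_network_operator": 1,
    "observer_after_vpn_exit": 3,
}

# Shared wifi password: covers only the radio hop, and every guest has the key.
WIFI_PSK = Layer("wifi_psk", 0, 0, frozenset({"guest_on_same_wifi"}))
# VPN: covers everything from the phone up to the VPN server.
VPN = Layer("vpn", 0, 2)
# HTTPS/SSL: covers the whole path between browser and website.
TLS = Layer("tls", 0, len(HOPS) - 1)

def who_can_read(layers):
    """Return the sorted observers that see the payload unencrypted."""
    exposed = []
    for observer, hop in OBSERVERS.items():
        hidden = any(
            layer.first_hop <= hop <= layer.last_hop
            and observer not in layer.key_holders
            for layer in layers
        )
        if not hidden:
            exposed.append(observer)
    return sorted(exposed)

SCENARIOS = {
    "open wifi + http": [],
    "shared-password wifi + http": [WIFI_PSK],
    "open wifi + VPN + http": [VPN],
    "open wifi + https": [TLS],
}

if __name__ == "__main__":
    for name, layers in SCENARIOS.items():
        readers = who_can_read(layers)
        print(f"{name:28} -> {', '.join(readers) or 'nobody on the path'}")
```
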
 

Author Comment

by:rayluvs
ID: 42087988
In the above "VPN encrypts all data from your computer/device to/from the network, on to the Internet and up to the VPN server.  But once it leaves the VPN server to reach the bank website, that level of encryption is removed and the data reverts again to its previous state.",

 
- based on the above, VPN is only secured if used from both points, origin and destination? (Not only from VPN server to origin, that is, only from our PC and the VPN)

Also in "The wifi protection keeps anyone outside the home or hotel network from seeing your data...",

- if a malicious person is also on a WPA2 wifi, they can see everything being transmitted?
0
 

Author Comment

by:rayluvs
ID: 42088071
Couldn't edit our last entry, so this is a continuation of it:

Just to make sure, our emails which download periodically in our iPhone, are not protected when in a Hotel wifi (WPA2 or Open)?

And if there is so much concern about our emails while in a hotel or at a wifi hotspot, then the best thing to do is disable the emails within the iPhone while in the hotel?
0
 
LVL 5

Assisted Solution

by:fred hakim
fred hakim earned 180 total points
ID: 42088335
Email is usually exchanged with encrypting servers -- you or the email app on your phone at some point had to login with a password to get the decode keys. All data on a wifi channel is accessible to all devices on the channel. Secured wifi networks add a layer of encryption against other channel devices not logged into the secured network. Your home wifi is the same, but the logged in audience is under your control (secured private network). Wifi level protection is removed when the data leaves the wifi network.

VPN would add an encryption layer on top of that.  VPN encrypts all the data exchanged from your phone hiding it from anyone with access to the hotel wifi network and any other network traversed on the way to the VPN server.  Since your eMail or banking https data was already encrypted, VPN doubly encrypts it.  

The VPN server decodes the data and sends it on its way. If the destination from there has not established a protected VPN connection, it's sent in the form it was provided from your device (any SSL and Https encryption remains). If the destination is a VPN connected device, then the data is re-encrypted with the keys for that location. This is the way many corporations provide remote access to work for people away from the office. The corporation usually has its own VPN server, which decodes the data on its internal network. Then SSL and Https encryption remains until it reaches their internal end points.

Your eMail, banking data or any other data sent with encryption (SSL or Https) is just about as safe as it would be on your home network, assuming no spy with access to a supercomputer to crack encryption is also connected in the hotel.

Encryption is pretty safe, since each session negotiates a new key structure, when you login.   The session should end well before anyone could crack it from a phone or PC (we are talking days or even weeks or longer to crack).  A supercomputer or super computing array would be needed to cut the crack time to less than a day.   Few hotel or restaurant folks will have that sort of capability.  Government spies are unlikely to waste those resources on your eMail.  

In the future, things could change.  Computers could evolve to be fast enough (but the encryption methods also evolve).  Laws and the Internet will evolve too.   Governments could require backdoor master keys (but that could destroy the online economy, if someone leaked the master key).  Some super networks exist today like the ANX for corporations to more securely exchange data with each other.   They work by bypassing much of the Internet using advanced encryption and certified ISPs that connect directly to each other, significantly reducing access to the data exchanged.  See:  http://www.anx.com/secure-connectivity/anx-enx-network/

There is no need to shut off your phone in a hotel or restaurant unless you are concerned about someone with eavesdropping tools getting your casual browsing.  Email, banks, facebook, almost everything you sign in to is encrypted from your computer to the place you signed in.  I'd be more concerned about getting tricked to sign in to a bogus/knockoff site that steals your ID and password.
0
 
LVL 13

Expert Comment

by:Natty Greg
ID: 42094577
The same thing happened to my iPhone at Walmart, the reason being that there is no network security set up at all on those public facing platforms --- thank goodness your iPhone is warning you of that and that there could be people eavesdropping on your online presence. Because I use VPN when I'm on public WiFi I ignore the warning, but if you do not subscribe to a VPN service I would advise against connecting to any free WiFi without security.
0
 

Author Comment

by:rayluvs
ID: 42094902
Yes, but as websites here, using VPN services has to be at both points; that is, if we use VPN from our point in Sears to the VPN server, that is secure. But from the VPN server to the destination address, that thread of highway traffic is not secure.

For instance, from Sears open free wifi we want to connect to Empire State Building (http://www.esbnyc.com/). Our connection from Sears to VPN server is secured, but from VPN server to Empire State Building site, there is no security.

Are we correct?
(Please advise if not)
0
 
LVL 13

Assisted Solution

by:Natty Greg
Natty Greg earned 80 total points
ID: 42095183
True --- the idea is to prevent the immediate threat; you would need site to site VPN to every website you visit. However, unless someone targets you and knows your exact exit through the VPN, then it is secure, because your VPN changes the IP of the request and the location of the request, so that person must know your exit to intercept your traffic.
0
 

Author Comment

by:rayluvs
ID: 42095364
You mean that in order for the attacker to successfully access our info, he/she MUST know the actual VPN server we are using and also know the IP address THAT server is using to get to the destination address we are connected to?
0
 
LVL 13

Assisted Solution

by:Natty Greg
Natty Greg earned 80 total points
ID: 42095997
yes
0
 

Author Comment

by:rayluvs
ID: 42102722
Thanx!
0
 

Expert Comment

by:Hasnain sami
ID: 42103083
VPN would add an encryption layer on top of that.  VPN encrypts all the data exchanged from your phone hiding it from anyone with access to the hotel wifi network and any other network traversed on the way to the VPN server.  Since your eMail or banking https data was already encrypted, VPN doubly encrypts it.
"www.echnophile.com"
0

Question has a verified solution.
