How to protect yourself against new DarkHotel type WiFi attacks

Kaspersky recently announced the discovery of a new Advanced Persistent Threat (APT) that they are calling DarkHotel. This is in the fine tradition of giving all newly discovered hacker groups or vulnerabilities clever and evil-sounding names. In this case they have found something quite interesting.

For the last 7 years a group has been systematically targeting executives and government officials staying at high-end hotels. They hack their computers and grab their files, log their keystrokes, and install malware that can then spread within the victim's organization.

The attack is launched when a guest attempts to log into the hotel WiFi, and the targeting is very tight and clever. As part of the standard WiFi login process, guests enter their last names and room numbers. The attackers know who is booked, so they can recognize their targets at this point, and only the targeted guests are then attacked.

The attack takes the form of a software update, generally for Flash. The update contains the malware and is signed with a forged signing certificate. That is another one of the interesting aspects of this attack. They have brute forced the 512-bit RSA keys of some code-signing certificates, which allows them to create apparently valid signatures for their modified software. The problem here is that Windows still trusts any 512-bit certificate. At this point such keys are almost trivial to break. Even 1024-bit keys should be considered suspect. 2048-bit is really the sweet spot, and I would use 4096-bit keys for anything that really matters.
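As an added example (not from the article or from Kaspersky's report), the following PowerShell function applies the key-length floor described above to an installer's Authenticode signature chain on Windows. It assumes Windows PowerShell 5.1 or later, and the installer path in the usage line is a placeholder.

```powershell
# Added example: reject an installer whose signing chain contains an RSA key
# shorter than a chosen minimum, even when Windows reports the signature as valid.
function Test-SigningKeyStrength {
    param(
        [Parameter(Mandatory = $true)][string] $Path,   # installer to inspect
        [int] $MinimumRsaBits = 2048                    # the article's recommended floor
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "signature status $($sig.Status)" }
    }

    # Status 'Valid' only means the chain reaches a trusted root; a factored 512-bit
    # key anywhere in that chain still yields a "valid" signature, so walk every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void] $chain.Build($sig.SignerCertificate)

    $weak = foreach ($el in $chain.ChainElements) {
        $cert = $el.Certificate
        # OID 1.2.840.113549.1.1.1 is rsaEncryption; skip non-RSA keys
        if ($cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1' -and
            $cert.PublicKey.Key.KeySize -lt $MinimumRsaBits) {
            "$($cert.Subject) ($($cert.PublicKey.Key.KeySize)-bit, thumbprint $($cert.Thumbprint))"
        }
    }

    if ($weak) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = "weak RSA key(s): $($weak -join '; ')" }
    }
    return [pscustomobject]@{ Path = $Path; Verdict = 'OK'; Reason = "all chain keys >= $MinimumRsaBits bits; signer $($sig.SignerCertificate.Subject)" }
}

# Usage (placeholder path): inspect a downloaded "update" before running it.
Test-SigningKeyStrength -Path 'C:\Users\Public\Downloads\flash_update.exe' | Format-List
```

A REJECT verdict with a valid status is exactly the case this article describes: the signature checks out, but the key behind it is too short to trust.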

My suggestions to protect yourself are:

Don’t use the hotel WiFi and use cellular data instead, either built in or with a cellular modem that you brought with you.

Use a locked down device like an iPad. Because you can’t just install any software you want, these devices are actually much more resistant to many kinds of attacks.

If you need a full computer, use a disposable laptop for travel, which will get completely wiped when you get back, and use it to access temporary email and other accounts that don't have access to your sensitive information or documents.

While this particular attack happens before you get full Internet access, a VPN provides protection against a very large fraction of WiFi-based attacks, and should be used whenever possible.

Remember that in some countries the wireless provider may be as suspect as the hotel devices. When traveling to those countries you should treat all communications channels as suspect and hostile.

More coverage from Ars Technica, Wired, and Securelist.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.