Anatomy of a Wi-Fi hole – take care in your hotel this Christmas!

I’m on the road at the moment, staying in a business hotel with three pleasant surprises.

There’s an inexpensive restaurant with fantastic pizzas, an amazing vista, and a generous free Wi-Fi allowance. (Perhaps that’s four surprises.)

None of those spongy, rubbery pseudopizzas with thick bases like stale loaves; no room view into the back of a haulage yard; and none of that “200MB for $20 network access” that you find in some parts of the world.


Fast, free Wi-Fi sounds handy, and it is, but we’ve written about the potential problems with open Wi-Fi hotspots several times before.

Some of the risks you face are:

  • The hotspot could be run by anyone, and there’s almost no way of telling who that might be.
  • Anyone in the vicinity, whether they’re on the network or not, can “sniff” (eavesdrop on) and record all your network traffic.
  • Your DNS requests, which turn server names into network numbers, are visible to anyone, so even if you subsequently use secure HTTPS connections only, the services you are using are nevertheless revealed.
  • The hotspot can send you bogus DNS replies, redirecting you to imposter servers, blocking your access to security updates, and more.


One handy countermeasure is to use a VPN, short for Virtual Private Network.

That’s where you get your computer to encrypt all your network data before it leaves your laptop or phone, and send the scrambled stream of data back to your own network.

When the scrambled data is safely back on home turf, it is decrypted and sent out onto the internet just as if you were at home, effectively sidestepping the hotspot and its numerous risks.

Of course, many free Wi-Fi networks make you jump through some sort of simple authentication process first, directing you to what’s called a captive portal – a special web page that pops up in place of the site you’re trying to visit.

Captive portals may ask you to accept various terms and conditions, show you a few ads, or ask you for some sort of identifier to track your usage.

The last of these is common in hotels, often to differentiate between paying guests, day visitors attending a conference, and unentitled passers-by.

In other words, even if you want to use a VPN, you typically need to spend a short while online with your network shields down, until you can get past the captive portal.

Only then will the hotspot let your network traffic out into the real world so your VPN can call home.


Here’s what happened in my hotel during my brief “shields down” period:

I’m sure you can spot the problem here.

To activate my connection, the hotel wants to validate that I’m a guest, so it uses exactly the same information that it might do in the poolside bar or when signing the bill in the pizza restaurant: name and room number.

Room keys don’t have numbers on them, so this is a simple, customer-friendly and reasonably satisfactory way of regulating your room charges.

Except that in this case, the hotel’s hotspot service is run by an external company whose logon portal expects you to hand over your name and room number over an unencrypted HTTP connection.
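A way to check a captive portal's logon form before typing anything into it, as an added example that is not part of the original article: it parses the portal page's HTML, resolves each form's submit target against the page URL, and flags targets that are not HTTPS. The host `portal.example` and the field names `lastname` and `room` are constructed for illustration and are not taken from the hotel's portal.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect each <form>'s action and its named input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
            self._open = True
        elif tag in ("input", "select", "textarea") and self._open and a.get("name"):
            self.forms[-1]["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = False

def audit_portal(page_url, html):
    """Return one finding per form: where it submits and whether that is cleartext."""
    parser = FormAudit()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # A relative or empty action inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"])
        findings.append({
            "target": target,
            "fields": form["fields"],
            # Anything but HTTPS sends the field values unencrypted.
            "cleartext": urlsplit(target).scheme.lower() != "https",
        })
    return findings

# Constructed sample (hypothetical host and field names).
SAMPLE_URL = "http://portal.example/login"
SAMPLE_HTML = """
<form action="/auth" method="post">
  <input type="text" name="lastname"><input type="text" name="room">
</form>
<form action="https://portal.example/auth" method="post"><input name="room"></form>
"""

if __name__ == "__main__":
    for f in audit_portal(SAMPLE_URL, SAMPLE_HTML):
        print("CLEARTEXT" if f["cleartext"] else "encrypted", f["target"], f["fields"])
```

A form that targets HTTPS from a page that was itself loaded over HTTP is still only as trustworthy as that page, because the page can be altered in transit before it reaches the browser.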

As a result, any nearby computer running a network sniffer (I used Wireshark) can read those fields out of the ether:

You have to tell the truth, too, because making up an answer for safety’s sake won’t work:


When I checked in to the hotel, I wasn’t asked if I wanted to make use of the free Wi-Fi service, nor whether I consented to having the details of my stay shared in some way with the Wi-Fi portal company for Wi-Fi validation purposes.

If I’d known, I’d have declined, on the principle of “if in doubt, don’t give it out”.

In the end, I used my trusty fallback: a pre-paid mobile phone SIM with enough inexpensive data loaded on it to tide me over, with my phone acting as my very own hotspot.

At least in the USA, you’re always able to do that these days, following a court ruling that hotels aren’t allowed to use technological tricks to stop you using your own hotspot.