
The Real Dangers of Hotel Wi-Fi
Hotel Wi-Fi is the convenience we love to hate. I've watched attackers set up bogus portals in Barcelona, sniff unencrypted traffic in Manila, and hijack DNS in Cape Town. Here's a breakdown of the threats I've actually faced (not just theoretical scare tactics) and the countermeasures I rely on now.
Threat 1: Evil Twin Access Points
What happened: At a conference hotel in Berlin, an attacker cloned the SSID “HotelNet_Conference” with stronger signal strength. Attendees unknowingly connected. The fake AP proxied traffic to the real network, harvesting credentials along the way.
Countermeasures:
- Use Wi-Fi scanners (WiFi Explorer, NetSpot) to compare BSSIDs and signal strengths. If one is significantly stronger, verify with staff.
- Stick to your travel router. My GL.iNet connects to the legitimate network once; all my devices stay on my private SSID.
- Enable WPA3/WPA2 on your router to encrypt traffic even if upstream is compromised.
Threat 2: Captive Portal Credential Theft
What happened: In Buenos Aires, a fake captive portal prompted guests for email, password, and room number. Data fed into a credential stuffing script targeting bank logins.
Countermeasures:
- Use burner credentials for portals. I maintain a
portal@secureroamer.com
alias and a dedicated password. - Never reuse real account credentials. If a portal demands more than email/room number, refuse.
- Check SSL certificate on the portal page. If it’s invalid or self-signed, bail.
Threat 3: DNS Hijacking & Injection
What happened: Cape Town hotel ISP intercepted DNS requests, redirecting Facebook.com to a phishing page promoting “faster Wi-Fi.”
Countermeasures:
- Run DNS over HTTPS via
cloudflared
on your router (proxy-dns: true
). - Verify DNS using
dnsleaktest.com
. If you see ISP servers, your DNS override failed. - Maintain a hosts file for critical services (
/etc/hosts
entries for bank domains pointing to known IPs). Use sparingly.
Threat 4: ARP Spoofing
What happened: In Manila, an attacker used Ettercap to poison ARP tables, positioning themselves between guests and the gateway. They injected JavaScript into plaintext sites to display fake update prompts.
Countermeasures:
- Enable “Block LAN Access” on GL.iNet. This isolates client-to-client traffic.
- Use
arp -a
occasionally; if the gateway MAC address changes unexpectedly, reconnect through a different network. - Force HTTPS everywhere using browser extensions and HSTS preload lists.
Threat 5: Outdated Router Firmware
What happened: A boutique hotel in Lisbon ran a ten-year-old router with WPS enabled. Attackers could brute-force WPS PINs and login to admin panel.
Countermeasures:
- Ask for Ethernet access. Wired connections bypass the vulnerable Wi-Fi.
- Deploy your own router in bridge mode.
- For long stays, offer to help IT update firmware (yes, I’ve done this in exchange for free breakfast).
Threat 6: Bandwidth Throttling & Logging
What happened: Dubai hotel throttled VPN traffic to 1 Mbps while logging URLs for “quality assurance.”
Countermeasures:
- Use VPN obfuscation (OpenVPN over TCP 443, Outline VPN, Cloudflare WARP). These look like regular HTTPS.
- Schedule heavy downloads overnight when throttling eases.
- Assume logs exist; don’t access sensitive accounts without a VPN tunnel.
Rapid Response Checklist
[ ] Connect via travel router
[ ] Launch VPN (WireGuard preferred)
[ ] Override DNS with DoH
[ ] Enable firewall + block LAN access
[ ] Monitor traffic with Little Snitch / NetLimiter
Advanced Defensive Moves
- TLS fingerprints: Use tools like
ja3er.com
to ensure your TLS fingerprints don’t stand out when proxied. - Tor as backup: If VPNs are blocked, I route sensitive browsing through Tor Browser for short sessions.
- MAC randomization: Before connecting, randomize MAC addresses to avoid being tracked across sessions.
When to Abandon Ship
If you see any of the following, switch to LTE or a coworking space immediately:
- Portal asks for credit card details to unlock “premium security.”
- You receive repeated Microsoft 365 or Google security prompts despite correct passwords.
- TLS warnings persist across multiple trusted sites.
- Packet captures show injected JavaScript or suspicious DNS answers.
Safer Alternatives to Hotel Wi-Fi
- Local eSIM (Airalo, Nomad) + travel router.
- Portable 5G hotspot (Netgear M6) with regional SIM.
- Coworking day passes—often $10–15 with reliable networks.
- Cafés with documented good security (I maintain a shared map with other nomads).
Final Thoughts
Hotel Wi-Fi isn’t inherently evil, but it’s rarely monitored by security professionals. Plan as if an attacker already owns the network. Bring your own router, tunnel everything, verify DNS, and keep an eye on anomalies. With a healthy dose of paranoia, you can enjoy room service while your data stays locked down.