SBN

Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39

This is your Shared Security Weekly Blaze for October 22nd 2018 with your host, Tom Eston. In this week’s episode: Hotel Room Security and Privacy with Special Guest Patrick McNeil.

Silent Pocket is a proud sponsor of the Shared Security Podcast! Silent Pocket offers a patented Faraday cage product line of phone cases, wallets and bags that can block all wireless signals, which will make your devices instantly untrackable, unhackable and undetectable. Use discount code “sharedsecurity” to receive 15% off of your order. Visit silent-pocket.com to take advantage of this exclusive offer.

Hotel security has been a hot topic being debated in the cybersecurity and privacy communities ever since the annual DEF CON hacking conference which was recently held in Las Vegas. The conference hotel security staff at Caesars Palace, conducted random hotel room searches unbeknownst to conference attendees. This caused a firestorm of criticism from conference goers but also brought attention to how we all should all think about the security and privacy of the hotel rooms we stay in. In this episode I want to share with you some helpful tips and advice to increase your security and privacy while staying in a hotel room.

Tom Eston: Joining me to discuss hotel room security and privacy is physical security expert, Patrick McNeil. Patrick has a background ranging from software development, networking, operations, and product security and currently works for an application security company. He has travelled extensively for work over the last nine years, staying in hotels, ranging from five star hotels, to hotels with blood stains on the carpet. I think I want to hear more about that. And Patrick is also a lifelong martial arts practitioner, runs Oak City Locksport and does physical security consulting for Stern Security when time permits. Welcome to the show, Patrick.

Patrick McNeil: Thank you very much, Tom, appreciate the opportunity to be on.

Tom Eston: So tell me a little bit about these hotels you’re staying in. Blood stains on the carpet, what’s that all about?

Patrick McNeil: Yeah, that was an unfortunate situation where I went to a conference and the conference coordinator had some hotels nearby that were recommended, and this was in downtown Chicago. And let’s just say, while she thought it was a safe neighborhood, it really wasn’t. And the hotel of course, is completely booked up. I check into my room and do my normal walk around and there’s literally blood stains on the carpet probably the size of a dinner plate and some blood spray on one of the [chuckle] walls.

Tom Eston: Oh no.

Patrick McNeil: It wasn’t a whole lot, but it was enough to freak me out, and I know I’m asking for a new room and it’s completely booked up. So I ended up staying there but it was like put the towel over it so I didn’t have to look at it. And just stay away from that area. It was obviously old.

Tom Eston: Obviously [chuckle] old. Yeah, that’s scary, but… Hopefully you’re not staying in hotels like that anymore.

Patrick McNeil: I try to avoid that. [chuckle]

Tom Eston: But you wrote a really great blog post recently about safety in and around your hotel room. And I think you wrote this because of the controversy that happened at Caesars Palace back during DEF CON in August in Las Vegas, with the conference attendees of the conference. Could you give us just a brief overview of what happened at DEF CON for our listeners that may not be familiar with the controversy?

Patrick McNeil: Sure. And you’re right, I did write the first post and it turned into a follow-on as well, but it all was because of the mass shooting that happened last year in October in Las Vegas. Basically the big casino hotels decided that they wanted to ensure the safety of their guests and the public at large by inspecting the rooms of guests when they hadn’t been seen for a while, they had refused service, or maybe they were seen with large pelican cases or something when they were traveling in. You get an event like DEF CON, between the DEF CON shoot and all the electronics equipment that people bring in [chuckle], there’s gonna be a lot of pelican cases. Those are all similar things, that the shooter had actually done.

Patrick McNeil: And unfortunately they had a policy that allowed people to opt out of room service as an environmental or green initiative. So they were setting themselves up for rooms that had refused room service. So when they decided to start investigating what was up in some of these rooms just doing what they were calling a wellness check, it would appear that their policy either was implemented inconsistently or maybe some employees weren’t trained appropriately because they ended up having issues with employees walking in on partially clothed guests after the pre-visitive knock or even pounding on their doors, demanding to be let in and not necessarily even providing appropriate identification or allowing the guests to check with the front desk or someone to see if they were legitimate.

Tom Eston: Would you consider that a common practice in most hotels?

Patrick McNeil: I would say no. I think this is a little bit of an over-correction. And maybe it’s necessary, based on their threat model but it’s definitely not something that I would consider normal, no.

Tom Eston: I think a lot of us think about when we go to a hotel, we are paying for our privacy. There is this expectation of privacy because we are paying money to stay in a room that is supposed to be ours. And we don’t expect anyone to barge in and look through our stuff. So is there any truth to this statement that hotels are really private?

Patrick McNeil: There’s only a little bit of truth in that. Hotels do have the right to enter your room at any time if they believe there’s a safety issue, if you’re involved in something illegal, to keep you from destroying property or even to perform maintenance. And of course, the regular cleaning that they do. Where you do pay for privacy is as part of that contract with the hotel. They have to respect your Fourth Amendment rights against illegal search and seizure. If a law enforcement agency wants to enter your room, they do need a warrant. But that protection expires as soon as you hit checkout time, whether you’ve actually gone to the front desk or not. But really the hotel employees don’t necessarily have to respect your privacy if there’s any reason they can manufacture.

Tom Eston: Is there anywhere that people can view hotels’ policies?

Patrick McNeil: Yeah, I know that some hotels do actually have that in their agreement that you sign when you make the reservation or that you pretty much ignore when you make the reservation [chuckle] But I have not done the research to see does each individual brand post their policy or anything, no.

Edgewise Networks is the first zero trust platform that stops data breaches by allowing only verified software to communicate in your cloud and data center.

Micro segmentation projects can be costly and difficult, but Edgewise offers a new approach: zero trust segmentation. Without any changes to your network environment, Edgewise puts your data at the heart of your security strategy, giving you:

  • Visibility into workload communication pathways;
  • Security policies built on the cryptographic fingerprint of the software;
  • The ability to apply policies and segment your networks in one click; and
  • A way to continuously monitor and assess risk.

Edgewise recommends policies based on the identity of your software, and stops attackers’ lateral movements by requiring authentication and authorization with every workload communication. Visit edgewise.net to learn how Edgewise can eliminate network attack surface, stop lateral movement, and protect your applications.

Tom Eston: What are your top three or four things that you recommend everyone always do when staying at a hotel?

Patrick McNeil: The things that I think are really common, the top basics, I always inspect a room with my bag just right inside the door and don’t unpack or anything before I get comfortable. I’m walking around like anybody would to see, is the place clean? But I’m looking at the physical security items first. Maybe even before I get to the room, on my way there, I’m just checking out to see where is my room in relation to any exit stairs or elevators, in case of a fire or other emergency situation. And then once I get into the room, the first thing I check, of course, is the locks on any doors, windows, sliding glass doors, anything adjoining, and that any additional security devices like the little flipper that you can use to reinforce your door or the dead bolt, that those actually align correctly. And that they actually work. And then I’ll go and check my phone, which seems a little crazy given that most of us are gonna travel with mobile phones but I do that just because it’s got that direct line right to the hotel front desk or security, to make sure that you have it in an emergency or if somebody does wanna inspect the room, you can just hit one button and then you’re on the phone with somebody. And then the last thing I’ll typically do is [chuckle], and it sounds silly I’ll pop some toilet paper in the peephole and put a hand towel right behind the handle. So nobody’s peeping in and you can’t use an under door tool to open that door.

Tom Eston: So what are a few things that listeners can do from a counter-surveillance perspective?

Patrick McNeil: In my opinion, the easiest thing to do is just be tidy. I know you’re gonna relax when you’re in a hotel and things may get spread out. But if you’re really concerned about snooping, just clean things up and organize your stuff. Put stuff back into your suitcase, put things on shelves, put things in drawers, basically keep everything away from where one could reasonably expect the cleaning staff to be. They’re not gonna be rearranging things that you’ve left all over the desk or dresser, what have you. You’re not giving them an excuse, essentially, then you can lay a suitcase strap a certain way or put a certain fold in your clothes or a hair or thread in a zipper that will fall out or get destroyed when the zip is opened. Then that way you can take a photo of how you left things and compare versus later. While it’s not absolute because they could bump into something, or what have you, it at least gives you an indication. And if you’re super paranoid, you could do stuff like the UV detective dust that you can put on things. Just do a light dusting in one place and shine with a UV light and then if that dust is spread all over the room, you know that they went in that one spot where you put the UV dust. As far as the recording… Yeah, this is definitely what I would consider more of an extreme measure. And I’d reserve it for situations where you’re reasonably sure that your stuff is being gone through, or there’s a significant chance of it.

Patrick McNeil: You’ve got something expensive that maybe you can’t secure. [chuckle] I’ll do the standard, I’m not a lawyer. This is not legal advice [chuckle], but you have to be careful with where you’re recording. Certainly pretty much every state has a law that says people have a reasonable expectation of privacy. So you should never ever record in the bathroom in particular because the cleaning staff could use the bathroom. There’s nothing wrong with that. We get into the whole gray area of whether this is legally your home or somebody else’s place. So while it is legal to record inside your home, with hidden cameras, without notice, trespassers do waive the rights to be recorded. You do have to be careful and know local laws ’cause they may apply. So watch the state that you’re traveling to, to determine whether they’re called what’s called a one-party state versus a two-party state. And what that means is if you’re a one-party state, only one party has to consent to the recording, I.e., you, the person making the recording. And in two-party states, both have to consent. So that would rule out some of your recording.

Patrick McNeil: And though that may also be different for audio versus video. So it may be one or two-party state for audio but video may be completely different and covered under separate laws. And of course, you’re gonna run into the county and state laws. So [chuckle] basically use this with caution, understand where you’re recording. If you do get a recording and it shows evidence of a crime, the first thing you do is not march down to the front desk and show it to them. The first step is consult with an attorney before deciding how to use it, and definitely like a lot of things, it comes down to how you decide to actually use the recording. If you get a recording and you see that something’s going on, maybe you can take other steps to secure your stuff that doesn’t involve showing somebody the recording. Like a lot of things, once you start using that and publicizing it, that’s when you can get into hot water.

Tom Eston: So, any last advice you’d like to give our listeners?

Patrick McNeil: I think really from a travel perspective, it’s all about awareness. We tend to get wrapped up in finding the restaurant or the workout facility, or looking at our phone or what have you, and we just really don’t notice what’s going on in the parking lot on the way to our room. And just having that situational awareness, ’cause you are a little bit more susceptible when you’re traveling alone.

Tom Eston: Well, great advice, Patrick. Thanks for coming on the show.

Patrick McNeil: Thank you, Tom.

That’s a wrap for this week’s show. Be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show you can email us at feedback[aT]sharedsecurity.net. First time listener to the podcast? Please subscribe on your favorite podcast listening app such as Apple Podcasts or on our YouTube channel.  Thanks for listening and see you next week for another episode of the Shared Security Weekly Blaze.

*** This is a Security Bloggers Network syndicated blog from Shared Security authored by Tom Eston. Read the original post at: https://sharedsecurity.net/2018/10/22/hotel-room-security-and-privacy-with-special-guest-patrick-mcneil-wb39/