Earlier this year, Jeremy Galloway was in Breckenridge, Colorado, on a ski trip with a bunch of friends. One day, he got back early to the Airbnb apartment where they were staying, and was a little bored.
Being a hacker, he thought of a fun way to pass the time: hacking the local Wi-Fi network to prank his friends. Initially, he says he thought it'd take him an hour or so, but it was much easier than that.
In just a few minutes, he says he gained complete control over the network, and was able to force his friends to visit cat gifs and memes websites whenever they tried to access Google, Facebook or any other site. That was just a benign prank, but if he had wanted, he could have easily redirected his friends to fake login pages to steal their passwords, force them to visit a malicious website hosting a virus or other kinds or malware, or even push a malicious update to their apps.
"You don't use the Airbnb toothbrush, and you should probably think twice before just jumping on their network and putting your bank credentials in there."
At that point Galloway, who works as a security engineer for Atlassian, realized that both Airbnb hosts and guests are underestimating the dangers of leaving routers exposed to countless strangers.
"The router you have in your house is the weakest link," Galloway tells me over the phone. "As soon as you can control the local network router, security is basically completely gone."
The crux of the issue is that if someone has physical access to the router, they can easily access its configuration and mess with it. Normally, credentials to log into routers are printed on the routers themselves, and if they aren't, most devices have a reset button that allows whoever presses it with a paperclip to gain access to it—Galloway calls this the Average Paperclip Threat, a play on the overused industry term APT or (Advanced Persistent Threat).
Pranks aren't the only danger. Someone with more evil intent, be it the host or a guest, could change the settings on the router, and then wait for the next guests to carelessly input their passwords into fake banking or social media websites, where the guests are automatically redirected.
"If you get onto an unprotected network, you're not just exposed to that network," Galloway explains. "You're potentially exposed to any other person that's connected to it before you."
In two weeks, Galloway is going to talk about these dangers at Black Hat, the annual security conference in Las Vegas. Tod Beardlsey, the research manager at the security firm Rapid7, reviewed Galloway's presentation for Motherboard and said that while the potential attacks he will detail are generally well known in the industry, "they are also pretty much impossible to defend against, once you give the attacker physical access to your router."
We need to be careful when connecting to Wi-Fi networks in Airbnbs, and just treat them like we treat airport or Starbucks connections.
The problem is that, thanks to the rise of home-sharing services such as Airbnb and HomeAway, thousands of people are letting strangers into their houses and apartments, and, potentially, into their networks and routers.
That's why, Galloway argues, we need to be careful when connecting to Wi-Fi networks in Airbnbs, and just treat them like we treat airport or Starbucks connections.
"When you're traveling and you're on an unfamiliar network, you should behave like it and not behave like when you're at home," Galloway says. "You don't use the Airbnb toothbrush, and you should probably think twice before just jumping on their network and putting your bank credentials in there."
If you're a renter, Galloway says the first thing to do to stay safe is using a virtual private network, or VPN, that will encrypt and protect all your connections. (There's a lot of easy to use options out there, such as Freedome or TunnelBear.) Another, slightly more complex precaution, is to hardcode DNS settings into their devices, switching to Google Public DNS, for example.
If you rent out your apartment or house and you're worried your next guest might mess with the router, Galloway suggests removing physical access to it, by either locking it into a room where guests don't have access, or in a locked closet. Alternatively, another solution is to put in a small lockbox.
In any case, Galloway doesn't want people to be paranoid, just a bit careful and aware. Oftentimes, then it comes to cybersecurity, that's all you need.
The Hacks We Can't See is Motherboard's theme week dedicated to the future of security and the hacks no one's talking about. Follow along here.