What the FBI didn’t tell us about the hotel malware threat

Internet access in hotel room. Image from ShutterstockIf you follow the field of computer security chances are that you saw the warning issued by the FBI’s Internet Crime Complaint Center (IC3) this week about using hotel internet connections.

Here’s the full text of the advisory, with some responses sprinkled throughout from yours truly:

Malware Installed on Travelers' Laptops Through Software Updates on Hotel Internet Connections

Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms.

Sign up to our free newsletter.
Security news, advice, and tips.

“Malicious actors”? Are we talking cybercriminal gangs and fraudsters or state-sponsored bad guys from an enemy nation?

“Travelers abroad”? So, you mean that this can’t possibly happen within the United States?

Why the coyness about naming countries? Is it because the FBI doesn’t know which countries this pertains to (other than it’s definitely not happening in the USA)? Is it because they have a list of countries, but they’re not sure if it’s a complete, exhaustive list? Or is it because the authorities don’t want to say which countries?

Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections.

“Malicious software”? Can you tell us what malicious software? Is it a particular malware family? Can you at least tell us what the malware is attempting to do?

In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product.

“A widely-used software product”? Why not name it? The FBI isn’t saying a variety of popular products, it’s saying “a widely-used software product”. Should it really be up to us to place bets as to whether it’s likely to be Adobe Flash or not?

If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

Which operating system are we talking about here? Windows? Mac OS X? Linux? iOS? Might have been handy to mention..

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products on their hotel Internet connection.

“Government, private industry, and academic personnel..take extra caution”? Hang on. What about the rest of us? Shouldn’t we also be careful if we’re taking our computers overseas, perhaps on vacation? Or is the un-named country where this is happening not the kind of place people go on holiday to?

Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack.

But is likely to be beyond the ken of the vast majority of users..

The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor’s Web site if updates are necessary while abroad.

Sensible. No complaints with that. But the idea of business people travelling for weeks on end without installing security updates while they’re on the road sounds like it could backfire.

Anyone who believes they have been a target of this type of attack should immediately contact their local FBI office, and promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration. The complaint information is also used to identify emerging trends and patterns.

What’s fascinating about the advisory is what it doesn’t say. And without more information it’s hard to know how computer users are supposed to take meaningful action to protect themselves other than follow the normal advice of running security software, being careful what you install, running a VPN to hide your browsing from snoopers, etc.

It’s certainly very peculiar that the FBI didn’t share more information in its warning, or mention where in the world it believes it has seen these attacks taking place.

By coincidence, earlier this week, for the first time in almost ten years, a Chinese defense minister visited the United States.

The day before the FBI’s warning was issued, US Defence Secretary Leon Panetta met his Chinese counterpart Liang Guanglie in Washington DC, and told the world’s press that the two countries must work together to avoid cyber war, and emphasised the importance of the relationship between China and the USA.

US and Chinese military chiefs met in Washington this week, to discuss cyber attacks

Maybe there was more that the authorities could have said about this hotel malware threat, but thought it undiplomatic to publicise.

Laptop in hotel room image, courtesy of Shutterstock.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.