Security

What We Found Scanning Hotel Networks: A Security Wake-Up Call for Hospitality

Network Security Hospitality Penetration Testing IoT WiFi Security

What We Found Scanning Hotel Networks: A Security Wake-Up Call for Hospitality

Hotels are a unique intersection of high-value personal data, transient users, and complex IT infrastructure. Every day, thousands of guests hand over passport numbers, credit card details, and home addresses to properties that often treat cybersecurity as an afterthought. When we were invited to assess the network security posture of two hotel properties, the contrast between them told a story that every hospitality operator needs to hear.

All testing described in this article was performed with explicit written authorization from the respective property owners as part of contracted security assessment engagements.

Why Hotel Networks Are Interesting Targets

Hotels present an unusually attractive target surface for attackers. Consider what a typical hotel network connects: a Property Management System (PMS) containing guest personal data, payment processing terminals, IoT devices controlling room climate and door locks, IPTV entertainment systems, and guest WiFi, all potentially sharing the same physical or logical network infrastructure.

An attacker does not need to break through a firewall from the internet. They simply book a room, connect to the guest WiFi, and begin exploring what is reachable from within. The barrier to entry is a credit card and a laptop.

Our Methodology

Our assessment methodology follows a structured approach designed to evaluate the network from a guest’s perspective.

Phase 1: Passive Reconnaissance. Before sending a single packet, we listen. Passive scanning captures broadcast traffic, ARP announcements, mDNS/SSDP discovery messages, and DHCP responses. This reveals the network topology, IP ranges, and often the presence of networked devices that announce themselves freely.

Phase 2: Active Network Discovery. We perform controlled network scans to map live hosts, identify open ports, and fingerprint operating systems and services. This is where network segmentation, or the lack of it, becomes immediately apparent.

Phase 3: Service Enumeration. For each discovered service, we identify the software, version, and configuration. Hotel-specific systems like PMS platforms, IPTV controllers, and building management systems are of particular interest.

Phase 4: Data Exposure Assessment. Where services are accessible, we evaluate what data can be retrieved without authentication or with default credentials.

Phase 5: IoT Device Assessment. We catalog all reachable IoT devices and evaluate whether they can be accessed, reconfigured, or used as pivot points into other network segments.

Property A: A Cautionary Tale

Property A is a luxury five-star property. From the guest’s perspective, everything conveyed professionalism and attention to detail. The network security posture told a different story.

No Network Segmentation

The first and most critical finding was the complete absence of network segmentation. Upon connecting to the guest WiFi, it became clear that the guest wireless network and the hotel’s operational infrastructure shared the same flat network. There was no VLAN separation, no firewall rules restricting lateral movement, and no access control lists.

This single architectural failure made every subsequent finding possible.

Property Management System Exposed

The hotel’s PMS was directly accessible from the guest WiFi network. Through the exposed interfaces, we were able to identify guest personal data including full names, room assignments, check-in and check-out dates, and booking reference numbers. This data was accessible without exploiting any software vulnerability. The system was simply reachable from a network where it should not have been.

The implications are severe. An attacker with this information could conduct highly targeted social engineering attacks, impersonate hotel staff, or sell bulk guest data. For high-profile guests, the exposure of their location, room number, and travel dates creates genuine physical security risks.

IPTV System on Shared Network

The hotel’s in-room entertainment system was deployed on the same network segment. IPTV systems in hotels often integrate with the PMS for guest messaging, billing, and room service orders. An accessible IPTV system could be leveraged to push content to guest room televisions or serve as a lateral movement path into deeper network infrastructure.

IoT Devices Within Reach

Multiple IoT devices were discoverable and reachable from the guest WiFi. Smart thermostats and electronic door lock controllers responded to network probes. Networked door lock controllers accessible from the guest WiFi represent a direct physical security risk.

Property B: How It Should Be Done

Property B is a four-star business hotel. The infrastructure was less glamorous, but the network architecture reflected genuine security thinking.

Proper VLAN Segmentation

From the moment we connected to the guest WiFi, the contrast was stark. Active scanning from the guest network revealed exactly what it should: nothing. No PMS interfaces, no IPTV management consoles, no IoT devices, no operational infrastructure.

Guest WiFi Isolation

The guest WiFi provided internet access and nothing else. Client isolation was enabled, preventing guest devices from communicating with each other. DNS and DHCP were provided through the guest VLAN, and all other traffic was restricted to internet-bound routes only.

No Reportable Findings

Despite thorough scanning, we could not identify any path from the guest network to the hotel’s operational systems. The network was designed with the assumption that the guest WiFi is a hostile environment, which is exactly the correct assumption.

Common Vulnerabilities in Hospitality

Based on our assessments and broader industry knowledge:

  • Flat network architecture. When guest WiFi shares a segment with operational systems, every internal service becomes an attack surface.
  • Default credentials on management interfaces. PMS platforms and network equipment frequently retain factory-default passwords.
  • Unpatched hospitality software. PMS and booking platforms often run outdated versions.
  • IoT devices with no security controls. Smart room devices are deployed for convenience with minimal security consideration.
  • No monitoring or logging. Many properties lack the capability to detect scanning or data exfiltration.
  • Vendor-managed blind spots. Hotel IT staff often have limited visibility into third-party managed systems.

Recommendations for Hotel Operators

  1. Implement VLAN segmentation immediately. Create separate VLANs for guest WiFi, hotel operations/PMS, IoT/building management, IPTV/entertainment, and staff networks.

  2. Enable client isolation on guest WiFi. Prevent guest devices from communicating with each other.

  3. Audit all default credentials. Change every default password on every networked system.

  4. Conduct regular penetration testing. Engage security professionals at least annually.

  5. Establish a patch management process. Work with vendors to establish regular update cycles.

  6. Deploy network monitoring. Implement intrusion detection at minimum on VLAN boundaries.

  7. Develop an incident response plan. Define roles, communication procedures, and containment strategies.

How Guests Can Protect Themselves

  • Use a VPN. A reputable VPN encrypts all traffic, rendering network-level interception ineffective.
  • Avoid sensitive transactions on hotel WiFi. Minimize banking and shopping on hotel networks.
  • Disable automatic WiFi connections. Configure devices to ask before joining networks.
  • Disable file sharing and AirDrop. Turn off network discovery while on hotel WiFi.
  • Keep your devices updated. Many network-based attacks exploit known vulnerabilities.
  • Use mobile data for sensitive tasks. Your cellular connection is significantly more secure than hotel WiFi.

Conclusion

The gap between Property A and Property B was not a matter of budget. VLAN segmentation is a standard feature available on virtually every managed switch sold in the last two decades. The difference was awareness and priority.

Property A invested heavily in the guest-facing experience while neglecting the infrastructure protecting guest data. Property B made network security a foundational design decision.

The hospitality industry processes enormous volumes of personal data daily. Guests trust hotels with their names, payment details, travel schedules, and physical safety. That trust carries a corresponding obligation to protect the infrastructure handling that data.

If you have not had your hotel network assessed by qualified security professionals, the findings described in this article should motivate you to schedule one. The question is not whether vulnerabilities exist, it is whether you discover them before someone else does.

D2 Solutions provides network security assessments and infrastructure consulting. All security testing is performed exclusively under written authorization. Contact us to discuss your security assessment needs.

← Back to blog