A free iPad in a hotel room and the string’s attached

Hotels offer not just free WiFi but occasionally even free use of devices such as iPads these days. While it is really nice, a misconfigured device like this may store just a bit too much personal data, easily retrievable by the next visitor…

Securelist ran a curious blog piece that dealt with personal data safety in hotels, written by our expert Dmitry Bestuzhev. In a nutshell the story goes like this: a person with security expertise took a look at the free iPad installed in a hotel room and found… well, a lot.

“To my surprise, it not only contained the event agenda and provided a free WiFi connection, but also included a lot of private personal information from previous guests who had stayed in the same room,” Bestuzhev wrote. “When I speak about private personal information, I mean accounts with pre-saved passwords, authorized sessions on social networks, search results from the browser (mostly pornographic content), full contacts automatically saved into the address book, iMessages and even a pregnancy calculator with real information.”

Scary, isn’t it? It didn’t take long for Bestuzhev to find out a lot of this data was personally identifiable, and moreover, some of it clearly belonged to some very public people, some even working for governmental entities. It doesn’t take a wild imagination to figure out that malicious people could use this information for (hint: blackmail, phishing, impersonation, profit).

It’s always nice to have extra services in hotels. Free WiFi is a common thing these days. Some hotels go as far as offering free-to-use devices, such as iPads, or even PCs (Macs included) to their guests.

But there are, unfortunately, some strings attached, albeit – probably – non-intentionally.

First of all, there are usually certain setbacks in security of the WiFi networks in public places (and here are some tips how to stay safe on them). But free devices pose a different kind of risk.

Remember public internet cafes or PCs in public libraries? It was a common mistake to log into a personal account (email or a blog service) and to forget to log out after the session ends. The next user would occasionally leave some “surprises” – ranging from a kind advice through obscenities left on the oblivious predecessor’s behalf.

The situation with a free iPad in this case is much more serious. The Apple iPad is a personal device, and its default settings suggest it’s used by a single person continuously – hence all the automatically saved passwords, addresses and iMessages – and not by a long sequence of the random people occupying the same room for a short time.

“Maybe I’m too suspicious, but having an unknown and untrusted device like a tablet in my room, which is equipped with an embedded camera and a mic, I just preferred to switch it off and store it inside a drawer. I had to do this every afternoon since the cleaning staff put it back on the desk every day I was at the hotel”, Mr. Bestuzhev wrote.

And that’s actually a proper security and self-protection practice – especially for businessmen or government officials, who are routinely in the crosshairs of hostile parties.

Occam’s razor suggests that the hotel workers just didn’t care about the possible ramifications of the personally-identifiable data cached on these iPads. It also suggests that the cleaning staff just followed instructions and there was no malice intended at all. Still, from the security point of view, something like this – a misconfigured device, “harvesting” personally identifiably data – is inacceptable at all.

This story also illustrates how useful BYOD occasionally may be for traveling businessmen, those who would want to keep their private and work information under their control everywhere – at work, on the plane, in the privacy of a hotel room, or wherever else. The best option is to avoid sharing any data – this includes login credentials of any kind, – with devices that will soon be out of your reach. Because, as Mr. Bestuzhev points out, even if a free device is properly configured and does not visibly store any private information, once a cyber-forensics expert accesses it, he or she would be able to take an image of the whole device and then recover that private data step by step. Even if it may sound far-fetched a bit, this is a possibility which just does exist. And such possibilities are better to be ruled out – just for caution’s sake.