Safety In & Around Your Hotel

In my last blog post, entitled “Leaving Las Vegas”, I covered the poorly and inconsistently implemented security or “wellness” checks conducted by the Las Vegas casino hotels during Black Hat and DEF CON. That post got me talking with some readers about hotel security in general, and some of the safety and security measures that I’ve been known to follow in and around my hotel during my frequent travels. Now, to be honest I don’t always follow all of my own advice (who ever does?), and there will be certain things I’ll adjust based on my environment. Staying in a not-so-great part of town, travelling internationally, or even being at a security conference may necessitate some of the more extreme measures. I’ll let you decide what you feel comfortable with and how paranoid you want to be. That said, if you’re not in the security industry, you might not be paranoid enough, and I think this blog entry might open your eyes a bit.

What follows is a bit of a “brain dump” that I’ve tried to logically group into three areas:

  • Physical Security – ensuring your physical safety in case of fire or weather emergency, and how to prevent yourself from being robbed
  • Surveillance Prevention – keeping yourself from being spied on or recorded. This starts to get into more “extreme” measures, but consider the stories you’ve heard about hidden cameras at AirBnB locations.
  • Counter Surveillance – covering a few methods to determine whether someone has been in your room while you are out

I should point out that I vetted these tips with a couple of federal law enforcement agents and a female friend who was a private investigator for fourteen years. I wanted to not only get the “what the pros do” perspective, but also the perspective of a female traveler.

You’ll find this entry is interspersed with lots of links. Make sure to check them out for more information!

Ok, so here we go…

Physical Security

  • When you first get to your room be sure to verify operation of locks on the door, adjoining doors, windows, or sliding glass doors. If there is something broken – get a new room.
  • Always bolt your door and use any additional security swing bar or “flipper” provided when in your room. It won’t keep intruders or hotel staff out for too long, but it can increase the time it takes for them to enter. Yes, there are tools to bypass various styles of swing bars, and the hotels have them for valid security purposes.
  • If there is an additional security bar on a sliding glass door, make sure it’s engaged when you leave your room.
  • Consider a traveler door stop to keep the door from opening or to alert you when you are in your room. Even a simple rubber door stop would be unexpected by an intruder and will slow them down or cause them to make noise. There are metal ones that screw into the carpet that prevent the door from being opened and cheap ones with an alarm that will alert you of an entry (but that don’t physically stop the door from opening).
  • The Americans with Disabilities Act (ADA) compliant lever-style door handles unfortunately have a known vulnerability. If there is enough space below the door, an Under Door Tool (UDT) can reach under the door and pull down on the handle, opening the door. An “Over Door” attack using film to hook the door handle is also possible. To prevent these attacks, roll up a hand towel and put it behind the lever-style handle to prevent the wire on the UDT or the film from hooking the handle. Sometimes you can even wedge the towel well enough to stay in place while you are out.
  • Getting a room near a stairwell exit may be convenient in case of a fire or for easy access to your room, especially if you’re just on the second floor. This is a double-edged sword however since it may also make it easier for a thief to make a fast getaway. Try a room in the middle of a hallway to prevent this.
  • Assume that anything in your hotel room can be accessed either by a thief or by hotel security. Hotel safes are OK perhaps for when you’ll be out of your room for a short duration, but keep in mind these are not high-security, and hotel security will have a reset combo to your safe out of necessity.
  • A Pelican case with a GOOD lock on it may keep a thief or security out of your possessions, but keep in mind that security (especially in Las Vegas) may either lock you out of your room or confiscate the case if they think it contains anything dangerous, and a thief can take it for later.
  • If you have the Do Not Disturb sign on the door, leave the TV on at a volume that can be lightly heard through the door to make an intruder think you could still be in the room.
  • While you may never need or use it, verify that your room phone at least has a dial tone and that the number for the front desk and/or hotel security is on it or programmed in.
  • Prep your daily carry bag for the next day before you go to bed. Having it packed with wallet or purse, keys, laptop, phone, and portable battery will not only save you time in the morning, but if there’s a fire alarm you can grab your valuables as you go out the door. If you’re charging your devices you can even put them into the bag with cables attached so a quick unplug is all you need to do.
  • Know your exit routes in case of fire or if you have to flee a dangerous situation. Many hotels are required by law to post a fire exit route, or do so anyways for safety or liability reasons.
  • Avoid staying on the first floor because it’s easier to break in. Conversely, don’t stay too high due to the limited reach of fire rescue ladders which typically only go up to the 9th or 12th floor depending on the model. This rule I’ve been known to ignore at times when the view is just too good to pass up!
  • If someone knocks at your door claiming to be hotel staff you don’t have to let them in immediately. It is not rude to ask them to give you their name and to hold some identification up to the peephole. At that point you may want to call the front desk to confirm who they are (and you should let them know what you are doing).
  • If you are traveling alone, tell a partner, relative, co-worker or close friend what your travel plans are. This may even include where you are staying and what room number you are in.
  • Use the main entrance to the hotel as opposed to the side entrances to ensure a safer environment with more people and better lighting.
  • When parking, good lighting and visibility of the main entrance are key. If you can’t find either, consider taking advantage of hotel valet service if provided. You won’t be wandering into dark parking lot corners, and your car will probably be kept in a more secure area.

Surveillance Prevention

  • If there isn’t a flipper cover over your peephole, plug it with a bit of tissue or toilet paper to prevent someone from looking through it. You may remember the case of Erin Andrews, where a stalker surreptitiously filmed her through the peephole. Reverse peephole viewers can be acquired for less than $50.
  • Traffic interception of WiFi and mobile data is real. You may not be targeted (most of us aren’t that important), but someone may just be intercepting everything to see if anything of value can be detected. If the websites you’re going to don’t support proper encryption (even “HTTPS” can be poorly implemented) your traffic can still be snooped on. To prevent WiFi interception some hotels are slowly updating to more secure systems that provide segmentation or isolation of your connection to the Internet.  It’s also possible to set up a rogue (fake) access point that looks like the hotel WiFi but isn’t. Even mobile data can be intercepted using a fake cell tower. Both of these intercept your traffic and forward it to the Internet, collecting your data and potentially injecting malware. To help protect against both scenarios and prevent your personal devices from becoming infected:
    • It’s always a good idea to use a VPN service that forces all your traffic through it to wrap it in another layer of encryption.
    • Update and patch all electronics before travelling and don’t accept new “push” updates. Turn off auto-update of apps too.
    • Don’t download new applications while travelling, or if you do, make sure it’s on the VPN and away from your hotel, preferably while moving which would make interception more difficult.
    • Don’t access your more sensitive accounts such as banking or health care unless you really have to, and then only do so on your VPN
  • Some high-end tourist hotels are starting to test or install digital home assistants such as Amazon Alexa in guest rooms. Depending on your threat model you may want to unplug these until you end your stay. I don’t know how or if the hotels are performing a factory default wipe on them between guests. I don’t see a reason why a previous guest can’t just install a rogue app that listens to the room 24×7.
  • Turn all your lights off and use the flashlight on your phone to pan around looking for lens glint where there shouldn’t be something electronic. Include electronics, vents, smoke alarms, etc.
  • Look at the devices in the room and determine if they make logical sense. Are there two smoke detectors, or other electronics that stand out as unusual such as a “motion detector” when there isn’t an alarm system? Do any of the devices have an odd hole where one normally wouldn’t be?


Counter Surveillance

  • By setting “tells” you can determine if someone was in your room, or if they searched your possessions. A tell is just something seemingly innocuous that when moved will indicate something was tampered with. You can set these in your room or even inside your safe.
    • A small piece of toilet paper or a leaf on the floor about halfway through where your door would sweep open may go unnoticed. An observant intruder might assume they tracked it in on their shoes and pick it up to leave no trace.
    • Perfectly align books or papers against a desk or table edge and then very slightly misalign one of them by approx. a millimeter or so.
    • Balance a coin against the side of something
    • Place a thread, hair, or piece of paper at a specific height into a door as it closes
    • Open a drawer or cabinet door to a specific position and leave it as-is. Measure the distance it is open using another object as a guide.
  • Arrange your possessions in such a way that their position may go unnoticed but that is meaningful to you. This even goes for the things you put in your safe.
  • Take a picture of where you left things and compare the photos when you return to your room, looking for differences.
  • Any electronics that are left in your room should be encrypted and powered off. This makes it harder for forensics tools to pull data off the device by connecting to its USB port. Using the “glitter nail polish trick” can alert you to any internal tampering of your device. Just paint a thin layer of glitter nail polish over screw holes and/or along case seams and take a photo of them when dry. If your device has been opened, the nail polish will be cracked or missing. If painted over again, the glitter pattern will not match.
  • Travel with your own hidden camera OR use a cheap pay as you go (“burner”) phone connected to the hotel WiFi for motion sensitive recording. I tried out several motion detecting webcam apps for Android preparing for this article and was most impressed by IP Webcam. You can save photos and videos locally when motion is detected, and if you sign up for a free iVideon account you can even get free cloud recording. The Pro version of IP Webcam even supports Tasker integration so you can call a task that sends an SMS to you when motion is detected. Either that, or you can configure the iVideon mobile app to push motion detection alerts to you as frequently as every fifteen minutes.

Do you have any other tips that I’ve forgotten about? Please feel free to share in the comments!


3 thoughts on “Safety In & Around Your Hotel”

  1. Another great post! Some of my thoughts on VPN and WiFi…

    VPN: Even if all browsing is to HTTPS secure sites, the hotel can track and log every site you visit. And you have to sign onto their network at least once every 24 hours with your last name and room number, right? That is linked to your site visit log, how long you spent there, where you went next, etc. A VPN hides all of this in the encrypted channel.

    Corporate VPN: Do NOT rely on a corporate VPN to protect your non-work communications. Many companies employ split-VPNs where what they care about is in the encrypted channel to the company network, but anything to other domains (banks, search engines, this blog, your personal email, etc.) bypasses the encrypted channel making it more visible to the hotel. Your employer does this to conserve their bandwidth for work stuff. On the other hand, if the work PC uses a full-VPN, then your employer can track all of the sites you visit, just like the hotel can without the VPN.

    Personal VPN: Free VPN services are available. While these are better than nothing, a paid service is usually better. Choose one that doesn’t keep logs.

    Hotel WiFi: Since everyone else is using the hotel WiFi, if possible, use the wired network. I bring an Ethernet cable (a cheap, flimsy CAT5 that packs easily) and use the hotel’s wired network when available. I say “when available”, because while my DEF CON residence, the LYNQ Hotel, had a physical Ethernet connection in the room, the line was dead. VPN is still an excellent idea on the wired network.

    If you have unlimited data on your smartphone, using it as a local hot-spot is a great way to avoid hotel WiFi. (And sometimes that 4G LTE is faster than the hotel.) Yes, use the VPN here, too, to keep your cell carrier from tracking your browsing.

    Phones and WiFi: I almost never connect my cell phone to a non-home WiFi network. On the very rare occasion when I do, like when I can only get 3G or 1x with minimal bars in my hotel room, I always use my VPN service. Always.

    Foreign Travel: Different countries and the companies within them have different levels of respect for privacy. Adjust your operational security practices accordingly.

  2. Pingback: Hotel Room Security and Privacy with Special Guest Patrick McNeil – WB39 – Shared Security

  3. Pingback: Preparing for “Hacker Summer Camp” | the placebo effects
