Diana Lavery’s Airbnb house guest was a fan of Game of Thrones. So much so that he used her HBO subscription to pirate the entire series.
“I got a slap on the wrist from HBO and my cable provider because of it,” says Lavery, an Airbnb host in Mammoth Lakes, Calif. “But that was the only problem I’ve had.”
With the advent of the so-called sharing economy, more than 60 million people have stayed with Airbnb hosts in 191 nations. And security experts worry that the popularity of short-term rentals will attract more attention from casual hackers looking to exploit poor security practices to steal credentials, infect machines, or even spy on browsing patterns.
Intruders mimicking Airbnb can also dupe hosts and guests into unknowingly revealing account passwords in response to phishing emails or text messages. At that point, they can use the compromised account to set up phony listings and get unwary guests to pay by bank wire transfer outside the Airbnb payment system.
“Consider the following analogy,” says security researcher Jeremy Galloway. “You should not really worry about bank robbers, but you should worry about casual thieves checking your car door to see if it’s unlocked. Attacks on short-term rentals are most likely crimes of convenience rather than elaborate, coordinated operations.”
Galloway says people who rent out their properties on Airbnb are not always aware of the magnitude of the cyberthreats and thus fail to take necessary precautions. He warns that most short-term rentals are probably less secure than the run-of-the-mill coffee shop or airport network.
“If anything, Airbnb and [other rental providers] should recommend that hosts never share their personal Wi-Fi connection,” he advises.
An Airbnb representative was not immediately available for comment. But the company has previously issued statements making clear that guests ought to understand that they may not be accessing a secure network.
No need for paranoia
Still, hosts can take steps to protect their network security by adopting common-sense measures.
Noelle Bounds, an Airbnb host who rents out a sofa in her Bay Area apartment, doesn’t leave her work laptop unguarded and also takes it with her when she’s away from her home.
“I’m working at home nearly all the time that a guest is using the apartment,” she says, adding that “the worst problem so far is that somebody didn’t clean up the stove after using it.”
As a matter of practice, hosts should keep temptation at a distance and remove physical access to networking hardware by storing units in a locked room, or at least locking the device away in a hardware enclosure. They should also keep their network hardware up to date and change the default password for all networking gear.
Instead of sharing a personal Wi-Fi connection with guests, set up a separate, cheap line, and occasionally back up the router firmware. And to help put guests in a security state of mind, add a note about online safety in the guest welcome guide.
Galloway, who delivered a Black Hat presentation about short-term rental security challenges, offers a checklist for hosts to follow:
Do:
- Use a VPN on your computer and mobile device
- Be aware and skeptical when using new or untrusted networks
- Disable WPAD in your browser
- Use the EFF’s HTTPS Everywhere plug-in
- Encourage service providers to use HSTS
- Check to see if guests have physical access to networking hardware
- If you cannot trust the network, use 4G/LTE
Don’t:
- Use plain-text protocols such as POP3, FTP, and HTTP
- Blindly trust unknown networks
- Enter credentials unless you’re 100 percent sure that the request is authentic
- Assume that you’re not important enough to be a target
- Assume that attacks will be sophisticated. Most are simple.
And when all else fails, a host can always take an old-school approach.
“I did have one guest once who was asking me pointed questions about my security and whether I was afraid to be there by myself with strangers,” Lavery recalled. “He looked a little aggressive. But after I explained to him that my dogs are protective, and that I have a rifle, he quieted down and behaved himself.”