Researcher sounds alarm about how attackers could ruin your stay this summer.

From the U.S. to Spain to Russia, you’ll find Wi-Fi in homes you rent through Airbnb and other vacation sites. It comes in handy—you can check out local sights and restaurants, double-check your account balances, and send e-mail home.

Now, a security researcher is warning that these vacation rental Wi-Fi routers are vulnerable to attack, and people who stay could end up losing personal information and the contents of those accounts they just checked.

“This attack is not sophisticated, which is why it’s so dangerous,” said Jeremy Galloway with cybersecurity company Atlassian. “A bored 16-year-old can do it.” 

The hacker would need to book a night—or more—at the rental, then simply use a tool like a paper clip to reset the router, Galloway said. Then, he or she could have control of the network.

“As long as you can physically put your hands on the router, and hard reset it, you can own the local network,” Galloway told Archer News. “Extremely easy.”

Owning the network

That means the next guests who stay at the rental and use the Wi-Fi are vulnerable, according to Galloway. While you use the Wi-Fi, the malicious hacker could be secretly pulling the strings from afar.

“Once an attacker gains control of the local network, it’s possible for them to redirect users to websites they control,” Galloway said. “For example, if you try to visit ‘mybank.com,’ the attacker can point ‘mybank.com’ to a server they own and collect your login info,” he added. If they have your login info, they can sign in as you and take your money. Or, they can sell your login information on the black market.

“It’s also possible to redirect users to a page that says something like ‘click here to continue,’ Galloway explained. “And when they click, malicious software is installed to their computer.”

The attacker could then gather your information as you type, send you fake messages and images to get you to give up the goods, turn your device into a zombie computer used to attack others and more.

How he found it

Galloway was a guest himself, on a snowboarding trip with friends, staying at what he called a “nice rental.”

“While everyone was out, I wanted to prank my friends by messing with the network,” he said. “I thought it might take some time and patience to hack the router, but I soon realized, as long as you have physical access to reset the router, gaining ‘admin’ over it is trivial.”

He was surprised that no one was talking about the problem, he said, so he decided to “start the convo.” Galloway is presenting a talk about this vulnerability at the Black Hat USA 2016 conference in Las Vegas on August 4. He calls his talk “Airbnbeware: short-term rentals, long-term pwnage”—using the hackers’ term for “owning” or “pwning” a system or a person.

Airbnb says it has more than 2,000,000 rental listings in almost 200 countries, and more than 6,000,000 members. HomeAway claims to have 1,200,000 listings around the world. 

“Airbnb and short-term rentals are hugely popular and they’re only getting more prevalent,” Galloway said.

Airbnb for work

More and more people are using home rentals for work, in place of hotels.

Airbnb said business travel on its site has tripled this year, and 50,000 companies have used their site to make a booking. Last month, the site launched a new feature that allows Airbnb users to make travel plans for employees and co-workers. And the site also features “Business Ready Travel” listings, featuring “all the essential amenities and services a business traveler needs like free Wi-Fi, laptop-friendly workspaces and 24-hour check-in.”

With one out of ten Airbnb travelers booking for business, Galloway’s vulnerability could put potentially companies at risk.

Airbnb also announced a jump in bookings for the national political conventions this year, with about 2,000 guests staying in Cleveland during the Republican National Convention, and about 5,000 staying in Philadelphia during the Democratic National Convention. Insecure routers could put political data at risk as well.

Solutions

One solution to the attack, according to Galloway—travelers can use a virtual private network, or VPN, to protect themselves while using Wi-Fi at a vacation rental.

But Galloway said that is not enough—he wants rental owners to lock up the routers in their vacation homes. Put it in a closet or cabinet with a locked door, or even in a locked safe box on a shelf.

“Some of this can be mitigated by using a properly configured VPN, but the very best option is for homeowners to remove physical access to the local network hardware,” he said.

The attack could affect rental owners, too.

“Although the homeowner is not legally liable for guests’ computer hardware, they may be liable for content downloaded from their IP address,” Galloway said, though he added, “Guests have much, much more risk.”

Trust

Hacking a rental home router to steal people’s information seems to run counter to Airbnb standards.

“We ask you to respect others’ property, information, and personal belongings,” the standards say online. You should not “take property that isn’t yours, use someone’s property without their permission, copy others’ keys or identity documents, damage others’ property, squat in listings after a stay is concluded, access others’ accounts without authorization, spy on other people, or otherwise violate others’ privacy, copyrights or trademarks,” according to the standards.

Some members and homeowners follow the rules, while others may not—for example, some Airbnb rental owners put theft controls tags on their towels to keep guests from stealing them.

For some cybersecurity experts, the next step for homeowners should be security control for their routers—to keep malicious visitors from taking digital control of their vacation homes.