Hotels: what can be compromised in 4 hours
The real compromise vectors in a hotel: Wi-Fi, safes, locks, staff, a room left alone.
A senior executive puts his laptop in the safe of his room in Beijing and leaves for a meeting. Six hours. On return, everything is in place: the machine is exactly where he left it, the lock screen awaits him, the safe is closed. He sleeps soundly. Three weeks later, the competitor negotiating the same asset produces, out of nowhere, an offer calibrated to within a million of the financial model that was sleeping on that disk. Nobody will ever be able to prove the link. That’s exactly the problem: the compromise of a hotel room leaves no trace, and that’s why people keep believing it doesn’t happen.
Reading angle
The usual trap
“The hotel is safe, I put the laptop in the safe.” I hear it at every travel audit, from intelligent people who are otherwise careful. The line rests on a confusion between two threats that have nothing to do with each other: opportunistic theft — a guest who got the wrong floor, a cleaning crew pinching a watch — and organised malicious access, that is, an adversary who wants precisely what’s on your device and who has legitimate access to the room. Against the first, the safe is a reasonable barrier. Against the second, it’s a sheet of paper with “private” written on it.
The second trap is cultural. We’ve internalised the hotel as an extension of home: a private place, locked, where we lower our guard. It’s the opposite. A hotel room is a space whose walls, lock, network and equipment you don’t control, and to which a surprising number of people have perfectly legal access. The floor staff, maintenance, the establishment’s security, management, and in some jurisdictions the state services on simple request. You’re not at home. You’re the tenant of a shared volume, managed by a third party whose interests are not yours.
The third trap is believing the threat boils down to “getting your Wi-Fi hacked.” Wi-Fi is the best-known vector and the easiest to close: a VPN and an eSIM, done. The vectors that hurt are physical: the door lock, the safe, access in your absence, the room’s equipment. They’re also the ones nobody talks about, because they’re invisible and they contradict the reassuring idea that we control something. This article inverts the hierarchy: we start with what counts, not with what gets talked about.
The real threat model: what can fall in four hours
Four hours is the length of a meeting. It’s also, comfortably, the time it takes a prepared person to do what follows in an empty room. Let’s list the vectors in order of their real impact, not their notoriety.
The door lock is not the obstacle you imagine. In 2024, the Unsaflok research team (Ian Carroll, Lennert Wouters and colleagues) published a chain of flaws affecting the Saflok RFID locks from manufacturer dormakaba, deployed on more than three million doors in around 13,000 establishments across 131 countries. With a single card from the hotel, including an expired one picked out of a bin or recovered at reception, and a reader-writer costing a few dozen euros, an attacker forges in seconds a pair of cards that opens any door in the establishment: the first rewrites the lock’s data, the second opens it. The fix requires updating every lock along with the front-desk software and card encoders, and often a change of card technology; in 2025, a portion of the global fleet was still not patched. Hold on to the principle, not the single name: a hotel lock is a convenience product designed for the hotelier’s operational comfort, not to resist a motivated adversary.
The room safe is theatre. The electronic models installed in rooms share characteristics that disqualify them from protecting data. First, a master reset code exists, provided by the manufacturer to reopen the safe when a guest forgets their code; this code is often identical across a whole model, documented in locksmith forums and security-conference talks, and known to staff. Second, many low-end models accept a never-changed default code (000000, 999999, 123456) that was never reconfigured at installation. Finally, the box itself can be forced mechanically in a few minutes on many models. The safe stops the distracted guest and the honest housekeeper. It stops no one who wants to get in.
Access in your absence is the rule, not the exception. A room is cleaned, restocked, maintained. Staff legally enter it every day, sometimes several times. In that window, the so-called evil maid attack, named and demonstrated by Joanna Rutkowska in 2009, becomes trivial: a few minutes of physical access to an unattended device is enough. Her demonstration targeted a powered-off laptop with full-disk encryption: boot from a USB stick, replace the unencrypted TrueCrypt boot loader with one that records the passphrase, come back later to read it. If the disk isn’t encrypted, it’s simpler still: cloned in full in fifteen to forty-five minutes with a kit that fits in a pocket. If the machine is asleep rather than powered off, the encryption key is sitting in RAM, and memory-extraction attacks (cold boot, DMA through an exposed port) make the encrypted disk readable again. On return, nothing has moved. That’s the very definition of a successful compromise: invisible.
The rest of the room is hostile too. The hotel’s Wi-Fi is a network shared between hundreds of strangers, often managed by a “hospitality” provider whose security standards don’t match an enterprise network’s, with absent or sloppy segmentation between rooms: an ideal terrain for a man-in-the-middle (MITM) attack. The connected television is a microphone and a camera whose configuration you don’t control. USB charging stations, the HDMI ports on meeting-room screens, the business-centre printer that keeps the last documents in memory: all surfaces you haven’t audited and never will.
Let’s put durations on these vectors, because it’s the only way to calibrate the risk correctly. Forging a master card on a vulnerable Saflok fleet: a few seconds once the hardware is in hand. Opening a room safe by master code or default code: one to three minutes; forcing it mechanically: five to ten. Cloning an unencrypted disk or waking a sleeping machine to extract its keys: fifteen to forty-five minutes. Implanting a discreet listening device or reconfiguring a connected television: under five minutes for someone equipped. Add it up: the entire scenario — enter, open, copy, leave without a trace — fits within the window of a working meeting. Four hours is not a tight deadline for the attacker. It’s comfortable.
One clarification that changes everything: none of these vectors requires a state intelligence service. The competitor who wants your financial model, the opposing firm that wants your conclusions, the private investigator hired for a divorce or a commercial dispute — all have access to the same equipment for a few dozen euros and the same publicly documented techniques. The barrier to entry has collapsed. What once demanded rare expertise is now ordered online and learned from conference videos. That’s precisely why hotel security, long reserved for “sensitive” profiles, now concerns any executive carrying information that’s worth money to someone.
The right approach: assume access, reduce what there is to take
The mental switch fits in a single sentence: you don’t secure a hotel room, you reduce what a compromised room can yield. You have no reliable way to guarantee no one will enter, nor to know whether someone did. So start from the opposite assumption, access happened, and organise yourself so that this access yields nothing exploitable. It’s exactly the logic of a threat model: you don’t fight the attacker on his ground (the door, the safe), you move the fight to yours (what the device contains and how it communicates).
In concrete terms, this translates into three principles. First principle: what isn’t in the room can’t be taken from the room. The device you bring should contain only what the mission needs, and nothing of the organisation’s operational memory. Sync on demand rather than a full local copy, a “Downloads” folder emptied, messaging histories purged. A laptop containing nothing sensitive turns a successful cloning into a non-event. It’s the most powerful lever, and the cheapest: it requires no hardware, just discipline before departure.
Second principle: a device left behind is a powered-off, encrypted device, never asleep. Memory-extraction attacks on an encrypted disk (cold boot, DMA) need the key in RAM; against a powered-off machine whose full-disk encryption is active, the key is nowhere in memory and can only be derived from the passphrase. You leave the room, you power off: really, not “close the lid.” Powering off does not close the other route, the one Rutkowska’s original evil maid demonstrated: tampering with the unencrypted boot loader so that it captures the passphrase at the next start. That is what Secure Boot, a TPM-sealed key with a pre-boot PIN, and a boot-chain integrity check on return are for. The cable lock won’t stop a professional with ten minutes, but it eliminates opportunistic access and signals that you’re not an easy target, which is enough to redirect an attacker towards the room next door. For trips with real stakes, the device doesn’t stay in the room: it goes with you.
Third principle: the communication channel never goes through the hotel for what matters. The establishment’s Wi-Fi is reserved for uses you could expose without consequence: reading the news, watching a film. Anything touching the company’s systems goes through a local eSIM or the phone’s tethering, with a VPN in always-on mode before touching any network. The reflex to reverse is the “I’ll connect first, launch the VPN after”: between the two, your clear-text traffic has already transited the hotel’s network, and that’s precisely the moment a man-in-the-middle waits for. Strictly speaking the tunnel needs a network to come up, so the rule that actually holds is this: the VPN client is armed before you join, with its kill switch (always-on) set so that nothing but the VPN handshake itself can leave the interface until the tunnel is established. The correct order is inviolable: VPN armed first, network after.
These three principles share a common virtue: they don’t depend on the quality of the hotel. A five-star palace with impeccable physical security and a chain establishment with no night staff pose the same fundamental problem, because the problem isn’t the category but the nature of the relationship. You’re the temporary tenant of a space managed by a third party, full stop. To stop assessing the risk by the standing of the establishment — “it’s a good hotel, it’ll be fine” — is half the way there. The other half is accepting that these gestures become a routine and not a decision to remake on each trip. Security that depends on a repeated judgement always ends up giving way to fatigue; the kind that has become an automatism holds.
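The first two principles are only worth something if they are checked rather than remembered, so here is a pre-departure script that does the checking. It is an added example written for this page, not code from the article’s author, from any vendor or from the research cited. It runs the real OS commands (`fdesetup status` and `pmset -g` on macOS, `manage-bde -status C:` on Windows, `lsblk -rno TYPE,MOUNTPOINT` on Linux) and parses their output; the messaging cache paths, the sensitive-extension list and the home directory built by `demo_residue_scan()` are assumptions and constructed data, not anything observed on a real device.

```python
"""Pre-departure readiness check for a travel laptop: is the disk really encrypted,
does closing the lid leave the key in RAM, and what residual data is still on board."""
import platform
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed locations of local messaging history (adapt per client and OS).
MESSAGING_CACHES = ["Library/Application Support/Slack", ".config/Slack",
                    "Library/Containers/com.microsoft.teams2"]
SENSITIVE_SUFFIXES = {".xlsx", ".xls", ".pptx", ".docx", ".pdf", ".csv", ".key"}
# Commands whose output check_fde() understands, keyed by platform.system().
FDE_COMMANDS = {"Darwin": ["fdesetup", "status"],
                "Windows": ["manage-bde", "-status", "C:"],  # needs an elevated prompt
                "Linux": ["lsblk", "-rno", "TYPE,MOUNTPOINT"]}


def check_fde(os_name: str, text: str) -> list[str]:
    """Return the list of problems found in the command output (empty = encrypted)."""
    if os_name == "Darwin":
        return [] if "FileVault is On." in text else ["FileVault is not on"]
    if os_name == "Windows":
        if "Protection On" not in text or "Fully Encrypted" not in text:
            return ["BitLocker protection is off or encryption incomplete"]
        # A bare TPM protector hands the key to whatever boots; TPM+PIN does not.
        if "TPM And PIN" not in text:
            return ["BitLocker protector is TPM-only: add a pre-boot PIN"]
        return []
    if os_name == "Linux":
        rows = [line.split(maxsplit=1) for line in text.splitlines() if line.strip()]
        root_type = next((r[0] for r in rows if len(r) > 1 and r[1].strip() == "/"), None)
        # Accepts LUKS directly under / or LVM-on-LUKS. An LVM root plus an unrelated
        # crypt device elsewhere would pass: a sanity check, not a proof.
        if not any(r[0] == "crypt" for r in rows) or root_type not in ("crypt", "lvm"):
            return ["root filesystem is not on a LUKS (crypt) device"]
        return []
    return [f"unsupported OS {os_name}: verify encryption manually"]


def check_macos_standby(pmset_text: str) -> list[str]:
    """pmset -g: hibernatemode 25 cuts power to RAM on sleep, DestroyFVKeyOnStandby 1
    drops the FileVault key from memory on standby. Either closes the sleep window."""
    settings = {}
    for line in pmset_text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\d+)\s*$", line)
        if m:
            settings[m.group(1).lower()] = int(m.group(2))
    if settings.get("hibernatemode") == 25 or settings.get("destroyfvkeyonstandby") == 1:
        return []
    return ["sleep keeps the FileVault key in RAM: set hibernatemode 25 or "
            "DestroyFVKeyOnStandby 1, or power the machine off"]


def scan_residue(home: Path) -> list[str]:
    """Principle 1: what is not on the device cannot be taken from the room."""
    issues = []
    downloads = home / "Downloads"
    leftovers = [p for p in downloads.rglob("*") if p.is_file()] if downloads.is_dir() else []
    if leftovers:
        issues.append(f"Downloads not empty: {len(leftovers)} file(s), e.g. {leftovers[0].name}")
    for rel in MESSAGING_CACHES:
        if (home / rel).exists():
            issues.append(f"messaging history present: {rel}")
    docs = [p for p in home.rglob("*") if p.is_file() and p.suffix.lower() in SENSITIVE_SUFFIXES
            and not any(part.startswith(".") for part in p.relative_to(home).parts)]
    if docs:
        issues.append(f"{len(docs)} document(s) with sensitive extensions, "
                      f"e.g. {docs[0].relative_to(home).as_posix()}")
    return issues


def run_local_checks(home: Path = Path.home()) -> list[str]:
    """Run every check against this machine; any returned issue is blocking."""
    os_name, issues = platform.system(), []
    try:
        cmd = FDE_COMMANDS.get(os_name)
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout if cmd else ""
        issues += check_fde(os_name, out)
        if os_name == "Darwin":
            pm = subprocess.run(["pmset", "-g"], capture_output=True, text=True, timeout=15).stdout
            issues += check_macos_standby(pm)
    except (OSError, subprocess.TimeoutExpired) as exc:
        issues.append(f"could not query encryption state: {exc}")
    return issues + scan_residue(home)


def demo_residue_scan() -> list[str]:
    """Constructed home directory (fake files, no real data) showing what gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / "Downloads").mkdir()
        (home / "Downloads" / "financial-model-v7.xlsx").write_bytes(b"\x00" * 16)
        (home / ".config" / "Slack").mkdir(parents=True)
        (home / "Documents").mkdir()
        (home / "Documents" / "notes.txt").write_text("nothing sensitive here")
        return scan_residue(home)


if __name__ == "__main__":
    problems = run_local_checks()
    for p in problems:
        print("FAIL:", p)
    print("ready to leave" if not problems
          else f"{len(problems)} issue(s): the device does not stay in the room")
```

Run it before leaving the room, from an elevated prompt on Windows because `manage-bde` requires one. Any line of output is a blocking finding: either fix it or the laptop comes with you. The Windows branch deliberately treats a TPM-only BitLocker protector as a finding, because a key the TPM releases to whatever boots is exactly what a tampered boot chain collects.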
Conversations and meeting rooms
The most neglected aspect of hotel security isn’t the device, it’s what comes out of your mouth. In a Western country, for a profile not specifically targeted, the risk of a microphone in a room is low — not zero, but not the priority threat. In a jurisdiction with mature interception, it’s another story: rooms and suites frequented by foreign business delegations are known targets of interest, and documented cases of capture exist. The cost of a misplaced sensitive conversation is asymmetric: what you say out loud isn’t encrypted, isn’t backed up, can’t be undone.
The connected television deserves a special mention, because it’s in every room and nobody looks at it as a threat. Smart TV manufacturers have a documented record of audio capture — the 2015 Samsung affair, where the privacy policy literally warned against holding a sensitive conversation in front of the set, is only the most famous. In a hotel room, you have no control over the firmware, the configuration or any modifications to the device. The minimal reflex: physically unplug the television when you work on a sensitive subject, or at the very least treat it as a potential microphone.
Hotel meeting rooms concentrate both risks. The integrated audiovisual systems — table microphones, videoconferencing — are managed by staff or a provider, and in a high-risk context they can be configured for discreet capture without your being able to detect it. The presentation equipment is just as treacherous: plugging your laptop into a room screen’s HDMI port connects it to a chain of trust you haven’t audited, and modified HDMI adapters capable of exfiltrating data have been observed in targeted economic-espionage contexts. The rule for a meeting that matters: present from your own screen, shared on your own access point, plugging nothing into the room’s systems. For truly confidential exchanges, go outside — a café terrace, a park, a walk. An open public space offers better protection than a closed room whose equipment you control none of, because the ambient noise and the unpredictability of the place complicate targeted capture.
What this means in practice
For you, as an individual
Three gestures, applicable from your next trip, under 200 euros total.
- Power the device off, don’t put it to sleep, and forget the safe. Before leaving the room, fully shut down the laptop whose disk is encrypted (FileVault, BitLocker or LUKS, to be verified, not assumed). The safe protects nothing worth protecting: if data is truly sensitive, it shouldn’t be in the room at all. Ideally, the device goes with you. Otherwise, cable lock and powered-off machine. Cost: 0 to 25 euros for a cable.
- Hotel Wi-Fi forbidden for anything that matters, eSIM + VPN for the rest. Buy a local eSIM (Airalo, Holafly, or your carrier’s international plan) and activate your VPN, with its always-on/kill-switch setting, before connecting to anything. The establishment’s Wi-Fi serves only uses you’d accept seeing published. Cost: 5 to 30 euros for the eSIM; the VPN is often already included in your subscriptions.
- Disconnect accounts, slip your cards into an anti-RFID sleeve. Disconnect from the travel device the cloud accounts you won’t use (family photos, secondary mail, useless work folders). An anti-RFID sleeve or wallet (15 to 30 euros) stops a close-range read of your contactless bank cards in a crowded lobby (a biometric passport’s chip needs the printed MRZ to unlock, so the sleeve matters mostly for the cards). And incidentally, never leave your room access card lying around: it’s cloned in seconds.
For you, the CISO / IT director / executive
Hotel security is structurally weak, and the 2024 Unsaflok vulnerability demonstrated it at the scale of millions of doors. This isn’t a conference anecdote: it’s the confirmation that you can’t outsource trust to the hotelier. Your travel policy must code that explicitly.
1. The travel policy must treat the hotel as an untrusted environment by default. As long as the room is implicitly considered “safe,” your employees will leave equipment in it and hold sensitive conversations there. The rule must be written: no device containing critical data stays unattended, no confidential meeting in a room in a high-risk jurisdiction. Direct consequence: you bring the hotel into the scope of your ISO 27001 information security management system on the same footing as the workstation, with measures auditable per destination risk level.
2. Clean desk applies on the road too, and it’s technically verifiable upstream. A travel device containing only the strict minimum turns a cloning into a non-event. That assumes sync on demand, bounded messaging histories, and a provisioned travel workstation. Direct consequence: for high-level trips, you supply a dedicated travel image rather than the production machine, and you open a return incident-response ticket before departure even happens.
3. The triggering of the measure must be automatic, not left to individual vigilance. Nobody spontaneously consults the procedure before booking. The signal must come from the booking or the expense report and alert IT for sensitive destinations. Direct consequence: you wire a trigger onto the corporate booking tool, with an alert to the SOC the moment a mature-interception destination is detected, and a mandatory pre-departure briefing.
Mistakes we see all the time
- Leaving the laptop asleep in the safe. A combination of two illusions: the safe opens in a few minutes, and sleep leaves the encryption key exploitable. A powered-off machine in the bag you carry beats a sleeping machine in the best safe in the world.
- Believing a closed door guarantees privacy. The RFID lock is a convenience product, not a security device. Unsaflok proved it on millions of doors. You’ll never know whether someone got in.
- Holding a confidential conversation in the room in a high-risk country. The connected television, the integrated equipment, and sometimes the walls are not on your side. Sensitive discussions are held outside, in a non-isolated public space where listening conditions are unfavourable.
- Plugging your laptop into the meeting room’s HDMI port “just for the presentation.” You plug into a chain of trust you don’t control. Present from your own screen, shared on your own access point.
- Using the hotel’s Wi-Fi to access corporate systems. Shared network, opaque provider, dubious segmentation: it’s a public Wi-Fi with a classier logo. eSIM and VPN, without exception, for anything professional.
- Printing a sensitive document on the hotel’s equipment. Printers and copiers keep the last files in memory, often in clear. In an establishment frequented by business delegations, that memory is a goldmine for whoever has access.
Actionable checklist
- N1 Fully power off the laptop when leaving the room (never asleep)
- N1 Leave nothing sensitive in the safe — it's not secure
- N1 Cable lock on the laptop for low-stakes uses
- N1 Access card never left unattended (clonable in seconds)
- N1 Anti-RFID sleeve for bank cards and biometric passport
- N2 Hotel Wi-Fi reserved for non-sensitive uses only
- N2 Local eSIM + VPN activated before any connection for professional use
- N2 Useless cloud accounts disconnected from the travel device
- N2 Downloads folder and messaging histories purged before departure
- N2 No printing of confidential documents on the hotel's equipment
- N2 Nothing plugged into the room equipment's HDMI/USB ports
- N3 Dedicated travel device (clean image) for high-risk destinations
- N3 No confidential conversation in the room in a high-risk jurisdiction
- N3 Presentations from your own screen, without plugging into the room
- N3 Access hypothesis assumed on return: isolation and scan before network reconnection
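The last checklist item, assuming access on return, is only actionable if you have something to compare against. The script below is an added example written for this page, not a tool from the article or from the Unsaflok or evil maid research: it fingerprints the unencrypted pre-boot files before departure and diffs them on return, which is exactly where the 2009 evil maid implant lived. The directory to fingerprint (the EFI System Partition, /boot/efi on most Linux installs, or /boot where the kernel and initramfs sit in clear) and the manifest location are assumptions; `demo_tampered_esp()` builds a constructed mock partition with placeholder bytes, not real firmware files.

```python
"""Evil-maid detective check: fingerprint the unencrypted pre-boot files before
departure, compare on return. Detects changed files only; Secure Boot and a
TPM-sealed key with a pre-boot PIN remain the preventive controls."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file below root (symlinks skipped)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def diff_manifests(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, disappeared or changed content between two snapshots."""
    common = before.keys() & after.keys()
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "modified": sorted(k for k in common if before[k] != after[k])}


def manifest_fingerprint(manifest: dict[str, str]) -> str:
    """Hash of the manifest itself. Write this short string down off-device (phone,
    paper): an attacker who can also rewrite the manifest file then gains nothing."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:16]


def baseline(root: Path, manifest_path: Path) -> str:
    """Snapshot root into manifest_path; returns the fingerprint to carry separately."""
    manifest = build_manifest(root)
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_fingerprint(manifest)


def verify(root: Path, manifest_path: Path, expected_fingerprint: str) -> dict[str, list[str]]:
    """Re-scan root and diff against the stored baseline, after checking the baseline itself."""
    stored = json.loads(manifest_path.read_text())
    if manifest_fingerprint(stored) != expected_fingerprint:
        raise ValueError("manifest does not match the fingerprint you carried: "
                         "the baseline itself has been altered")
    return diff_manifests(stored, build_manifest(root))


def demo_tampered_esp() -> dict[str, list[str]]:
    """Constructed mock EFI partition (placeholder bytes, no real firmware) showing
    the diff after an implant swaps the boot loader and drops an extra driver."""
    with tempfile.TemporaryDirectory() as tmp:
        esp, manifest = Path(tmp) / "esp", Path(tmp) / "manifest.json"
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"original loader")
        (esp / "EFI" / "BOOT" / "grubx64.efi").write_bytes(b"original grub")
        fp = baseline(esp, manifest)
        # the visit: loader replaced by one that records the passphrase, driver added
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"trojaned loader")
        (esp / "EFI" / "BOOT" / "keylog.efi").write_bytes(b"implant")
        return verify(esp, manifest, fp)


if __name__ == "__main__":
    # usage: bootcheck.py baseline <dir> <manifest.json>
    #        bootcheck.py verify   <dir> <manifest.json> <fingerprint>
    if len(sys.argv) >= 4 and sys.argv[1] == "baseline":
        print("fingerprint (keep off-device):", baseline(Path(sys.argv[2]), Path(sys.argv[3])))
    elif len(sys.argv) >= 5 and sys.argv[1] == "verify":
        print(json.dumps(verify(Path(sys.argv[2]), Path(sys.argv[3]), sys.argv[4]), indent=1))
    else:
        print(json.dumps(demo_tampered_esp(), indent=1))
```

Two operational points. A compromised OS can lie about its own files, so the verify step is best run from a live USB system you carry, before the machine touches any network. And legitimate OS updates rewrite these files, so re-baseline after each update; a non-empty diff with no update in between is the signal. On Linux with tpm2-tools, the PCR values printed by `tpm2_pcrread` can be snapshotted the same way to catch firmware-level changes that a file hash cannot see.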
Going further
The Unsaflok research (unsaflok.com) documents in detail the chain of flaws in Saflok RFID locks, its scale (more than three million doors in 131 countries) and the slow state of patch deployment; worth reading to grasp that the weakness isn’t theoretical. The associated DEF CON 32 talk by Ian Carroll and Lennert Wouters shows the exploitation mechanics. On the individual-defence side, the EFF’s Surveillance Self-Defense guide (ssd.eff.org) remains the best free entry point on physical and network vectors, and the NCSC publishes short, factual mobile-device guidance for travellers, too often ignored. Joanna Rutkowska’s founding post on the evil maid attack (2009) explains why a few minutes of physical access defeat disk encryption on its own: the unencrypted boot loader of a powered-off laptop can be swapped for one that records the passphrase. That is the reason the device should not be left at all when the stakes are real, and a sleeping machine, whose key is already in RAM, is worse still.
To connect the hotel to the rest of the travel cycle: the pre-departure preparation explains how to provision a device that yields nothing even when cloned; borders and customs deals with the moment confiscation becomes legal; and travelling to China details the case of mature-interception jurisdictions, where the assumption of room access stops being a precaution to become an operational certainty.
Sources and further reading
- Unsaflok — RFID lock vulnerability (Ian Carroll, Lennert Wouters, et al., 2024) [report]
- DEF CON 32 — Unsaflok talk by Ian Carroll and Lennert Wouters (RFID hotel locks) [talk]
- NCSC UK — Mobile device guidance [official]
- EFF — Surveillance Self-Defense [official]
- Joanna Rutkowska — Evil Maid goes after TrueCrypt (2009) [report]