Hotel WiFi Is Not the Threat. The Captive Portal Is.
Most hotel WiFi advice is stuck in 2013. The bigger problem now is the captive portal: identity collection, room number linking, device fingerprinting, DNS visibility, and sloppy portals that train travelers to click through anything.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
The old hotel WiFi advice is stale
People still talk about hotel WiFi like it is 2013. Evil twin access points, open networks, packet sniffing, and somebody in the lobby reading your traffic.
Those attacks still exist. They are not the main issue for most travelers now.
The bigger problem is the captive portal. The page that asks for your room number, last name, email, loyalty account, conference code, or phone number before it lets you online.
That page links your device to your identity.
What the portal learns
A hotel portal can collect:
- name
- room number
- phone number
- loyalty account
- device MAC address or randomized MAC
- browser fingerprint
- arrival and departure window
- DNS queries
- device hostname
- conference affiliation
Some hotels run this through third party WiFi vendors. Some venues run it through conference contractors. Some portals are built well. Some look like they were assembled under a table five years ago and never touched again.
The risk is identity binding
HTTPS protects most page contents. That is good.
It does not stop the network from knowing that your device connected, when it connected, what domains it asked for, and which captive portal identity unlocked access.
If the portal asks for your room number and last name, the network can tie device activity to a person. If it asks for email, the broker trail gets cleaner. If it asks for a conference code, your professional affiliation is now part of the record.
Before you travel
Do this before the airport.
- Update your laptop and phone.
- Remove old WiFi networks you no longer use.
- Turn on randomized MAC addresses.
- Install a trusted VPN, but do not treat it as magic.
- Set secure DNS if your device supports it.
- Remove sensitive files you do not need for the trip.
- Sign out of accounts you will not use.
- Bring a charger you own.
- Bring a spare USB data blocker if you use public ports.
The boring prep matters more than clever hotel tricks.
At the hotel
Use your phone hotspot when you can. It is usually cleaner than hotel WiFi.
If you need hotel WiFi:
- Use the official network name from the front desk or room material.
- Avoid networks with similar names.
- Use a randomized MAC address.
- Give the minimum portal data.
- Do not install certificates or profiles.
- Do not install hotel apps just to get online.
- Turn off file sharing and AirDrop style discovery.
- Use the VPN after the portal completes.
If a portal asks you to install a certificate, leave. That is not normal for guest WiFi.
The VPN rule
A VPN hides traffic contents and DNS from the local network if configured correctly. It does not hide the fact that you connected to the hotel network. It does not stop the portal from collecting identity data before the VPN starts. It does not make a compromised device safe.
Use one anyway. Just understand what it does.
Conference WiFi
Conference networks are worse because the identity context is richer.
The network operator may know:
- attendee name
- badge email
- employer
- ticket type
- session location
- device count
- sponsor booth visits if the app is involved
If you are doing sensitive work, use a hotspot. If you are presenting, assume your device name and traffic timing are observable.
Border crossings
Do not carry data you do not need.
Before crossing a border:
- Back up at home.
- Travel with a clean device if your risk justifies it.
- Remove client data.
- Remove saved sessions you do not need.
- Turn off biometric unlock if compelled unlock is a concern in your jurisdiction.
- Know which accounts you can recover later.
This is not about being dramatic. It is about not carrying the breach with you.
The simple travel setup
For most business travel:
- phone hotspot first
- hotel WiFi only when needed
- randomized MAC on
- no hotel certificates
- no hotel apps
- VPN after portal login
- secure DNS
- file sharing off
- separate travel email for junk portals
That setup handles most of the actual risk without turning the trip into a spy novel.
Want a privacy exposure report?
We map exposed names, addresses, phone numbers, broker listings, leaked emails, and public records. You get the short list of what to remove first.
