Signal Decay: Open Wireless Infrastructure in Medina Hospitality Zones

Passive signal mapping conducted across the northern sector of the medina in January 2026 identified forty-three distinct access points within a two-hundred-metre radius of the primary riad cluster. Of these, eleven presented with no authentication layer. Seven retained vendor-default SSIDs consistent with ISP-issued hardware distributed under Morocco's universal broadband expansion programme. Three broadcast guest networks whose traffic was inspectable without credential exchange.

The hospitality operators in this zone share a digital infrastructure baseline that was not designed for their current operational profile. Networks originally provisioned for residential or small retail use have been extended, bridged, and repurposed as properties changed hands or expanded. The result is a layered accumulation of configurations that no single operator fully controls or understands. Staff rotation compounds this: the person who originally provisioned access credentials is, in the majority of cases, no longer employed at the property.

What this creates in practice is a network environment where perimeter assumptions are structurally unsound. A guest device connecting to an open access point in a riad courtyard is, under some configurations, on the same broadcast domain as the property's management systems. Point-of-sale terminals and property management software, where networked, are sometimes reachable from that same segment. The exposure is not the result of negligence in any individual case; it is the accumulated outcome of infrastructure inherited at acquisition and never subjected to a formal review.

From a threat perspective, the relevant actors are not sophisticated state-level operators. The realistic risk population is opportunistic: skimming of credentials and payment data, account enumeration via exposed management interfaces, and the use of compromised property networks as infrastructure for downstream fraud. These are low-sophistication, high-volume operations that require nothing more than proximity and a basic toolkit. Detection is unlikely; remediation after the fact is difficult.

The operational implication for investors and acquiring entities is that network exposure of this type is discoverable before transaction close, through a combination of passive OSINT and a site visit of limited duration. The cost of discovery is low. The cost of inheriting undisclosed exposure through a portfolio acquisition, as the Marriott/Starwood case demonstrated at scale, is substantially higher. The post-close risk burden does not disappear because the acquirer did not understand the inherited technical environment.