Case study: Howard Johnson Hotel – how NOT to sell your Wifi

Few things are more annoying than hotels that think they need to earn some extra cash by charging people for wireless internet. Given the low to nonexistent cost of providing the service, by the same logic they should also charge for warm water or fresh air.

In the case of a local Howard-Johnson (HoJo) hotel, the wifi’s paywall was so badly implemented that it actually posed a threat to the rest of the hotel. Below, I will describe 4 options anyone can use to get free internet at this particular hotel. Let’s start from the beginning:

Login page

When connecting for the first time, the user is redirected to a captive portal and asked to enter a username and password. Those can be obtained from the reception. This system causes extra work for hotel staff and simply annoys guests. I didn’t pay for the service, so I don’t know whether they send someone to your room with a little slip of paper or tell you the password over the phone. Both ways are just plain user-unfriendly.

Now let’s switch from the usability aspect to the security aspect. The Wifi is open and unencrypted. As a result, everyone with a computer can record traffic within their reach. If a user were to enter his newly obtained username and password, it would be quite easy for a hacker to steal the code or even kick a legitimate customer out of the network before he can even hit enter. Or maybe use the same login data later. A better way would be to use SSL encryption for the login page.

Option 1: Sniff login from other guests.

Portal server

The next weakness I discovered was the captive portal server. From numerous SMB/CIFS shares it was easy to see that the hotel was using a Windows machine for its portal and even DHCP. The shared folders were not password-protected and had some promotion material and pirated Adobe software. Yes, you read that right. The hotel decided to charge guests for Wifi, but still gave them Photoshop for free…

Option 2: Forget anything you were about to do online and grab Photoshop and Microsoft Office instead.

Windows Patches

At that point, I decided to run a quick port scan on the portal server to check the OS version and open ports. There were many open ports and the machine seemed to be a Windows XP machine. With support for XP running out next year, it would be about time to replace it. Fortunately for the hotel, they don’t depend on Microsoft’s patching policy, as no updates were installed on this machine, ever. Every single security hole of the last 10 years was still present and unpatched. I felt like I was in an exploit workshop, where some targets are deliberately left unpatched for students to try out new techniques.

Another vulnerability scan confirmed most security holes. I didn’t run any exploits against the machine, but if someone did, he might find even more security issues. Guest credit card data? Database to generate Wifi-codes? Reservation system?

Option 3: Exploit captive portal machine and generate your own login-data.

Unfiltered DNS traffic

For a captive portal to work, the client needs an IP address and the permission to send/receive DNS requests. I never implemented such a setup myself, but if not done right, users can disguise their traffic as DNS requests and circumvent the portal restrictions altogether. Unsurprisingly, this method also worked at HoJo.

Option 4: Hide your traffic in DNS-requests.
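
A defender's view of Option 4, as an added example that is not from the original post: flag clients that, before logging in, send many distinct long, random-looking subdomains to a single domain. The log format, thresholds, IP addresses and domain names are constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

def _chunk(i):
    # Constructed stand-in for an encoded payload chunk (40 hex characters).
    return hashlib.sha256(str(i).encode()).hexdigest()[:40]

# Constructed pre-authentication DNS log: (client IP, queried name).
SAMPLE_QUERIES = (
    [("10.0.0.21", n) for n in ("www.example.com", "mail.example.org", "portal.hotel.example")]
    + [("10.0.0.22", _chunk("cdn") + ".cdn.example.net")]  # one long name only
    + [("10.0.0.37", _chunk(i) + ".t.tunnel.example") for i in range(6)]
)

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def base_domain(qname, labels=2):
    # Simplification: treats the last two labels as the registered domain
    # instead of consulting the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-labels:])

def suspicious_clients(queries, min_unique=4, min_len=30, min_entropy=3.0):
    """Return the set of (client, base domain) pairs that sent at least
    min_unique distinct long, high-entropy subdomains to one domain."""
    seen = defaultdict(set)
    for client, qname in queries:
        name = qname.lower().rstrip(".")
        base = base_domain(name)
        sub = name[: -len(base)].rstrip(".")
        if len(sub) >= min_len and entropy(sub.replace(".", "")) >= min_entropy:
            seen[(client, base)].add(sub)
    return {pair for pair, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for client, domain in sorted(suspicious_clients(SAMPLE_QUERIES)):
        print(f"{client} -> {domain}: likely DNS tunnelling before login")
```

The single long name from 10.0.0.22 is not flagged because it stays below `min_unique`; the structural fix is to let unauthenticated clients reach only the portal's own resolver and have it answer every name with the portal address until login.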

Conclusion

If you really feel the need to charge your guests extra for something everyone uses and which is virtually free for you, think about possible security and usability implications. Getting this kind of access restriction right is not easy. Chances are that the whole access procedure will cost more than the money you pay for your DSL subscription.