Physical Security Threat from Hotel Wi-Fi

by R. Stevens and A. Blum

Most hotels offer in-room wireless Internet service through unprotected, unencrypted access points.

Connecting to these access points places your wireless devices and unencrypted traffic at risk of exposure to malicious users on the network.  The purpose of this article is to make users aware that their physical security is also at risk when staying at hotels that utilize pay-as-you-go Internet services.

This article is not meant to be a "how-to," but is meant to inform consumers about a potential threat and ways to better protect themselves when traveling.  The steps detailed below reflect the authors' experience with what appears to be a common hotel paywall application.

Guests attempting to log into the hotel Wi-Fi are presented with a splash pay-page that asks for hotel room number and last name.  Once these credentials are verified, the guest selects the preferred type of Internet service and the paywall adds the computer's MAC address to the access list.

Utilizing PortSwigger's Burp Proxy, an attacker can capture outbound web traffic and access paid Internet at a guest's expense.

This can be achieved by setting the Burp Proxy to intercept mode and the web browser proxy to Burp.

An arbitrary room and surname combination entered at the pay splash page will establish the base HTTP request.  This request can then be viewed and sent to the Intruder tab.  From Intruder, the attacker can utilize the sniper payload to isolate parameters to the room number and last name form fields.

Simple rules can be created for each form field to reduce the amount of network noise and time required to conduct a successful dictionary attack.  Room number ranges can be easily gleaned from the placards near the elevators on each floor (e.g. 511 through 549).

A dictionary list of the ten most common last names would likely be sufficient for the name field.  With this configuration complete, the attacker can launch Intruder against the splash page and the responses can be monitored.

A successful dictionary attack will usually be indicated by a vastly different response (in our tested case, it was approximately triple the length).  The attacker now can "borrow" the guest's Internet access or take it one step further.

Given the guest's surname and room, it is now possible to obtain room keys using a little social engineering.

An attacker can claim a lost or misplaced key at the front desk and request a new key.  If the hotel staff requests ID, the attacker can claim that they left their wallet in the room as well.  The next responsible step for the hotel staff would be to escort the assumed guest to the room and request photo ID before departing.  However, most hotels have neither the staffing available nor the trained employees to ensure the verification happens.  Personally, the authors were never asked for identification or personal information verification when attempting to gain physical room access.

We recommend that hotels abandon the simple splash pay-page for an encrypted site that requires a little more personal information verification or a valid credit card number.  Hotels should provide better education and enforcement of security policies to help mitigate a majority of the physical risk to hotel patrons.
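
The dictionary attack described above leaves a recognizable pattern in the paywall's own logs: one MAC address submitting many different room and surname pairs in a short time.  The following Python detection logic is an added example, not from the original article or any paywall product; the log format, function name, thresholds and sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed portal log format (constructed for this example, not a real product's).
LINE = re.compile(
    r"(?P<ts>\S+) mac=(?P<mac>\S+) room=(?P<room>\S+) "
    r"surname=(?P<surname>\S+) result=(?P<result>ok|fail)"
)

# Constructed sample: one guest who mistypes once, one client cycling rooms.
SAMPLE_LOG = [
    "2024-03-01T22:01:10 mac=02:00:00:00:00:0a room=302 surname=nguyn result=fail",
    "2024-03-01T22:01:40 mac=02:00:00:00:00:0a room=302 surname=nguyen result=ok",
    "2024-03-01T22:14:01 mac=02:00:00:00:00:0b room=511 surname=smith result=fail",
    "2024-03-01T22:14:02 mac=02:00:00:00:00:0b room=512 surname=smith result=fail",
    "2024-03-01T22:14:03 mac=02:00:00:00:00:0b room=513 surname=smith result=fail",
    "2024-03-01T22:14:04 mac=02:00:00:00:00:0b room=514 surname=smith result=fail",
    "2024-03-01T22:14:05 mac=02:00:00:00:00:0b room=515 surname=smith result=fail",
    "2024-03-01T22:14:06 mac=02:00:00:00:00:0b room=516 surname=smith result=ok",
]

def find_enumeration(lines, window=timedelta(minutes=5), max_distinct=4):
    """Return (suspect_macs, rooms_to_review).

    A MAC becomes suspect once it has tried more than max_distinct different
    (room, surname) pairs inside the sliding window. Every successful
    verification by an already-suspect MAC is returned so the room's bill
    can be reviewed for charges the guest did not make.
    """
    recent = defaultdict(deque)      # mac -> deque of (time, (room, surname))
    suspects, review = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                 # skip unrelated or malformed lines
        ts = datetime.fromisoformat(m["ts"])
        mac = m["mac"].lower()
        pair = (m["room"], m["surname"].lower())
        q = recent[mac]
        q.append((ts, pair))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop attempts older than the window
        if len({p for _, p in q}) > max_distinct:
            suspects.add(mac)
        if m["result"] == "ok" and mac in suspects:
            review.append((mac, m["room"]))
    return suspects, review
```

Rooms returned for review are the ones whose check-out receipts should be inspected for Wi-Fi charges the guest does not recognize.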

As of right now, there are no measures in place to protect guests against fraudulent Wi-Fi charges caused by this dictionary attack methodology.  Guests should inspect their check-out receipt for any charges that they do not recognize.  Normally the staffers at the front desk will remove the charge with no questions asked.  We recommend that guests assume an active role in their own protection by informing the hotel front desk not to issue any additional room keys without valid identification.  They should also utilize the door deadbolt when inside their room and store high-value items in the room's safe.

Safe travels.

Burp Proxy is available for download at: www.portswigger.net/burp/proxy.html
