Monday, September 15th, 2008

Hostile Hotel Networks?!?!

Dark Reading recently had an interesting article related to the security of Hotel networks; you can find the article I’m talking about here.

As I read the article… I couldn’t help but smile… the article made it seem like Hotels have horribly insecure networks!  The truth is, THEY DO…along with airports, coffee shops, bookstores and pretty much ANY PLACE that offers up connectivity!

Some people fail to understand that when you join ANY network, you’re trusting that everyone on the network is playing nicely.  Many of the protocols that enable our network connectivity WERE NOT DESIGNED TO SECURELY SUPPORT THE SCENARIOS WE DEMAND TODAY.  Take, for example, Address Resolution Protocol (ARP).  ARP is the one protocol that really makes me paranoid.  The details of how ARP works and how it can be used to do evil are way beyond the scope of this post, but you can find some good information here, here, and here.

The ARP abuses I’m most interested in are ARP Poisoning attacks.  These attacks basically allow me to Man-in-the-Middle (MITM) network connections, typically from a victim’s machine to their gateway.  Now ARP poisoning attacks have one MAJOR drawback (from an attacker standpoint), they typically require the victim to be on the same network as the attacker (in layman’s terms).  Ask yourself this question…. why would I ever join an un-trusted network and possibly subject myself to such attacks? 

Surprisingly, people join un-trusted networks all the time.  If you’ve ever associated to a wireless access point at a coffee shop, hotel, bookstore, or an airport…. you’ve joined an un-trusted network… IT’S THAT SIMPLE.  Just because the SSID and the welcome page have a familiar name/logo that you trust, THAT DOESN’T MEAN THAT YOU CAN TRUST EVERYONE ELSE CONNECTED TO THAT NETWORK, and if you can’t trust everyone connected to the network, then you’ve got yourself an un-trusted network.  Now, MITM on “secure” connections (SSL aka HTTPS) usually causes a warning to appear (every major browser has this protection mechanism in place), and while I haven’t seen any studies on click through rate, I would guess that it’s pretty high.

Airports are a PRIME target for MITM, as they are typically filled with people using the available wireless access points to do business.  Many of these people are not technically savvy and more importantly, THEY ARE IN A HURRY, which brings them to push past warning message after warning message in order to “get this out before my plane leaves!”  If someone wanted to harvest a TON of sensitive information (creds to banking accounts, usernames, passwords, emails… everything you can possibly imagine), all they would have to do is connect to the airport wireless network, ARP poison every host they see… and let the creds roll in.  It’s that simple… trust me…  I’ve seen it firsthand…  I can guarantee that you’ll have someone’s creds within 5 minutes…

Security pros will argue, “you can use a VPN” and they are right.  If you are a corporate user, you shouldn’t even THINK about sending anything through an external, un-trusted network unless it’s through the VPN… but what about the home user?  What about mom and pop, traveling on vacation… where is their VPN?  Judging from the success of these attacks, even if a stern warning is presented, many users just ignore the warnings and continue on their merry way.  Scores of software will silently ignore certificate warnings, happily passing information onto a suspect host.  Besides, those warnings are only displayed when encryption is in play, so that unsuspecting user that is browsing their webmail over HTTP gets their session stolen without warning.  It’s truly amazing how noisy our computers have become, spitting out all sorts of info… trusting that everyone else on the network is playing nicely.

Let’s say you understand the risks of MITM and you have to email something out before your plane leaves.  You attempt to connect to your VPN server and you see a certificate warning.  You suspect that someone may have an MITM against you using ARP Poisoning… what can you do to protect yourself and still get the email out?
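
One way to check that suspicion from your own machine, as an added example that is not part of the original post: compare two snapshots of the Linux ARP cache (`/proc/net/arp` format) and flag a gateway whose MAC has changed or is shared with another host. The addresses, MACs and function names below are constructed for illustration.

```python
"""Spot likely ARP cache poisoning from Linux /proc/net/arp snapshots."""
from collections import defaultdict

# Constructed sample data (documentation addresses, made-up MACs).
BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:1a:2b:3c:4d:5e     *        wlan0
192.0.2.23       0x1         0x2         3c:22:fb:10:20:30     *        wlan0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         3c:22:fb:10:20:30     *        wlan0
192.0.2.23       0x1         0x2         3c:22:fb:10:20:30     *        wlan0
"""

def parse_arp_table(text):
    """Return {ip: mac} for complete entries in /proc/net/arp-style text."""
    table = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw, flags, mac = fields[:4]
        # Flags 0x0 or an all-zero MAC means the entry is still unresolved.
        if int(flags, 16) == 0 or mac == "00:00:00:00:00:00":
            continue
        table[ip] = mac.lower()
    return table

def check_gateway(baseline, current, gateway_ip):
    """Compare two ARP tables and return a list of warning strings."""
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if new is None:
        return ["gateway %s has no resolved ARP entry" % gateway_ip]
    warnings = []
    if old and old != new:
        warnings.append("gateway %s moved from %s to %s" % (gateway_ip, old, new))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    shared = sorted(ip for ip in by_mac[new] if ip != gateway_ip)
    if shared:
        warnings.append("gateway MAC %s also claimed by %s" % (new, ", ".join(shared)))
    return warnings

if __name__ == "__main__":
    for w in check_gateway(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.0.2.1"):
        print("WARNING:", w)
```

A gateway MAC can also change for legitimate reasons (roaming to another access point, router failover), so a warning here is a reason to stop and investigate, not proof of an attack.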

Posted by xssniper | Filed in Network Security

13 Responses to “Hostile Hotel Networks?!?!”

  1. September 15th, 2008 at 4:04 am

    Andre Gironda said:

    I think GARP has advantages over arp poisoning

    If you’re looking for something similar to airpwn, but for wired-ethernet, look no further than Ettercap filters

    If you want to defend yourself, use HotSpotVpn (or Tor if you can live with the high latency), but also realize that these are not safe on the egress either. If you have an endpoint that you trust (or you rent one from a cloud-computer vendor such as Amazon EC2), you could instead use client-cert based OpenVPN

    WEP is a sad thing; I’m sorry to say that it is going to get worse before it gets better for these networks. AirDefense and others may extend their pre-pwned lifetime somewhat. Scapy scripts using p.haslayer can check for reinjections, Dot11Deauth/Dot11Disas packets, and other factors.

    I prefer client-side cert based WPA-Enterprise (EAP-TLS), or possibly per-client/MAC keys using HostAP with WPA-Personal — this way everyone has their own traffic individually protected until their client-cert or key is stolen.

    What probably needs to happen is some sort of system that provides an SSL portal that allows setup of ad-hoc HostAP-style WPA-Personal PSK’s. I think WPA-Enterprise and OpenVPN are not good long-term, mass-market solutions to this problem. I have heard that some AP’s support something similar to per-client/MAC WPA PSK’s as found in HostAP, but someone should start populating a master list, bringing awareness to this issue, and engaging the right people to make the right changes.

  2. September 15th, 2008 at 3:59 pm

    Branden Williams said:

    Wireless has always been one of those fun areas to play in. The amount of trust that people have in networks is absolutely absurd.

    One of my favorite stories on wireless was watching someone pull salaries and SSNs of employees at a particular hotel. All picked up off of an open wireless network and open share.

  3. September 15th, 2008 at 7:35 pm

    Onur Yirmibesoglu said:

    Immediately a new product springs to mind. Client-to-Site VPN service for personal users. And of course, in the days of web 2.0 somebody has already thought of it:

    No information on technical specs of encryption or security. And a little vague in terms of privacy policy. I will not give my personal info for a trial without these requirements. Too bad, could have been a killer web 2.0 idea.

  4. September 16th, 2008 at 8:20 am

    John O'Neill said:

    I agree, public networks are a real danger. The question is, what do you do when you are out and about? If you absolutely have to connect and the only available connection is absolutely open is there anything you can do to enjoy the benefits of mobile web while remaining protected at local laptop level?
    The only realistic answer I can think of is to carry a mobile connect card and avoid public networks completely.
    This of course does not address the issue of being out and about with no laptop and using a public system…

  5. September 16th, 2008 at 10:29 am

    xssniper said:

    @Branden & @John,

    Agreed… people place WAY too much trust into wireless networks. I know a lot of people who are moving to mobile connect cards or use their cell phone as a tether, but if the phone supports (or applications on the phone support) the same protocols (ARP, HTTP, SMTP, FTP …etc) we’re still screwed :)

    Hmmm Cell Phone networks… what an interesting research topic :)

  6. September 16th, 2008 at 11:56 pm

    Dan said:


    I notice that they only support “Windows 2000, XP or Vista® OS (64bit OS not supported)”. That knocks out a lot of people. Not the majority, just a lot.

    And they require .Net – a bit of a sore spot…

  7. September 25th, 2008 at 10:44 pm

    Gunblad3 said:

    With regards to your ending question:

    Use PGP to encrypt the email before sending it out 😉

  8. October 28th, 2008 at 10:58 am

    personal vpn said:

    I’m using a vpn account from another personal vpn service called VPN Privacy when I work at public wi-fi zones. It’s faster than hotspot for me.

  9. March 28th, 2009 at 4:58 am

    Penn Williams said:

    All Personal VPN’s are not created equal. PPTP based ones tend to go down without letting you know about it. Leaving you surfing wide open without notice. OpenVPN based Personal VPN’s are much better and faster since they use UDP instead of TCP. I suggest an OpenVPN based solution like Surfbouncer Personal VPN.

  10. April 16th, 2009 at 11:39 am

    Andre Gironda said:

    I just read Chapter 2 of “Beautiful Security” which was contributed to the book by Jim Stickley of TraceSecurity.

    The chapter, Wireless Networking: Fertile Ground for Social Engineering, discusses an approach to certify wireless hubs using our current CA infrastructures (just like S/MIME for email or SSL/TLS certs for websites).

    Curious to hear your thoughts on this or to hear who might be working on such an improvement?

  11. September 16th, 2009 at 2:14 am

    phuzz said:

    Q: So if you’re at an airport and you suspect someone is sniffing your traffic, what do you do?

    A: Visit, then look around for the bloke with a shocked/pained expression on his face, smash his laptop over his head, and go forth and browse in safety.


  12. July 19th, 2010 at 7:57 pm

    Super VPN Service said:

    I changed many providers for VPN…
    So far the best for me is and the best thing is that they offer option for free vpn account without any limits.

  13. December 21st, 2011 at 5:42 am

    N0F3@r snwl ita said:

    VPN … in some cases also the VPN can be compromised but is already a good step.
    a “route all” vpn that permit to use the internet ONLY going via the main personal firewall is one of the good solutions.
    SNWL provide is as per a lot of other vendors BUT the problem are people NOT understanding it …
    thanks for sharing culture !
