
Hotel Wifi JavaScript Injection - phwd
http://justinsomnia.org/2012/04/hotel-wifi-javascript-injection/
======
henryl
I am a co-founder at a startup that does advertising on WiFi networks. We only
run advertising before you connect (when you are in a captive portal), without
the use of proxying.

Before anyone overreacts to this article, it would be beneficial to understand
the hospitality space. The hotel you stayed at is most likely owned by a
franchise group and operated by a GM. GMs are responsible for contracting
their own networking services with Hotel WiFi Operators such as the one
mentioned here. As such, a major hotel brand such as Marriott may use
_hundreds_ of WiFi operators. WiFi operators range in size, managing anywhere
between one property to tens of thousands. The vast majority of these
operators do not leverage javascript injection.

The ones that resort to proxied ad injection do so because hotel IT is a thin-
margin business. WiFi is considered a cost center but is tolerated because it
is the number one amenity requested by guests. Operators will sometimes offer
a discounted service fee to the hotel GM in exchange for mid-stream ads,
although, in this case, it is just as likely that the hotel GM is unaware of
this. It is almost absolutely certain that Marriott is unaware of this. Even
if they were made aware, the power balance between the brand and the
franchisee is not clearly defined with regards to WiFi.

As much as I dislike ad injection, it is important to note that public WiFi is
_never safe_ unless you are using a VPN. It is offered as an amenity, one that
GMs would be more than happy to get rid of if they could. Unlike with your
broadband ISP, you have logged into a privately operated network. You are
probably not paying for it. You are subject to their rules. Furthermore, when
you signed onto the WiFi network, you most likely had to check a checkbox
indicating your agreement to the terms of their network (which no one ever
reads). As such, caveat emptor, etc.

~~~
lucianof
"Beds are considered a cost center but are tolerated because they are the
number one amenity requested by guests."

WiFi is just as much part of the service a modern hotel provides as a clean
bed, nice breakfast and whatever else they might advertise. Why isn't it
treated like that? Why aren't they putting ads on my pillow?

~~~
henryl
Not on your pillow but definitely on your TV, on your desk, on your room key,
...

Thought exercise: If you took away the WiFi, you would still have a hotel. If
you took away the bed, you would have ____.

~~~
derleth
A personal WiFi connected quiet space that rents by the hour?

------
minimax
The hotel wifi service provider business is (and has been for 5+ years) a
really crummy race to the bottom. Hotels don't want to do it themselves. They
can't really; they don't have the talent in-house. It's fairly expensive to do
correctly. Most hotels weren't built with cat-5 installed, so you have to pay
someone to go do that. Then you have to install a bunch of networking gear
which isn't cheap. Then you have to pay someone to monitor it all and come out
and fix it when it goes down. You probably also want some 1-800 number your
guests can call when they can't get on-line. The costs add up pretty quickly.

So how do you pay for it all? You're in a hotels.com price war with all your
competitors, so you can't just raise room rates. Your customers will get
pissed off if you tell them they have to pay extra for wifi. So eventually
some genius comes along and gives you this brilliant idea that will make wifi
pay for itself, and this is what you get.

~~~
yuhong
Note however this is happening at a Marriott hotel.

~~~
minimax
See excellent comment from henryl on the hotel business. He's spot on.

Marriott is a franchise business. That is, they don't own the hotels. They
license the brand to hotel owners or operating groups. Most hotel brands work
this way. Some hotel brands require their owners to use a specific wifi
provider or choose from a list of approved providers. Other brands let their
owners do whatever they want.

In this case you can see that the owner opted for a presumably low-cost
provider that hoped to recoup its costs by displaying ads this way.

~~~
gonzo
Henryl is incorrect in places (places that matter).

Marriott owns hotels, but they don't own every hotel with a Marriott brand on
top.

Hotel "brands" can NOT dictate providers AT ALL. To do so runs afoul of
antitrust law. They _CAN_ issue a "brand standard" that you have to have WiFi,
and it has to be at least "this good" (insert specification).

Now, where the hotels are OWNED (by any party) the OWNER can dictate whatever
the hell she wants.

And Marriott most certainly does own a large percentage of the hotels that
sport their brand.

------
MiguelHudnandez
There is nothing related to WiFi in this system. The hotel is running the
traffic through a _transparent proxy_ which is performing MITM "attacks" to
disable ads from providers and show their own ads.

It is icky for all sorts of reasons. I suppose an individual website could
consider it theft of ad revenue, and an end-user could consider their privacy
invaded.

~~~
gonzo
transparent proxy?

no, they just need to intercept all the port 80 traffic.

~~~
MiguelHudnandez
Intercepting port 80 traffic is exactly what a transparent proxy does.
<http://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy>

They call it transparent because the client does not need to support using a
proxy server or even be aware that it is happening.

Transparent proxies are common at corporations that filter web browsing. It is
harder to circumvent than DNS blocking.

I suppose that it is no longer a _transparent_ proxy once it starts modifying
the requests or responses. But even transparent proxies generally serve an
error message in some cases, like when a domain name doesn't exist or a server
does not respond on port 80. So they are rarely, if ever, fully transparent.

------
olalonde
My ISP also does this. Once in a while I get a pop-over ad in the bottom right
corner of HN. As a matter of fact, I just got a pop-up to this ad:
<http://219.238.235.221/shenzhenyocc/swf.html>

~~~
ceol
Which ISP are you using?

~~~
olalonde
Some Chinese ISP, I think it's called China Telecom.

~~~
briandear
China Telecom does this routinely.

------
mcpherrinm
This is yet another reason I'm glad that SPDY mandates TLS encryption.
Shenanigans like this get a lot harder.

I'm hoping we see a lot more SPDY (or plain https) rollouts in the near
future.

It's enough that I'm going to try now to https-ify all of my web properties,
including adding HTTP Strict Transport Security headers where they aren't.

~~~
TazeTSchnitzel
My personal site, for various reasons including this one, is entirely HTTPS.
If you try to access any part of my site by HTTP, you're just redirected to
HTTPS.

(this is mostly because I'm too lazy to maintain separate site configurations
for HTTPS and HTTP)

~~~
trapexit
Make sure you also set the Strict-Transport-Security header to prevent attacks
against the HTTP-to-HTTPS redirect.
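
The two things trapexit and TazeTSchnitzel are talking about, the HTTP-to-HTTPS
redirect and the Strict-Transport-Security header that stops an in-path proxy
from quietly intercepting that first plain-HTTP hop, can be checked
mechanically. The following is an added Python example, not code from anyone
in this thread or from any site mentioned here. The sample responses are
constructed, `example.com` is a placeholder, and the one-year `MIN_MAX_AGE`
threshold is this example's own choice rather than a value the thread gives.

```python
from urllib.parse import urlsplit

# The example's own threshold for "long enough": one year, in seconds.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives.
    Names are case-insensitive and may be quoted; unknown ones are kept."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False, "unknown": []}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"bad max-age: {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        else:
            policy["unknown"].append(name)
    return policy


def _header(headers, wanted):
    """Case-insensitive header lookup; returns None when absent."""
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def audit_hsts(scheme, headers, min_age=MIN_MAX_AGE):
    """Findings for the HTTPS side: is the policy present, honoured and strong?"""
    value = _header(headers, "strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    if scheme != "https":
        # RFC 6797 tells user agents to ignore the header on a non-secure
        # transport, so sending it only from the http listener does nothing.
        findings.append("HSTS sent over http; browsers ignore it there")
    policy = parse_hsts(value)
    if policy["max_age"] is None:
        findings.append("max-age missing; header is invalid")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 deletes the policy")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} below {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set; subdomains stay strippable")
    return findings


def audit_redirect(request_url, status, headers):
    """Findings for the plain-HTTP hop. Until the browser has seen HSTS this
    hop is the one an in-path proxy can rewrite, so it should be permanent,
    go to https on the same host, and keep the path and query."""
    findings = []
    if status not in (301, 308):
        findings.append(f"status {status}; use 301/308 so the redirect is cached")
    location = _header(headers, "location")
    if location is None:
        return findings + ["no Location header"]
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append("redirect target is not https")
    if dst.hostname != src.hostname:
        findings.append("redirect changes host")
    if (dst.path, dst.query) != (src.path, src.query):
        findings.append("redirect drops path or query")
    return findings


def audit(url, status, headers):
    """Pick the right check from the scheme of the URL that was requested."""
    scheme = urlsplit(url).scheme
    if scheme == "http":
        return audit_redirect(url, status, headers)
    return audit_hsts(scheme, headers)


# Constructed responses; none were captured from a real server.
WEAK_HOP = dict(url="http://example.com/docs?x=1", status=302,
                headers={"Location": "https://example.com/"})
GOOD_HOP = dict(url="http://example.com/docs?x=1", status=301,
                headers={"Location": "https://example.com/docs?x=1"})
GOOD_TLS = dict(url="https://example.com/docs?x=1", status=200,
                headers={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})

if __name__ == "__main__":
    for name, resp in (("weak hop", WEAK_HOP), ("good hop", GOOD_HOP), ("good tls", GOOD_TLS)):
        print(name, audit(**resp) or "ok")
```

The redirect check only matters for a browser that has never seen the site's
HSTS policy; once the policy is cached the browser never sends the plain-HTTP
request, which is exactly why the header has to be served (over HTTPS) and not
just the redirect.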

------
SeoxyS
This is one of the many reasons to use an extension that forces SSL on every
website that supports it.

It's possible to MITM SSL, but it would throw all kinds of security warnings
on the client and prevent this kind of tampering.

Note: I'd recommend SSH tunneling, or using a VPN, but there's quite a bit
more work involved here, so for the install-and-forget crowd, SSL is already a
huge improvement.

~~~
Steko
relevant:

<https://www.eff.org/https-everywhere>

~~~
Genmutant
Also: <https://code.google.com/p/https-finder/>

HTTPS Finder automatically detects and enforces valid HTTPS connections as you
browse, as well as automating the rule creation process for HTTPS-Everywhere.

------
aaronharnly
Wow, that is very gnarly. I love that "Web experience manipulation" is listed
as a _feature_ on this page:

<http://rgnets.com/index.php?page=features>

~~~
gresrun
The original "web experience manipulation":
<http://www.ex-parrot.com/~pete/upside-down-ternet.html>

------
epochwolf
I was part of a startup 5 years ago that built something identical to this for
hotels. We used privoxy and a regex of doom targeting the <title> tag to
inject javascript that would add flash toolbar on the bottom of the page you
were viewing. It would show local ads and allow access to some hotel services.

Worked surprisingly well but I'm glad it never took off. I don't think I could
have forgiven myself for being responsible for what would come of that.
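
What MiguelHudnandez describes (an in-path proxy on port 80 that is no longer
transparent once it edits responses) and what epochwolf built (privoxy with a
regex on the <title> tag injecting a script) is the same rewrite, so here is
one added Python example that does it and also shows the client-side check
that catches it. This is not code from the article, from the hotel's provider,
from privoxy, or from anyone in the thread. The sample page, the `ads.example`
host in the injected tag and the canary hash are all constructed for the
example. The part that steers a guest's port 80 traffic into the proxy in the
first place (a NAT redirect on the gateway) is outside this snippet.

```python
import hashlib
import re

# Hypothetical ad host used for the injected tag; an assumption for this
# example, not the operator's real script from the article.
INJECTED_TAG = b'<script src="http://ads.example/inject.js"></script>'

# The privoxy-style "regex of doom": the closing </title> tag, matched
# case-insensitively with optional whitespace, so <TITLE> pages get hit too.
TITLE_RE = re.compile(rb"</\s*title\s*>", re.IGNORECASE)


def build_response(body, content_type=b"text/html; charset=utf-8"):
    """Assemble a minimal HTTP/1.1 response with a correct Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: " + content_type + b"\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def split_response(raw):
    """Split a raw response into (status line, {lowercased name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inject_script(raw):
    """What the in-path proxy does on the way back to the client: if the
    response is HTML it can safely edit, insert the script tag right after
    </title> and fix Content-Length. Non-HTML, compressed or chunked bodies
    are passed through unchanged (a real proxy would have to decompress or
    de-chunk first, or it would corrupt the page)."""
    status, headers, body = split_response(raw)
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return raw
    if b"content-encoding" in headers or headers.get(b"transfer-encoding") == b"chunked":
        return raw
    new_body, hits = TITLE_RE.subn(lambda m: m.group(0) + INJECTED_TAG, body, count=1)
    if hits == 0:
        return raw
    # Rebuild the head. Header names are case-insensitive, so emitting the
    # lowercased ones is fine; the one that must change is Content-Length,
    # otherwise the client truncates the page or waits for bytes that never come.
    out = [status]
    for name, value in headers.items():
        if name == b"content-length":
            value = str(len(new_body)).encode()
        out.append(name + b": " + value)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


def canary_tampered(received_body, expected_sha256):
    """Client-side detection: request a small static file you control over
    plain HTTP, whose SHA-256 you already know, and compare. Any in-path
    rewrite of the body shows up as a hash mismatch."""
    return hashlib.sha256(received_body).hexdigest() != expected_sha256


# Constructed sample page (not captured from the hotel network).
PAGE = (b"<html><head><TITLE>Example</TITLE></head>"
        b"<body><p>Hello from the origin server.</p></body></html>")
ORIGINAL = build_response(PAGE)
KNOWN_HASH = hashlib.sha256(PAGE).hexdigest()  # what the client knows out of band


def demo():
    """Run the proxy over the sample response and report what the client sees."""
    tampered = inject_script(ORIGINAL)
    _, hdrs, body = split_response(tampered)
    json_raw = build_response(b'{"ok": true}', b"application/json")
    return {
        "injected": INJECTED_TAG in body,
        "length_consistent": int(hdrs[b"content-length"]) == len(body),
        "canary_detects": canary_tampered(body, KNOWN_HASH),
        "clean_passes": not canary_tampered(PAGE, KNOWN_HASH),
        "json_untouched": inject_script(json_raw) == json_raw,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pass-through branches are where such proxies usually show their hand:
gzip-encoded and chunked responses either get skipped (so the injection is
inconsistent from page to page) or get mangled. The canary check only has
something to detect over plain HTTP; over HTTPS the proxy never sees the
body, which is the point the SPDY and HSTS comments above are making.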

------
blo
It's likely that the issue is due to that specific hotel / ISP instead of
blaming the entire Marriott chain. In fact, you could contact Marriott for
them to investigate.

Hotel chains usually have brand standards relating to internet access, so this
particular install may be in violation. For example, I know the Hilton chain
requires its (newer) hotels to use AT&T, so it's unlikely there's tampering
from the ISP/provider standpoint (though MITM attacks are still possible so
always use a VPN).

------
blakeperdue
Is it legal to manipulate web traffic like this? I would assume some companies
who depend on ads (e.g., NYTimes.com) would object, perhaps with a lawsuit, to
ISPs or other imitation ISPs (i.e., hotels) removing the original NYTimes ads
and replacing them with their own.

~~~
elliottcarlson
The same can then be said for using an ad-blocker - are you denying
NYTimes.com revenue by blocking their ads?

------
mmahemoff
This is BS in 2012. Hotels need to treat internet access like running water
and make it at least as good as what people get at home. Especially when you
consider many people in hotels are subject to international roaming fees if
they resort to their mobiles.

Even in higher-end hotels, you get a shoddy experience, and not just this ad
injection. Weird login dialogs every few hours and restricting access to one
device. Outrageous fees. Lack of transparency on bookings websites about
availability and pricing. And once you're online, good luck trying to watch a
video or getting any work done, the connection's often too slow to do anything
but check a few emails.

I really hope AirBNB puts pressure on the hotels to get their act together.
You stay in someone's house for $40 and you get a much better experience than
a $200 hotel room. The whole situation is why I recently made the decision to
use AirBNB instead of hotels whenever practical.

~~~
gonzo
funny, back in 1999 I predicted that "for pay" hotel wifi would be the new
equivalent of pay toilets.

------
Splines
This is a slimy practice, but what I wouldn't mind, _at all_, are ads when
I first connect to the AP. Make me watch a video, or let me click through a
few pages of ads for local services - if I'm at a hotel, I'm likely from
out-of-town and am interested in nearby restaurants and tourist destinations.
Show them to me! It's likely that I'm using the internet to look those up
anyway.

Being sneaky about it and hiding local ads in the banners of other websites
is:

a) Rude, and

b) Unlikely to work, since I ignore those banner ads anyway. Even if I saw
those ads, I'd be highly suspicious of it (in a "10 local girls are interested
in talking to you!" sort of way).

Talk about an opportunity lost. Look at Starbucks' free wifi sign-on page.
It's nice to look at. Do the same thing, and it's alright, put some ads on
there. I don't mind.

------
dotBen
Yet another reason to run a VPN over any unknown network, such as hotel wifi.
Aside from people sniffing your traffic it will also protect you from MITM
attacks - be they benign like this or potentially more serious.

~~~
idupree
Who do you (anyone) suggest as a reputable VPN provider?

~~~
idupree
I found a list of VPN providers:
<http://lifehacker.com/5759186/five-best-vpn-service-providers>
It is kind of terrible though: all the cheaper ones are PPTP-only, and PPTP is
insecure. Security is why I'd want a VPN!

Some of the comments on that article suggest running your own OpenVPN instance
on Amazon EC2 or other VPS. If the EC2 suggestion works, it looks reasonably
priced (at least as long as you don't use it all day every day).

------
barrkel
You made the mistake of staying at an expensive hotel. Expensive hotels
generally have the most gouging internet setups, whether it's silly high
prices, or MITM ad revenue takeovers like here.

~~~
Steko
I think $368 a night is pretty middle of the road for Manhattan.

~~~
barrkel
Sure; the cost of your hotel is largely a function of where it is located.

------
stevenys
Singapore Free WiFi Wireless@SG was doing this for a period of time! Serving
all pages as an HTML frame page and putting adverts in the bottom frame.

I have yet to see any for a while, but I guess it is more due to the lack of
advertisers.

------
wangarific
Hrm... so they charge for wifi access and then inject ads on every page you
visit?

------
mcgwiz
My workaround, whenever I can't tether to my mobile phone and must use an
untrusted hotspot, is to route all traffic over OpenVPN to the server running
in my home.

------
raphman
I've also seen a hotel in Canada proxying all e-mail one sends unencrypted via
port 25. One more reason to use a VPN in hotels.

------
noonespecial
One of many reasons I don't connect to public _anything_ without using
openvpn to carry my traffic.

------
briandear
The real question is if the OP's blog was hacked by terrible designers. What a
hard-to-read site.

------
zenlikethat
Wow. This is a new low.

------
joejohnson
Hotel Wifi JavaScript Injection sounds like a prog rock act.

