Hacker News new | comments | ask | show | jobs | submit login
A Map of Wireless Passwords from Airports and Lounges (foxnomad.com)
316 points by tzury 6 months ago | hide | past | web | favorite | 120 comments



I needed to connect an Apple TV to a blocked wifi at a hotel, Just sharing, here are the instructions using a macbook to get past hotspot auth, since there isn't a browser on an Apple TV

1. Disconnect from ap by option+click status bar wifi icon

2. Write down your current wifi mac address

  ifconfig en0 | grep ether
3. Switch macbook to Apple TV mac address

  sudo ifconfig en0 ether [apple tv mac address]
4. Connect to wifi, authenticate, then disconnect from ap with option+click again

5. Switch back to original mac address

  sudo ifconfig en0 ether [original macbook mac address]
6. Connect apple tv to wifi ap normally


> ... blocked wifi ...

I use Hootoos when travelling. They combine a powerbank with a tiny MIPS device creating a wifi hotspot. Then upstream it can either connect to a wifi network or ethernet. It does NAT etc between the two.

The massive advantage is that my devices all know about the hootoo wifi network. I then just have to connect the hootoo to the upstream network which is easy, and you can do browser logins etc from behind it.

This is the model I like: https://www.hootoo.com/hootoo-tripmate-ht-tm05-wireless-rout...


Thank You! I have been trying to figure this out to connect to xfinity hotspots


Cheers. It was a ceremony before of hacks/ethernet before. This just works and no extra gear.


I'm not sure this is a good thing to do, but airports that don't have free open wifi annoy me. It's so useful to have internet access when you arrive in a foreign country, for figuring out how to get into the city, or to communicate with a hotel etc, and sometimes its unfeasible to use your own sim abroad. It just seems a petty thing for airports to do, to try and make a few dollars or euros or pounds that way.


I also hate people who put an open wifi requiring an SMS token in an Airport... You know, the only place where you have a good chance of your SIM Card not working for being abroad...


Exactly! I'm looking at you, Delhi Airport! The f'n morons advertise "free wifi! free wifi!!" everywhere, but when you actually want to use it, they demand a phone number to send an SMS message. Are the people in charge there really that clueless??


I got burned by this exactly a couple of years ago. Flight into Delhi was delayed, desperately needed wifi to communicate with my ride upon arrival, but no wifi without an active SIM card. Infuriating.


The admin login for the panel where you can turn off SMS auth for delhi airport wifi is “admin:admin” or something very similar IIRC.


Knowing India, it's probably Government mandated for what they call 'security reasons'. It's hard to get free WiFi or internet without providing a phone number in India.


Yeah sounds pretty typical of India in my experience. Can’t get WiFi unless you have a sim


That’s just the law in a lot of countries. I’d have to eat the 50 cents a lot and just receive an international SMS.


Some won't even allow an international phone number. They demand a local phone number...

Have fun with that...


Internet over DNS it is.


> It just seems a petty thing for airports to do, to try and make a few dollars or euros or pounds that way.

Doesn't the party on the other side of the transaction – i.e. you and I who do not want to pay for an Internet connection – have the same attitude?


Often you can't even easily pay for it. If they would just put an "ATM" where you insert your card/cash and get a WPA2 password in exchange it would be so much better.


Almost every item I see on here is using private WiFi connections intended for paying or premium customers, and precisely zero ones that are intended to be free.

This would seem to constitute "piggybacking", which is of questionable legality in many places:

https://en.wikipedia.org/wiki/Legality_of_piggybacking

Given the dubious legality, seems odd to see this on HN.


No you got it wrong, WiFi is controlled by greedy monopolies and he’s just being disruptive ;)


This answer, with the due edits, would describe Uber and AirBnB pretty well, too. ;)


Content on HN has to be interesting. There’s no problem with it referencing illegal activity.


The author claims to be a computer security engineer, yet is deliberately setting up a tool to defeat security -- not an abstract tool, useful in surveying and thus improving your own security and incidentally capable of being used for mischief, but nothing more than a list of identifiers and passwords. The only indicator you can gain from this is that someone betrayed your trust.

If this profession had a board of ethics, this is the sort of thing that it would take action against.

If people want you to use their networks, they will offer you access via any one of several convenient mechanisms, including

not using encryption

putting a sign on the wall with a password

handing you a card with credentials

telling you a password


A password that has already been handed out to thousands or tens of thousands of customers isn't "security".


In the physical world social convention is used all the time instead of real security.

If my boss needs some peace and quiet he closes his door. It is not locked, but people know not to enter. If it is open I can walk in and have a chat.

A WIFI password is a social convention asking you to not share. Everyone knows that it is not secure. But it is much easier than having a captive portal login system. By respecting the social convention we make life easier for everyone. Respecting a social convention is far less onerous than over zealous security mechanisms that annoy the customer.


I think I understand the ethos behind pushing for traditional social norms to not be discarded in the digital age, to resist stratification of security and convention between us all.

Conversely, I also think I understand the rationale for distilling the digital network security flaws and laying them open with the goal of changing and updating the social conventions which can now be completely bypassed and still accomplish a successful intrusion.


There is no social convention on the Internet. If you live in a quiet safe neighborhood you can often get away with leaving your door unlocked at night. But when parking in a city of millions of strangers you always lock your door. On the Internet of billions of people, lock your doors.

I rotate my home WiFi passwords regularly. A business with revenue can’t afford to do this?


> Everyone knows that it is not secure.

This is the crucial part you're wrong about. Most people assume Wi-Fi with password is secure, only us nerds know better.


Door is closed but not locked. In terms of security it is more of theater, than actual security


he literally said instead of real security


At that point it is public information, and sharing it more widely is just journalism or publishing.


I would find something like this to be helpful. As a frequent traveler often you don’t have any sort of cell service when you land. Being able to quickly hop on WiFi is often a godsend for quick communication and navigation to final destinations in foreign countries.

As an example, in Copenhagen airport there is free WiFi but you have to go to wifi.cphairport.com to access it and if you don’t see one of the signs around the airport you won’t figure it out. Some handy guide that has URL, ID of the WiFi and password is super helpful in situations like this.


> I would find something like this to be helpful

I would find a scheme where I am simply allowed to help myself to any goods or services I wish to consume, for free and without permission, helpful, too.


Sometimes the resason that you don't get redirected to the wifi network's captive portal is that your browser is trying to access a page using HTTPS. Trying to connect to a HTTP-only site (like http://neverssl.com/) can solve this.


Yeah. And this is a complete shitshow as everyone on earth pushes https as hard as possible. How do people who haven't heard of neverssl manage to connect to these captive portals? Sooner or later, the drive toward secure http is just going to kill off anything with a captive portal for most internet users.


Just use example.com


Typing 1.1.1.1 or any other IP address usually helps, it automatically redirects to the main login page. If you type a name, your DNS query fails.


Funny you picked that particular IP -- out of all four billion, 1.1.1.1 is the only one (that I know of) that uses HTTPS!


There are a lot of city and town public records. But once they are online and searchable and cross reference able with databases and APIs they become a new kind of public. There’s a lot of data showing this. So maybe it’s public, but not everything that is public needs to be in machine readable format on the internet.

I didn’t explain that well, but maybe you get the point. There’s a balance to be struck.


That doesn't make it right to hand it out.

If a hotel room uses old fashioned keys, can one customer make a copy of the key and start handing it out on the street to anyone who wants to go into the room? Just because many other people have paid to use it before?

People pay for access to the lounge, at least in part, for the better, less congested, more reliable wifi.


I agree; I don't think it's right either.

To take your hotel analogy, I agree it's not right for customers to make copies of room keys. But if it were as easy to copy a hotel room key as it is to copy a wifi password, the hotel would not be in a position to describe those keys as adequate security.

Though the analogy is poor because a hotel room is intended to be a private and secure area where I can store valuable item, whereas wifi access is more like the soda dispenser at an American restaurant—other customers are equally inconvenienced whether you paid or not.


I'm less concerned with the security issues - WiFi you don't control should always be treated as possibly being compromised.

What is a problem is that the networks are password protected and not meant for use by the general public. Airline lounges are providing WiFi for customers who have paid for access (either through the type of ticket or by spending enough to have status to access the lounges). Depending on the location, unauthorized access to the networks can either be categorized as theft of service or unauthorized access to a network.

A "security engineer" who is promoting illegal activity isn't actually concerned with security.


It is controversial but there is something in publicly posting already compromised long-living static credentials.

I do not approve nor disapprove of this. It could be unethical, could be even illegal but still - it also may force to not rely on this security-through-obscurity approach and maybe actually start doing things right. Sadly, many people don't learn from theoretical implications - they just ignore those and don't implement any security. They only start reacting when their passwords are posted in the open.

E.g. if you want only paying customers to access your WiFi, generate unique passwords and print them on their receipts (or tickets or whatever) to look up.


There are degrees of everything. In an ideal world, they probably wouldn't have passwords at all and trust everyone who doesn't have explicit permission to just not use AIRLINE_CLUB or whatever. We don't live in that world.

On the other hand, they probably don't want to use some complicated individualized password scheme because that's a headache for everyone.

So they pick a happy medium that keeps out the casual web surfer out on the concourse and, if a few people get it, who cares? But if a static password ceases to be much of a deterrent, then they've got no choice but going to a system that places more burden on everyone.


I'm not sure. Your vision looks oddly alien to me. It is human to make accidental mistakes, be tempted to break rules and similar. Half of our folklore is about praising deception, playing around the rules, outsmarting or outright cheating. I don't mean those are good things (they're generally not), but those are part of the human nature. Please don't take this personally, but the ideal world of your description would be boring and... I think "sterile" is the word. Not like this is inherently good or bad (I can see both aspects I think) - just alien.

We had plaintext Internet once, but as it grew, it started to fail.So, now most of us cheer for TLS everywhere and believe it's a good idea. Don't see how this is any different.


There's been an irritating trend of malware authors and other digital miscreants self-identifying as 'security researchers' lately.

If they just want to hack other people's shit, they should own up to the antipathy that comes with that. Instead they act like extorting companies over undisclosed vulnerabilities, emptying *coin exchange accounts, posting credential dumps on the internet or exfiltrating gigabytes of data are somehow noble or academic endeavors.


> What is a problem is that the networks are password protected and not meant for use by the general public.

I agree but wanted to point out that what you are saying is exactly what parent commenter is saying too.


If you don't want your semi-public (ie payed for) WPA2 key to be compromised, use 802.1x. Then you can use whatever you want for authentication, including time based tokens.


> not using encryption

Not a viable option, this would allow anyone to intercept traffic.

(To be fair, a lot of wifi routers are broken and will forward you all decrypted traffic from other users anyway on request. Try running WireShark on public wifis.)

The big problem is that Wifi with no password provides no privacy. Ideally we would have a wifi mode that is encrypted, but does not require a password. Just like Https.


Actually WPA with pre-shared key doesn't provide any security if key is publicly known (as someone can setup mitm device).

For wifi without password you should look at WPS.


It's not that someone can set up a MitM device. Wifi with a shared password can be passively captured using a variety of tools and decrypted using WireShark.[1]

The "coffee shop" scenario, where a WPA2 Personal password is written where anyone can see it, is essentially as insecure as non-encrypted wireless.

WPA2 Personal is only secure if the password is very strong[2] and never given to untrusted parties.

The only wireless security I put any real trust in is WPA2 Enterprise with 802.1x certificate-based authentication specifically.[3]

[1] https://wiki.wireshark.org/HowToDecrypt802.11 [2] Otherwise it's possible to mount a hash-cracking attack after capturing the four-way handshake for clients that have the password. [3] WPA2 Enterprise with per-user password-based authentication is vulnerable to an "evil twin attack" unless the password is very strong, which is usually not the case, because organizations typically have it authenticate against Active Directory or another LDAP.


> The only wireless security I put any real trust in is WPA2 Enterprise with 802.1x certificate-based authentication specifically.

802.1x with a certificate for Radius server (TTLS mode, which simply layers the plaintext password via TLS) and plain passwords for users is also good enough.


WiFi passwords aren't about security for the people using the network, they're about blocking people who haven't paid for it. If, as an attacker, one of your targets is using JFK's airport WiFi, getting the password for that WiFi is the least of your problems.

Whether it's ethical to hand out passwords to people who haven't paid for WiFi is another question entirely, but wouldn't it be sweet if businesses just let anyone join their WiFi? Bike repair shops always leave a pump outside for anyone to use, not just customers.


> wouldn't it be sweet if businesses just let anyone join their WiFi? Bike repair shops always leave a pump outside for anyone to use, not just customers.

That's a flawed analogy. It'd be sweet if I could do any prohibited thing whenever I feel like it.

How frequently is the pump oversubscribed that it causes a queue and blocks the sidewalk? If this happened, the repair shop would soon stop leaving a pump outside.

With a WiFi network in an airport you have regular situations where demand outstrips capacity. This isn't something that is discovered later, it's common sense before you even operate the service. Users attempt to download movies at the last minute for their flights, and in many cases each person will attempt to connect multiple devices to the hotspot. The hotspot provider setup things to support their clientele. They'd have set it up differently if they wanted it available for use by all.


No, because wifi bandwidth is finite and shared.


I think this is a red herring. Not using encryption is unacceptable. Sharing public information is not unethical.


Not using encryption to hide your public service is perfectly acceptable. If you come to my house, you can access my wifi network. No password needed. It's my gift to you.

This information is not public. It is a set of shared secrets. And now it has been shared to everyone in the world, rather than those who the owners wanted it to be shared with.


This isn't public info in some cases though. Airline sky clubs charge a fee and one of the benefits is their wifi (note that on the map, these aren't just airports, but airline sky clubs).

That's like you coming to my house, I give you the password to the wifi, and then you go tell all the neighbors about it so they can get "free wifi".


What's the red herring here?


Sharing a wi-fi password with the world is a bit like sharing a party invitation with the world.

To use this you have to stand outside a restaurant / lounge and hope to acquire the weak signal (and hope the password hasn't changed). Why not just buy a coffee and you get to sit down and a have better signal.


Pretty much a case of "this is why we can't have nice things."

Everything becomes a bit more inconvenient for everyone if every establishment has to protect against this kind of thing.


This is already done here [0] and it's not limited to airports or lounges.

[0] https://play.google.com/store/apps/details?id=com.instabridg...


I am using Instabridge for a few years and it is really great! I wish more people knew about it and use it.


Is it possible to set up a trap where someone who inputs a leaked password will be automatically blocked or put on a naughty list?

If you owned a coffeeshop, you would want your Wi-Fi users to be for customers only.


Said trap would hit any former returning customer who saved the wifi password.


Not if you limit it to trap-only passwords you leaked yourself.

Perhaps would work better if you severely slow piggybackers down instead of outright blocking them. If they think your connection is just bad they won't know they need to escalate.


If you wanted your Wi-Fi to be for customers only then you'd use WPA2 Enterprise with unique per-user passwords, or at least change the static password every day.


You might want your WiFi to be for customers only, but not have any idea how or enough money to enforce it.


I might want a million dollars but have no idea how to earn it nor enough power to force everyone to give me their money.

Now give me my million dollars!

Let’s be real. You can’t have your cake and eat it too.


Requires a geek for a few hours and Ubiquiti network gear: https://cdn.arstechnica.net/wp-content/uploads/2018/06/1unif... (from https://arstechnica.com/information-technology/2018/07/enter...) Even integrates with Facebook WiFi to abstract away the auth systems (and further degrade privacy!)


I might want a pet unicorn too, then what?

Changing the password everyday is an acceptable compromise.


The password was changing everyday where I worked, with the daily password available on an intranet page, but then a few months ago a bunch of higher-ups were present in the office for a few days and wanted Wi-Fi access without having to type a new password each day, so the password rotation has been deactivated since


Well they chose convenience over security, which in this case is fair enough (it's public Wi-Fi to being with).

Another solution would've been to implement WPA2 Enterprise, where employees could have their own, permanent credentials while visitors get temporary ones.


Also I don't think you can access anything in the intranet on that Wi-Fi, it's entirely public, as you said.


Then you probably won't know enough to setup that trap.


Well, if I was a cafe owner worried about non-customers going nefarious things I would not be happy until IBM deploy a decentralised blockchain solution that anyone with a HTC phone hardware wallet can seamlessly sign in to with the task only taking thirty minutes or so.

Or maybe make it as easy as possible, never changing the password and thereby getting repeat trade. I am sure a firewall can be opted into with the ISP to make sure nobody is downloading ISIS kiddie porn, Trump tweets etc.


Wlan is usually not that strong to be reachable outside said coffeeshop. If you live near enough, you'll know the key anyway. (for the chance it does)


Sites and tools like this simply encourage lounge operators, vendors and airports to add captive portals or SMS verification and make getting access to wifi harder.


Why? Why would an airport make connecting to the free WiFi they offer harder?


The WiFi isn't offered by the airports, it's offered by private lounges and restaurants, who offer it as a perk to their paying customers.


Well, in europe most airports have free wifi with no restrictions. They are usually offered by the Airport administration company.

In my home country, almost all airports administration companies offers time-restricted-but-free-wifi too.


I've travelled all over Europe and Asia and I don't think I've ever come across an airport without at least half decent, free, open wifi. Is this predominantly a US thing?


Yes. It's not limited to airports.

There are many reason why a hotspot provider in the US wouldn't want the liability of anyone other than a know user accessing their service. These issues are probably more limited elsewhere in the world, although it's probably the case that they are just lagging in coming up with better security practices/policy. Some home internet providers in the US like Comcast have a public WiFi service, but you have to authenticate to use it.


I am glad to hear that! However, the quick scan I did here of Thai and British airports showed almost every wifi point on _this list_ is a private one.


Lounges often have wifi meant for guests only, and the bandwidth can't cope with everybody in the airport using it.


I don’t think these sorts of lists are in widespread enough use to affect the AP operators one bit. This is just handwringing.


That you can abuse something only because other people don't is pretty weak justification.


I doubt they'll find out and even if they do I doubt they'll go to the effort and expense given the how few people will likely use a site like this vs the numbers of people traveling through an airport.

Even if they all do add some other security then it's just like going back to a time before this site so no great loss. The alternative is to not share the passwords on this site which is effectively the same to anyone trying to get on the wifi for free.


I think its Computer crime in germany if you login to a locked wifi for what you did not get password from the owner.


Could you link the § you are referring to? I don't think this qualifies for § 303b StGB. (IANAL)


How legal is this? If those places wanted to have open WiFi, they wouldn't have passwords in the first place. Or, at the very least, just write them on the wall. A detour via that app looks rather dubious.


"email me" is such an aggravating model. Can this be uploaded to gitlab?

I feel like this doesnt need an app. just give me a list of tuples and I can script a grep for the AP im looking for.


+1

This looks to me as the best use of having a public git wit info out there.


To everyone who says that this is dodgy or immoral:

It is not. The majority of the world doesn't function anymore without WiFi, which makes it more of a human necessity than a convenience to pay for. Not offering free WiFi is like not offering passengers free toilets at an airport. Unless you want everyone to piss in a corner you must offer a toilet, especially when you also require passengers to arrive at least two hours prior departure.

In India I wasn't allowed to enter airports without showing them my boarding ticket at the entrance. However I didn't have a boarding ticket because I needed to go to the counter inside, which I wasn't allowed (standard in India). So they demand from tourists to log in their email and show the booking confirmation but don't give you free WiFi. Fuck this shit!

Going to the taxi stand and they ask me for my reservation number. Same story again, no WiFi no luck.

In some countries there is no taxis or taxis are widely considered extremely dangerous (Johannesburg, etc.) and you MUST use Uber. How are you going to do it without WiFi?

Long story short, don't fucking build your entire infrastructure reliant on the internet and then don't give your customers an opportunity to connect to the internet.

WiFi is a necessity, it should be free of charge everywhere.


Any comments on the tech behind this?

(I've done a few projects crowd sourcing and distributing information like this and I'm currently thinking about some tools in this space, hence my curiosity.)


Its just a google map, I dont believe its dynamically updated from users, and doing that would be trivial anyway.


In most cases the tech tends to be trivial, sure. How you check accuracy of incoming information, make sure it's kept up to date in the future, and present it to people tends to throw up lots of very interesting usability problems.


Have a look at https://memberapp.github.io/#map

It allows messages tied to locations to be written to the Bitcoin Blockchain. The database is public, anyone can add information and it is uncensorable.


Is there an android solution to automate registering and accepting T&Cs for free wifi? The log in process and unreliable connection make them barely worth using.


I've seen an app for this in FDroid.


What's the name of it?


https://f-droid.org/en/packages/com.juliansparber.captivepor...

"It works by simply replacing the action URL from the login form on the web page to a local HTTP server which redirects the request to the original destination. The local HTTP server saves the request, so the app can reproduce the same call next time you connect to the same WiFi network."

Uhh... Time to move to iOS, I think.


Why would you move to iOS over that?


Without a rooted phone, there's no better way to "fix" Android's captive portal code, or to automate it.


How would root or iOS help you? The problem is that each captive portal is different, so you need the user to "teach" it once. Seems a reasonable approach to me.


Root would allow packet capture without the VPN framework that may not work before there's a network "up" (I should try tShark).

I guess I'm just a bit exasperated about how the lesser-used parts of Android have far less attention to detail (there's no reason this couldn't be a built in feature)


Why would you do this with packet capture? You'd have to install a root cert and MITM connections, it'd be much more messy and dangerous.


I haven't seen a portal with SSL (correctly) configured - are there any that don't work by capturing DNS/HTTP and redirecting to a login page?

You're already essentially doing MITM by redirecting form actions.


I haven't seen a portal with SSL (correctly) configured - are there any that don't work by capturing DNS/HTTP and redirecting to a login page?

The ones I've used recently all capture DNS/HTTP, but use it to redirect to an HTTPS page with the actual form - which you'd have to MITM.

You're already essentially doing MITM by redirecting form actions.

Yes, but inside a single webview, not system-wide!


How do you automate captive portals on iOS then?


Try neverssl.com


That's just a static HTTP site, built in the hope that it will get redirected to a captive portal. It doesn't help with the captive portal authentication in any way.


why would this be necessary in airports where, yes, maybe the Lounge has a password, but the airport in general as public wifi. I'm sure the public wifi is accessible inside the lounge.....

example Toronto Pearson


Any wifi other than yours, or your company's is huge security risk. I would not trust a second for a service like this.


Why would I trust my company's wi-fi?


Or your own, for that matter?


Would you care to elaborate what those risks are? The internet is rather bigger than the WiFi network you connect to.


Do I need to explain risks using foreign local networks in HN ? I see it quite unfair to get a downvote for this.


Yes. Having a properly secured laptop on public wifi is no different than having a server on the public internet. It's not difficult to reason about the threat model here, and operating systems are fully capable of rejecting potentially harmful traffic.


Rejecting harmful traffic is only one of the threats. There are many other attacks that can be conducted when you control the network and DNS. Only security-conscious users think of ways to counter those threats.


> Do I need to explain risks using foreign local networks in HN ?

Do I really need to explain how not everyone knows everything?

HN is made up of many people with many different skill sets. While you might put emphasis and assign an ideal to the "Hacker" in Hacker News, you are ignoring the large audience of people here that come here from different backgrounds and offer different view points. You also ignore what knowledge people may or may not have. Not everyone understands network security where such things are obvious.

> I see it quite unfair to get a downvote for this.

Do I need to explain why complaining about unfairness of downvotes will get you downvotes?

Rather than whine about how smarter people than you might not know something you do, you could take the time to share knowledge rather than come off as a member of "r/iamverysmart".


You do.




Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: