Hotel Wifi JavaScript Injection (justinsomnia.org)
249 points by phwd on April 5, 2012 | 78 comments



I am a co-founder at a startup that does advertising on WiFi networks. We only run advertising before you connect (when you are in a captive portal), without the use of proxying.

Before anyone overreacts to this article, it would be beneficial to understand the hospitality space. The hotel you stayed at is most likely owned by a franchise group and operated by a GM. GMs are responsible for contracting their own networking services with Hotel WiFi Operators such as the one mentioned here. As such, a major hotel brand such as Marriott may use hundreds of WiFi operators. WiFi operators range in size, managing anywhere between one property to tens of thousands. The vast majority of these operators do not leverage javascript injection.

The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regards to WiFi.

As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.


This is spot on for how the hotels operate. Everything is a cost on top of already slim margins and if it doesn't contribute to an extra dollar in the till, they won't pay for it. I used to work for a company that provided internet access at a large number of hospitality locations (never did ad injection, but we talked about the possibility regularly) and the typical billing model was for us to get a percentage of the cost to purchase access, or charge the location more to provide free access. The normal model was that the brand owner would sign a deal that x% of the franchise operators would use our service and then the operators would fight tooth and nail to keep it from going into place. We did full PMS integration, 1-800 support lines, were a top provider and operators would still fight it on the basis that they thought that the fact it wasn't free would impact their people staying there, but were unwilling to pay extra for it to be free. The plus-side is that we worked extraordinarily hard to make sure that once service was provided (after clicking through the terms of use or paying) that no traffic was discriminated and what each user received was the best that could be provided and was just as secure as any random computer on the internet. Use of subnetting, vlans and disallowing communication between switchports was common, though nothing can be done to protect against someone connecting to the same wireless network because it's impossible because even if encrypted, the keys would need to be publicly available (negating the protection of the encryption) and not nearly enough devices support 802.11x or client certificate authentication.

I sometimes reminisce about the things we did, but even if you refuse to race to the bottom, you get dragged down by a Linksys router and consumer grade internet connection even if the experience for guests is markedly lower. I'm much happier to now be working in an industry where our customers, and our customers' customers, value the work that is done and pay accordingly.


The margins for a hotel aren't that slim in my experience. I worked IT at a hotel for 11 years, and the standard rate for a room ($169 at the time) was well above the break-even cost for a room (around $30-40 for all related labor and services). We never did charge for internet access for the simple reason that the required support load for a paid service is far lower than the support load of a free service (the executive managers were easily talked out of it the couple times it did come up).


"Beds are considered a cost center but are tolerated because they are the number one amenity requested by guests."

WiFi is just as much part of the service a modern hotel provides as a clean bed, nice breakfast and whatever else they might advertise. Why isn't it treated like that? Why aren't they putting ads on my pillow?


There was actually a piece on this on Watchdog (a BBC UK consumer issues programme) just last night. One hotel owner (which provides free Wifi) said it cost them £300 to provide the Wifi, he had 150 rooms so £1.50 a month/5p a day. The cost of the Wifi equipment that needed to be installed? His reply was "it's like fitting toilets, it's a one off cost which you just need to pay". They were specifically looking at the cost of wifi when staying at top hotels, some costing up to £20 a night. Your argument was one they also raised :)

The reason for the extortionate costs? Probably to make up for the lost revenue streams from people not using the in-room phones any more. I hope that at least in this instance the guy wasn't paying for the internet access, that would be taking the p*ss!

For those of you in the UK then the show is here: http://www.bbc.co.uk/iplayer/episode/b01fhfw8/Watchdog_05_04...


in-room movie providers are also suffering.

Why watch expensive in-room pr0n from Lodgenet (and have to explain the charge on your bill) when a browser will serve up similar at a lower cost?


During a recent hotel stay, there was a placard on the nightstand advertising the fact that the bed had a Serta mattress.

At a recent resort stay, they provided a catalogue that allowed one to purchase the same linens and toiletries provided in the suite.


Not on your pillow but definitely on your TV, on your desk, on your room key, ...

Thought exercise: If you took away the WiFi, you would still have a hotel. If you took away the bed, you would have ____.


Actually if you take away the WiFi you have a hotel I no longer go to. The last few years I have traveled to the same places (mostly Toronto area) enough that if I find a hotel with no wifi or a real bad connection I simply never go there again. There are always other hotels I can go to.


Fine, how about air conditioning?


A personal WiFi connected quiet space that rents by the hour?


To be fair, beds are what the hotel sells. ("Heads on beds" in hotel parlance.)


I'd be more than willing to pay a fair price for good network service at hotels.

By "fair price", I mean a similar cost per megabyte transferred to what I could reasonably expect to pay for home or business internet service in that area. They can meter it and add it to my bill. So I can go nuts on bittorrent, but at a fair price. If I don't go nuts on bittorrent, I'd expect that the total should be very cheap for a typical hotel visit, especially compared to the rest of the bill.

By "good network service" I mean comparable in bandwidth and latency to residential or business service offered by ISPs in the area (e.g. cable or DSL), with good wifi coverage, and no port blocking or any other kind of filtering or traffic shaping beyond what's necessary to fight spam and provide good service to all the guests using the network.

Also, please don't restrict the number of devices. I've had hotels insist on one device to a room, or demand unreasonable fees for extra devices. If each person has a phone, a tablet and a laptop, that's pretty inconvenient. Please bill for total bytes transferred instead.


wow... where do I begin?

I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.

You get many details about the hospitality space dead wrong.

First, in direct response to "GMs are responsible for contracting their own networking services"...

GMs are managed across several MBOs, including occupancy and REVPAR (revenue per available room).

There are 3 major players in the hotel space:

1) People who own hotels, 2) People who manage hotels, and 3) People who brand hotels. Two or even three of these may be a single party. From this you quickly learn that "Hilton" is a brand, and that, while Hilton owns some of the hotels with its brand on top, it also owns hotels without a Hilton brand, and manages hotels on behalf of 'ownership groups' with a mixed set of brands.

At the end of the day, it is the owner, not the GM, who decides which vendor gets a particular contract. Sometimes the owner will defer to the management team (which may, remember, be a separate entity).

Yes, WiFi (with Internet access) is the single-most requested amenity. I come from the bad old days, before the dot.com bust, when hotels were full, and the GM would look at me and explain, "My hotel is full, you should pay me to install this, and give a split of the revenue to me."

Ad injection is bullshit, pure and simple. It's XSS by another name.


> wow... where do I begin?

> I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.

> You get many details about the hospitality space dead wrong.

Surely you meant to say "Wow it's interesting to see how different your experiences are from mine, working in that same industry".

Because, you know, I don't think either of you is making stuff up or is "dead wrong". And in such quite a large industry, with several different quality segments it's very possible that there's more than one way to do it.


No, I mean wrong. The GM is responsible for a single property, and is the employee of the management group (or the owner).


Gonzo, seems like we are in agreement and you are just arguing very nuanced semantics with me. Hotel brands do indeed own their own hotels, but franchise groups will own the majority of the hotels for low to mid tier brands (Accor being a major exception).

Like you said, the GM, the owner, and the franchise group is a fuzzy designation at best. The contract is always with the owning entity, but management will most likely select the provider.


Wyndham, who owns the largest percentage of the hotels it manages, also owns (and operates) Hiltons, Marriotts, and Sheratons. Starwood owns hotels with franchised brands, as does Marriott. They (nearly) all do.

It's not a fuzzy designation, it's what happens when the backroom guys are literally playing Monopoly with real world objects.

I was with Wayport (now AT&T). Who are you with?


> it is important to note that public WiFi is never safe unless you are using a VPN

I would like to use the article and this statement to beat very hard the nitwits who advocate javascript-only websites.

Some here are dismissing js-alternatives to their products (e.g. html only) with the rhetorical question "who surfs without js nowadays anyway?".

How do you take care of aforementioned problem?


VPN/SSH Tunnel.

But seriously, you're just as screwed if they inject HTML that changes the form submit URL for your password to an attacker-controlled site. The real answer to this problem is HTTPS, everywhere.


Given the spread of mobile browsing in the wider sense it's unreasonable to assume that the majority of users surf through a vpn. So which alternative do you provide to the users of a js-only site?

My point is, that this should be a concern for the developer of an application and not being pushed onto the "dumb user". I'm sure that there are better answers than three letter acronyms.


Mobile phones have VPN clients now built into the system. It was much easier to get Android (old one, 2.x but it was possible even in 1.6) to connect to L2TP/IPSec VPN than Ubuntu.

It's unreasonable to assume that majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that majority of users will surf with js disabled by default.

In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.


> deSSLify the connection on the fly

How is this possible?


Intercept HTTP requests that the target site tries to redirect to HTTPS. Then proxy the HTTPS connection. If the user doesn't notice that the lock icon is missing from the URL bar, then they're being effectively MITM'd (and anyone on the WiFi can see all their traffic).

e.g.:

  1. Alice enters "paypal.com" into her browser.
  2. Alice's browser issues a request to http://paypal.com/
  3. Mallory intercepts this request, and replays it.
  4. http://paypal.com redirects to https://www.paypal.com/
  5. Mallory's proxy fetches the Paypal content and returns it to Alice
  6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
  7. Alice enters her password.
  8. Mallory steals all her money.

A response to this attack is the "HTTP Strict Transport Security" extension implemented by modern browsers, which, for sites that enable it, prevents the browser from ever even attempting a non-encrypted connection to the site, and also prohibits bypassing the SSL certificate warning page if an unknown/invalid certificate is presented by a MITM attacker.


I guess I'm one of the few people who always enter complete URLs, e.g. I would enter https://www.paypal.com, when I go to a site that I want SSL on.

I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.


Do you want a cookie or something?


Run your site on https. Can't inject into that.


Not to mention that with open unencrypted WiFi any attacker can do things like this anyway.


Same problem @ court houses offering WiFi to jurors. They express that you should take advantage of access to the local free/UNENCRYPTED WiFi for "JUROR's ONLY" to access.

Though the network is open, which is a danger in itself, the network asks you to accept an invalid security certificate (which means they MiTM everything from the get-go), and then they took the time to make you read/accept an agreement stating in bold that this is an insecure network, and that everything you do over it will be audited and monitored (SSL stripping). As a juror, you must then sign in using your badge #.

It defeats the purpose of any of these post-associated protections if an attacker simply injected his own certificate, or JavaScript frame. Even creating a Honeypot-Rogue-AP using any number of wireless-capable devices such as smartphones and mobile routers, even wristwatches & sunglasses.

Compromising a jury from an attacker's standpoint would be to sit in the cafeteria and literally eat cake.

:-\


Maybe I am very naive, but how does unencrypted WiFi mean that anyone can do anything they like to me? Can they mess with my https, ssh or VPN connections? Can they inject content into regular HTTP pages?


Have a read up on ARP spoofing/poisoning: http://en.wikipedia.org/wiki/ARP_spoofing

Receiving spam ads is the least of your worries.


Could a startup use this ad serving mechanism to also calculate and sell/publish the speed, uptime, etc. of each hotel wifi network? Many won't care, but personally, I would like to see those figures next to advertised hotel wifi.


The hotel wifi service provider business is (and has been for 5+ years) a really crummy race to the bottom. Hotels don't want to do it themselves. They can't really; they don't have the talent in-house. It's fairly expensive to do correctly. Most hotels weren't built with cat-5 installed, so you have to pay someone to go do that. Then you have to install a bunch of networking gear which isn't cheap. Then you have to pay someone to monitor it all and come out and fix it when it goes down. You probably also want some 1-800 number your guests can call when they can't get on-line. The costs add up pretty quickly.

So how do you pay for it all? You're in a hotels.com price war with all your competitors, so you can't just raise room rates. Your customers will get pissed off if you tell them they have to pay extra for wifi. So eventually some genius comes along and gives you this brilliant idea that will make wifi pay for itself, and this is what you get.


Note however this is happening at a Marriott hotel.


See excellent comment from henryl on the hotel business. He's spot on.

Marriott is a franchise business. That is, they don't own the hotels. They license the brand to hotel owners or operating groups. Most hotel brands work this way. Some hotel brands require their owners to use a specific wifi provider or choose from a list of approved providers. Other brands let their owners do whatever they want.

In this case you can see that the owner opted for a presumably low-cost provider that hoped to recoup its costs by displaying ads this way.


Henryl is incorrect in places (places that matter).

Marriott owns hotels, but they don't own every hotel with a Marriott brand on top.

Hotel "brands" can NOT dictate providers AT ALL. To do so runs afoul of anti-trust law. They CAN issue a "brand standard" that you have to have WiFi, and it has to be at least "this good" (insert specification).

Now, where the hotels are OWNED (by any party) the OWNER can dictate whatever the hell she wants.

And Marriott most certainly does own a large percentage of the hotels that sport their brand.


Funny when I stay at higher-end hotels like Marriott they want $10/day for internet. When I stay at a Super-8 it's generally free.


There is nothing related to WiFi in this system. The hotel is running the traffic through a transparent proxy which is performing MITM "attacks" to disable ads from providers and show their own ads.

It is icky for all sorts of reasons. I suppose an individual website could consider it theft of ad revenue, and an end-user could consider their privacy invaded.


Now if these MITM attacks became a bit more clever, it would be very hard to catch: rather than what they are doing now (and making everyone aware of the fact that they MITM), they could as easily change the Google AdSense Client ID's, or the Doubleclick publisher ID's etc. The creatives would still be perfectly integrated on the page, and it would take a lot of luck for someone to find that out.


transparent proxy?

no, they just need to intercept all the port 80 traffic.


Intercepting port 80 traffic is exactly what a transparent proxy does. http://en.wikipedia.org/wiki/Proxy_server#Transparent_proxy

They call it transparent because the client does not need to support using a proxy server or even be aware that it is happening.

Transparent proxies are common at corporations that filter web browsing. It is harder to circumvent than DNS blocking.

I suppose that it is no longer a transparent proxy once it starts modifying the requests or responses. But even transparent proxies generally serve an error message in some cases, like when a domain name doesn't exist or a server does not respond on port 80. So they are rarely, if ever, fully transparent.


My ISP also does this. Once in a while I get a pop-over ad in the bottom right corner of HN. As a matter of fact, I just got a pop-up to this ad: http://219.238.235.221/shenzhenyocc/swf.html


Which ISP are you using?


Some Chinese ISP, I think it's called China Telecom.


China Telecom does this routinely.


Looks like some Chinese ISP? Possibly datadragon, it's hard to say.


same for me. That's where VPN comes in to the rescue.


This is yet another reason I'm glad that SPDY is mandatory TLS encryption. Shenanigans like this get a lot harder.

I'm hoping we see a lot more SPDY (or plain https) rollouts in the near future.

It's enough that I'm going to try now to https-ify all of my web properties, including adding HTTP Strict Transport Security headers where they aren't.


My personal site, for various reasons including this one, is entirely HTTPS. If you try to access any part of my site by HTTP, you're just redirected to HTTPS.

(this is mostly because I'm too lazy to maintain separate site configurations for HTTPS and HTTP)


Make sure you also set the Strict-Transport-Security header to prevent attacks against the HTTP-to-HTTPS redirect.
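The HSTS advice above, and the SSL-stripping walkthrough earlier in the thread, can be checked mechanically. The following is an added example, not code from the thread or from any site it mentions: it parses `Strict-Transport-Security` values and audits a redirect chain for the gaps a stripping proxy relies on. The `example.test` hosts, the sample chains and the 180-day threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed local threshold (180 days); not a value from the thread.
MIN_MAX_AGE = 15552000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; return a dict, or None if invalid."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: each directive may appear only once
            return None
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # Unknown directives are ignored, as the RFC requires.
    return policy if policy["max_age"] is not None else None


def audit_chain(hops):
    """Return (code, url) findings for a list of (url, headers) responses."""
    findings = []
    first_url = hops[0][0]
    if urlsplit(first_url).scheme == "http":
        # An on-path proxy can answer this request itself, so the HTTPS
        # redirect only helps once the browser already holds an HSTS policy.
        findings.append(("PLAINTEXT_FIRST_REQUEST", first_url))
    for url, headers in hops:
        hdrs = {k.lower(): v for k, v in headers.items()}
        sts = hdrs.get("strict-transport-security")
        if urlsplit(url).scheme != "https":
            if sts is not None:
                # Browsers ignore HSTS headers received over plain HTTP.
                findings.append(("HSTS_OVER_HTTP_IGNORED", url))
            continue
        if sts is None:
            findings.append(("HSTS_MISSING", url))
            continue
        policy = parse_hsts(sts)
        if policy is None:
            findings.append(("HSTS_INVALID", url))
        elif policy["max_age"] == 0:
            findings.append(("HSTS_DISABLED", url))  # max-age=0 deletes the policy
        elif policy["max_age"] < MIN_MAX_AGE:
            findings.append(("HSTS_SHORT_MAX_AGE", url))
    return findings


# Constructed sample chains (example.test hosts, not captured traffic).
WEAK = [
    ("http://shop.example.test/",
     {"Location": "https://www.shop.example.test/",
      "Strict-Transport-Security": "max-age=31536000"}),
    ("https://www.shop.example.test/", {"Content-Type": "text/html"}),
]
HARDENED = [
    ("http://shop.example.test/", {"Location": "https://www.shop.example.test/"}),
    ("https://www.shop.example.test/",
     {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
]

if __name__ == "__main__":
    for label, chain in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_chain(chain))
```

The hardened chain still reports the plaintext first request: HSTS only protects a browser that has already stored the policy from an earlier HTTPS response or from a preload list.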


This is one of the many reasons to use an extension that forces SSL on every website that supports it.

It's possible to MITM SSL, but it would throw all kinds of security warnings on the client and prevent this kind of tampering.

Note: I'd recommend SSH tunneling, or using a VPN, but there's quite a bit more work involved here, so for the install-and-forget crowd, SSL is already a huge improvement.



Also: https://code.google.com/p/https-finder/

HTTPS Finder automatically detects and enforces valid HTTPS connections as you browse, as well as automating the rule creation process for HTTPS-Everywhere


Wow, that is very gnarly. I love that "Web experience manipulation" is listed as a feature on this page:

http://rgnets.com/index.php?page=features


The original "web experience manipulation": http://www.ex-parrot.com/~pete/upside-down-ternet.html


That is the creepiest webpage I've read in a long, long time. I'm a bit surprised that this is the first time I'm hearing about these kinds of shenanigans, unless it's extremely new or it's not rolled out across all Marriott hotels. That's outrageous.


I was part of a startup 5 years ago that built something identical to this for hotels. We used privoxy and a regex of doom targeting the <title> tag to inject javascript that would add a flash toolbar on the bottom of the page you were viewing. It would show local ads and allow access to some hotel services.

Worked surprisingly well but I'm glad it never took off. I don't think I could have forgiven myself for being responsible for what would come of that.


It's likely that the issue is due to that specific hotel / ISP instead of blaming the entire Marriott chain. In fact, you could contact Marriott for them to investigate.

Hotel chains usually have brand standards relating to internet access, so this particular install may be in violation. For example, I know the Hilton chain requires its (newer) hotels to use AT&T, so it's unlikely there's tampering from the ISP/provider standpoint (though MITM attacks are still possible so always use a VPN).


Is it legal to manipulate web traffic like this? I would assume some companies who depend on ads (e.g., NYTimes.com) would object, perhaps with a lawsuit, to ISPs or other imitation ISPs (i.e., hotels) removing original NYTimes ads and replacing them with their own.


The same can then be said for using an ad-blocker - are you denying NYTimes.com revenue by blocking their ads?


This is BS in 2012. Hotels need to treat internet access like running water and make it at least as good as what people get at home. Especially when you consider many people in hotels are subject to international roaming fees if they resort to their mobiles.

Even in higher-end hotels, you get a shoddy experience, and not just this ad injection. Weird login dialogs every few hours and restricting access to one device. Outrageous fees. Lack of transparency on bookings websites about availability and pricing. And once you're online, good luck trying to watch a video or getting any work done, the connection's often too slow to do anything but check a few emails.

I really hope AirBNB puts pressure on the hotels to get their act together. You stay in someone's house for $40 and you get a much better experience than a $200 hotel room. The whole situation is why I recently made the decision to use AirBNB instead of hotels whenever practical.


funny, back in 1999 I predicted that "for pay" hotel wifi would be the new equivalent of pay toilets.


This is a slimy practice, but what I wouldn't mind, at all, are ads when I first connect to the AP. Make me watch a video, or let me click through a few pages of ads for local services - if I'm at a hotel, I'm likely from out-of-town and am interested in nearby restaurants and tourist destinations. Show them to me! It's likely that I'm using the internet to look those up anyway.

Being sneaky about it and hiding local ads in the banners of other websites is:

a) Rude, and

b) Unlikely to work, since I ignore those banner ads anyway. Even if I saw those ads, I'd be highly suspicious of it (in a "10 local girls are interested in talking to you!" sort of way).

Talk about an opportunity lost. Look at Starbucks' free wifi sign-on page. It's nice to look at. Do the same thing, and it's alright, put some ads on there. I don't mind.


Yet another reason to run a VPN over any unknown network, such as hotel wifi. Aside from people sniffing your traffic it will also protect you from MITM attacks - be they benign like this or potentially more serious.


Who do you (anyone) suggest as a reputable VPN provider?


I found a list of VPN providers http://lifehacker.com/5759186/five-best-vpn-service-provider... It is kind of terrible though: all the cheaper ones are PPTP-only, and PPTP is insecure. Security is why I'd want a VPN!

Some of the comments on that article suggest running your own OpenVPN instance on Amazon EC2 or other VPS. If the EC2 suggestion works, it looks reasonably priced (at least as long as you don't use it all day every day).


My ISP, Sonic.Net, provides a free VPN to all customers.

If you are in the Bay Area you owe it to yourself to use Sonic.net, they really are one of the best ISPs (along with Web-Pass) in the US.


You made the mistake of staying at an expensive hotel. Expensive hotels generally have the most gouging internet setups, whether it's silly high prices, or MITM ad revenue takeovers like here.


I think $368 a night is pretty middle of the road for Manhattan.


Sure; the cost of your hotel is largely a function of where it is located.


Singapore Free WiFi Wireless@SG was doing this for a period of time! Serving all pages as an HTML frame page and putting adverts in the bottom page frame.

I have yet to see any for a while, but I guess that is more due to the lack of advertisers.


Hrm... so they charge for wifi access and then inject ads on every page you visit?


My workaround, whenever I can't tether to my mobile phone and must use an untrusted hotspot, is to route all traffic over OpenVPN to the server running in my home.


I've also seen a hotel in Canada proxying all e-mail one sends unencrypted via port 25. One more reason to use a VPN in hotels.


One of but many reasons I don't connect to public anything without using openvpn to carry my traffic.


The real question is if the OP's blog was hacked by terrible designers. What a hard-to-read site.


Wow. This is a new low.


Hotel Wifi JavaScript Injection sounds like a prog rock act.



