on a recent trip, i stayed at a hotel that had a 1-hour free wifi trial per device. after it expired, i toggled mac randomisation and reconnected. worked again. did it four times, no issues. never paid.
later checked the captive portal domain. it was hosted by a third-party vendor. not the hotel. same pattern as cruises. backend didn’t care who i was, just tracked mac and time.
this blog just confirmed what i suspected: enforcement is surface-level. they want friction low enough to upsell, but not tight enough to annoy casual users. the systems are optimised for conversion, not for plugging leaks. most abuse is silent and tolerated. these aren't security flaws. they're tradeoffs.
When dealing with security issues, organisations typically consider likelihood of occurrence and impact. The impact for these is negligible, so they don’t invest in fixing them. There’s absolutely nothing to be lost if this gets exploited by the occasional tinkerer.