Outnumbered And Outgunned, Marriott Sort Of Backs Off Stupid Plan To Ban Guest Device Wi-Fi
from the know-when-to-fold-'em dept
Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks to prevent customers from using tethered modems or mobile hotspots at the company’s Gaylord Opryland Hotel and Convention Center in Nashville. Marriott’s ingenious plan involved blocking visitors and convention attendees from using their own cellular connections so they’d be forced to use Marriott’s historically abysmal and incredibly expensive wireless services (in some cases running up to $1,000 per device).
When pressed by the FCC, Marriott pretended this was all to protect the safety and security of their customers. The company also tried to claim that what it was doing was technically legal under the anti-jamming provisions of section 333 of the Communications Act, since the deauth attacks being used (which confuse devices into thinking they’re connecting to bogus, friendly routers) weren’t technically jamming cellular signals. The FCC didn’t agree, and neither did industry giants like Microsoft, Google, AT&T and Verizon, who collectively filed opposition documents with the FCC arguing that Marriott was clearly violating the law.
After carefully surveying a battlefield scattered with millions of pissed off consumers, annoyed regulators, and angry, bottomless-pocketed technology giants, Marriott has apparently concluded that maybe its shallow ploy to make an extra buck isn’t worth fighting over. In a statement posted to the company’s website, Marriott states it’s going to stop acting like a nitwit, maybe:
“Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices.”
You’ll notice the selectively-worded statement doesn’t completely put the issue to rest, and clings fast to the argument that Marriott is just really concerned about visitor security, suggesting this may not be the last we hear of this.
Comments on “Outnumbered And Outgunned, Marriott Sort Of Backs Off Stupid Plan To Ban Guest Device Wi-Fi”
Once Again, Security On The Internet Is Implemented At The Endpoints
Look at the commonly-used security protocols, namely TLS/SSL and SSH, and you will see that it is the endpoints that handle all the encryption and verification, not any part of the intervening network. It doesn’t matter if somebody in the middle is listening to everything, because all they will see is data they cannot decrypt.
So all this idea of “rogue wi-fi access points” is nonsense. It makes no difference whether the access point you have connected to is “rogue” or not; so long as you have properly set up authentication with the other end, you will be fine.
Re: Once Again, Security On The Internet Is Implemented At The Endpoints
This is incorrect. A man-in-the-middle attack is done by impersonating an SSL connection. Basically, you try to get to an SSL site – like Google. The middleman intercepts the request and establishes an SSL connection with your client, then establishes another SSL connection with Google. It takes information from you… and then passes it to Google… but it is able to see everything UNENCRYPTED.
Many places do this. My company does it. The only way to know for certain is to examine the certificates – which most people don’t do.
Re: Re: A man-in-the-middle attack is done by impersonating an SSL connection
You might like to read up on how MITM attacks on TLS/SSL are actually conducted.
Hint: it cannot be done without the collusion of the CA.
Re: Re: Once Again, Security On The Internet Is Implemented At The Endpoints
On the recent story about Chrome marking non-SSL sites as untrusted, beltorak made what I thought was an awfully good suggestion that I believe would make “trust” on the internet easier to understand for everyone (https://www.techdirt.com/articles/20141213/07112629425/chrome-security-team-considers-marking-all-http-pages-as-non-secure.shtml#c599)
Basically, separate the definitions of “secure” communication and “trusted” communication. Secure means only you and the endpoint you’re connected to (and anyone that endpoint wants to talk to) can see the content of your communications. Trusted means that you are definitely connected to the endpoint that you think you are connected to. Secure and trusted means that your communications are private, or at least as much as the internet can make them.
Protecting guests? They’re just greedy.
That’s easy: wired to the rooms and passworded Wi-Fi for events. What’s the problem? I suspect the real motive is locking 3rd parties out. Funny thing about RF: the FCC gets their panties all in a bunch when you mess with that. You can lease a dedicated frequency, but Wi-Fi is meant to be OPEN to all.
The Marriott is talking about the security of their guests because they claim to be blocking random third parties from entering the hotel, setting up their own wireless hotspots that claim to be the Marriott official hotspots, and doing terrible unspeakable* things to the data that hotel guests are sending via what they think is an official hotspot.
Which is true, as far as it goes… but there are (unfortunately?) better ways to handle that problem that don’t require blocking any and all hotspots that happen to interfere with an extremely lucrative opportunity for the hotel.
* No really, they can’t speak about what the rogue hotspot might do to the data. Maybe they don’t know?
Sometime back the FCC was raising Cain at theaters and restaurants doing cell phone blocking. I cannot for the life of me figure out why the Marriott chain thought this would be an OK scam to pull off. The only thing I can figure is they thought the FCC fine would be less than the income they got in.
I understand what brought it about was another gouge to the traveling public and businesses.
What the FCC was originally “raising Cain” about was the actual use of signal jamming to prevent cellular bands from working properly (thus disabling all cell phones). The intentional introduction of signal interference is a big no-no.
The Marriott was not actually doing this. Their method – while it looked like a duck – did not actually violate the existing jamming rules.
Re: Re: Re:
“The Marriott was not actually doing this. Their method – while it looked like a duck – did not actually violate the existing jamming rules.”
No matter which way you slice it, the Marriott is in clear violation of Federal laws.
From the FCC:
Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi).
Re: Re: Re: Re:
“interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi)”
There is a lot of ambiguity there. By my reading, this implies that they are talking about actual jamming — that is, the disruption of radio signals. A deauth attack does not do that. If by “interfere” they mean something broader than “jamming”, then a deauth attack would qualify. But that’s not how the rule is written, and we have to assume intent beyond the wording of the rule to interpret it that way.
All that said, it’s a very good thing that Marriott backed off on this. They were doing a real disservice not only to their customers and others on their property, but to anyone within the range of their WiFi equipment.
Now, if only they’d drop the disingenuous excuse of security as their motivation for wanting this.
Liar, liar, pants on fire!
Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels.
Any company ‘committed to protecting the security of Wi-Fi access’ would be offering leaflets advising customers to use firewalls and other such basic essentials of online security, not anticipating how to get away with continuing to block the Wi-Fi of those customers’ devices. Simples!
Transparent Lying Liars
If Marriott were concerned for security, they would make sure their WiFi were free to all guests. Maybe to anyone in the area. Better to ‘protect’ everyone.
If Marriott tells the lie that it needs to make money in order to offer WiFi, then I would ask this. Why don’t you also charge a special fee for:
* Indoor Plumbing
* Air Conditioning / Heating
* Television channels
* Use of in-room phone
Each of the things I listed has a huge up-front cost to install, along with an ongoing cost to operate. How is WiFi different?
I will be anxiously awaiting your lies.
Nitpicking: not MITM
> Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks
The deauth attack is not a MITM. A MITM is where the attacker is in the middle: it intercepts the original packets (so the destination doesn’t receive it) and sends new packets (or the original packets, depending on the attack) to the destination.
In the deauth attack, the attacker doesn’t drop or modify any traffic, nor can the attacker do that since it’s not actually in the middle. Instead, the attacker sends a newly-created forged packet. Unless the target is using 802.11w to authenticate control packets, it’s treated as legitimate and the target breaks the connection (as instructed by the forged packet).
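As an added example (not code from the article or from any commenter), here is a small Python detector for the behaviour the article and the comment above describe: it parses 802.11 deauthentication/disassociation frames from their standard header layout, honours the Protected Frame bit that 802.11w management-frame protection sets, and flags a BSSID that receives a burst of unprotected deauths. The capture, MAC addresses, threshold and window are constructed for the demo and are assumptions; nothing is transmitted.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE, DEAUTH, DISASSOC, PROTECTED_FLAG = 0, 12, 10, 0x40  # mgmt type, subtypes, PMF flag (FC byte 2)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(raw):
    """Parse FC(2) Dur(2) Addr1(6) Addr2(6) BSSID(6) SeqCtl(2) Reason(2); None if not deauth/disassoc."""
    if len(raw) < 26:
        return None
    fc0, flags = raw[0], raw[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (DEAUTH, DISASSOC):
        return None
    return {"kind": "deauth" if subtype == DEAUTH else "disassoc",
            "protected": bool(flags & PROTECTED_FLAG),
            "dst": mac_str(raw[4:10]), "src": mac_str(raw[10:16]), "bssid": mac_str(raw[16:22]),
            "reason": struct.unpack_from("<H", raw, 24)[0]}

def sample_frame(subtype, dst, src, bssid, reason, protected=False):
    """Constructed in-memory test fixture for the demo; nothing is ever transmitted."""
    fc0 = (subtype << 4) | (MGMT_TYPE << 2)
    flags = PROTECTED_FLAG if protected else 0
    return struct.pack("<BBH", fc0, flags, 0) + dst + src + bssid + struct.pack("<HH", 0, reason)

def flag_deauth_floods(frames, threshold=5, window=1.0):
    """frames: iterable of (timestamp_s, raw_bytes). Alert when one BSSID sees more than
    `threshold` unprotected deauth/disassoc frames within `window` seconds; frames with
    the Protected Frame bit set are left to PMF validation and not counted."""
    recent, alerts = defaultdict(deque), []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        p = parse_mgmt(raw)
        if p is None or p["protected"]:
            continue
        q = recent[p["bssid"]]
        q.append(ts)
        while q and ts - q[0] > window:     # sliding window per BSSID
            q.popleft()
        if len(q) > threshold:
            alerts.append((p["bssid"], ts, len(q)))
            q.clear()                       # one alert per burst, then count again
    return alerts

# Constructed capture: eight broadcast deauths (reason 7, "class 3 frame from nonassociated
# station") spoofed with the AP's own BSSID, plus one PMF-protected frame that is ignored.
AP, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
CAPTURE = [(0.1 * i, sample_frame(DEAUTH, BCAST, AP, AP, 7)) for i in range(8)]
CAPTURE.append((0.5, sample_frame(DEAUTH, CLIENT, AP, AP, 7, protected=True)))
```

Running `flag_deauth_floods(CAPTURE)` yields one alert for the AP's BSSID at t=0.5 s with six unprotected frames in the window; the protected frame never counts, which is the practical reason to enable 802.11w on both APs and clients.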
Re: the attacker sends a newly-created forged packet.
And that is different from “MITM is where the attacker … sends new packets” how, exactly?
Re: Re: the attacker sends a newly-created forged packet.
Because a deauth attack does not involve intercepting another person’s datastream. A man-in-the-middle attack does.
Re: Re: Re: the attacker sends a newly-created forged packet.
I stated that poorly. Let me try again:
A man-in-the-middle attack involves a “man in the middle”. In other words, Alice sends a message to Bob. Carol, the man in the middle, intercepts Alice’s message before Bob gets it, then inspects and/or alters it, then sends it on to Bob.
A deauth attack is not that. It’s more like if Carol hangs out by a telephone and waits for it to ring. When it does, Carol hangs it up before anyone else can answer.