Get Your Free WiFi From Elvis

man dressed like Elvis in front of Welcome to Las Vegas sign
Want some free WiFi?
Ah, the lure of free open WiFi! Who can resist? Avoid flakey signal from your smartphone, get faster access and avoid data usage caps. But there is no such thing as a free lunch. When Elvis offers you free WiFi it’s best to think twice, because when someone offers free WiFi it comes with a cost, usually your privacy and security.

It might be a coffee shop who expects you to buy coffee, or a hotel who wants you to stay there instead of down the street. Or maybe the hotel has decided they can additionally sell advertising to you while you’re using the “free” WiFi to make a little extra money. Like the Elvis impersonator you should know what you’re really getting into. If think you’re getting your picture taken with the real Elvis, then perhaps you deserve what you get, especially in cases where the provider is taking the role of the huckster and offering something for “free” (as in puppy) when the hidden cost is your privacy.

With open or free WiFi the risks are always there in the form of unknown others on the network. I have found as I travel that hotel WiFi for example is a constant source of machine probes and attacks. Luckily my computer is well configured and I see the attempts. In spite of that I take the paranoid view and have avoided and free WiFi for over a year, until last week that is.

I was at the IQPC sponsored ISO 26262 Functional Safety conference in Berlin speaking on automotive cybersecurity. The WiFi performance in Berlin was no worse than others both at the hotel I was staying at and the conference hotel. By which I mean that it’s aggressively mediocre at about 1.5 Mbps. This would be reasonable performance for a 2G cellular network, but seems slow for WiFi. Now the reason I’m using it is that the cellular speed I get when roaming around the world is even slower – about 128kbps. So here I am making poor security decisions based on slow network performance. There’s a lesson to be learned there and perhaps a whole article about how we make poor security decisions.

And this is where this hotel stands out different than others, at least hotels in the USA. The attacks didn’t immediately start as I’ve seen at others, for example the Hilton in Long Beach, CA. (Yes, I’m purposely shaming their insecure public WiFi) But after working for a few minutes several of my web connections started failing when they refreshed. There were complaints about needing to re-login to Outlook, Google and other apps that require authentication.

Hotel MITM 1 of 3 So I started poking by clicking the little lock icon in the URL and as it turns out they were failing because the certificate for https was suspicious.

Hotel MITM 2 of 3As you do in these situations, I took a look at the certificate by pressing the “show certificate” button. In this case the certificate was supposed to be for Office 365,MITM safe office.com but instead it was signed by… wait for it… the hotel!!! Essentially they were doing a man-in-the-middle (MITM) attack. This means they were pretending to be Microsoft by self-signing a root certificate and saying “Microsoft is who we say it is”.

Hotel MITM 3 of 3

Probably this was for some silly injection of advertising or some other annoying but not necessarily evil purpose. Remember Lenovo doing this on their computers recently? In that case it was widely published and got a cute media name “Superfish“.

For Superfish the purpose was to put ads into your browser. Lenovo pre-installed it on a bunch of their computers, presumably for some additional revenue. The problem is that once you break down the certificate trust chain with this kind of attack, you leave the user at great risk. Someone can steal their credentials and really spy on any supposedly secure communication they have. This is to say nothing of having extra ads put onto your computer.

For the record, self-signing root certificates is only acceptable in a development or testing situation. Putting untrusted certificates in the wild is dangerous since no one can rely on them. Worse yet is pretending to be a certificate authority and jumping in the middle of a transaction or communication that the users think is secure. Not only is this unethical, but it really should be illegal.

Lesson learned again… Don’t use free WiFi and always pay attention to your URL lock icon.

Leave a Reply