Hacking a commercial airport WLAN
Posted on 30/8/06 by Felix Geisendörfer
Welcome lifehacker.com & hackszine.com visitors. Read this follow up post if you care about the story of this article.
Update 06:20pm: My luggage just arrived - I'm happy ; ).
Yesterday I left Atlanta, GA after having spent 6 weeks of my summer there to visit my host family that I was staying with the year before as a foreign exchange student. The flight back wasn't all that great, it had 4 hours of delay, I missed my connection flight, had a long waiting time at the Düsseldorf airport and when I finally got back into Dresden my 2 big suitcases were missing - and still are. But oh well ... they'll show up, eventually.
Meanwhile I want to share a little hack I did when I was waiting at the Atlanta airport. As most airports do these days, they have a wireless network there. Unfortunately, they try to make you pay $7 for 24h, no matter how long you actually get on there. Since I didn't want to get ripped off, I started playing around with the network. Using LiveHTTPHeaders for Firefox, I was able to see that they were redirecting me to their portal via a 302 whenever I tried to access a public site. So the first thing I tried was to deactivate redirects in about:config, hoping they would send me the site I wanted after their redirection header. This might sound stupid, but check out the post on cakebaker talking about it if you are unfamiliar with the problem. Anyway, it didn't help, I wouldn't see any page at all, and instead got a Firefox error message. So back to the beginning.
I continued to try a couple of other things, like checking if they had forgotten some ports like 21 (ftp) or 110 (pop3). But no, all of them were properly blocked. After a lot of unsuccessful attempts, I had some intuition telling me to check how they handle pictures. Without any hope of success I typed http://www.google.com/.jpg into my browser's address bar, and to my big surprise I saw the page you see when you follow the link right now. The next thing I typed in was: http://www.google.com/?.jpg but that didn't work. But I went on, and found that URLs like http://www.google.com/search?.jpg worked like a charm. I found that I could easily visit sites like slashdot, google, or even this weblog, when adding a ?.jpg at the end of the URL. The next logical step was to automate that. I downloaded greasemonkey.xpi?.jpg (*g*) and wrote a 4-line JS script that would add ?.jpg to every link in a document. That way I was able to browse most sites without a hassle. Unfortunately, I didn't get to explore this vulnerability much more, because I had to board the airplane, where I waited another 3 hours due to a mechanical failure - without wlan : /.
So, anyway, wish me good luck with getting my luggage back and if you are ever stuck at an airport with commercial rip-off wlan only, you might want to give this little method a try ; ).
--Felix Geisendörfer aka the_undefined
Update: Read this follow up post if you care about the story of this article.
Great way to keep yourself entertained. Begs the question though, how exactly does this get around the otherwise secure WLAN. How they handle pictures??? Please elaborate.
was there anything you particularly loved in your luggage. Assuming you are inline for some compensation, should your bags not turn up. Couldn't you take that compensation and get a whole new wardrobe! ;-)
Ian Huet: I don't think I would make a good deal with a compensation at all since my luggage in fact *already contained* a whole new wardrobe! I just spent several hundred bucks on clothing in the USA because it's cheaper there than it is here in Germany. And I don't think they would compensate me high enough for that. But I think I'll get the stuff back ... hm.
Regarding the wlan thing: I'm not sure why this gets around their commercial authorization page. Maybe they have pictures on those sites that lie outside the restricted access areas and one smart programmer came up with a regex to allow all URLs ending in .jpg (/^.+\.jpg$/) or something like that. However, I didn't have enough time to confirm that thought.
Nice, I'll have to try that! :D
Cool tip. I was at the Atlanta airport 2 weeks ago and had that problem. They make you pay, where as the airport near my home, Pittsburgh, is free. I'll try it on my return flight if I have a layover.
[...] I should have had this tip in the SLC airport earlier this month:ThinkingPHP and beyond » Hacking a commercial airport WLAN feel good tech wifi [...]
hi all,
i'm in the Cincinnati airport and just started trying common id and pwd combinations at random. the one that worked? "wifi" and "wifi". hahahhahhahahha!!!!
will use this trick the next time tho.
danke felix.
Hi Felix,
Any idea how the airport manages to intercept every request to make the redirection? This is just what I need in my wlan. Not to block users from navigating but to return the solicited page inside a frame (and place news in an upper frame).
Any idea or URL I can see to achieve this?
Thanks.
Hi Joaquin, I definitely have no idea how they do it at the airport. But one idea is to write/use a little proxy between the wlan and the internet connection it uses. Then you can put your interception logic inside the proxy without having to mess with the TCP/IP stream of the WLAN itself. And you should be able to set up the wlan to use the proxy. But really, I have no clue how this should be done in reality ; ).
What I have been lookin for!
Thanks!!!!
i tried this hack in several airports worldwide....it does not work.
Marcello: I can only confirm that it works at the Atlanta airport. But unless they developed their own access point system there should be at least some other airports where this would work. But maybe those are rare.
Cool discovery. i am gonna try this out at the next opportunity.
Sadly, this hack no longer works at the ATL airport. I'm sitting here and have tried several variations, with no luck.
Keep on hacking . . .
-hk
James: Afaik there were several networks you could connect to at ATL. I was only able to try out one and it worked. But I don't remember the name of it any more, hm : /. But it's also possible that they've fixed it.
I'll be getting the chance to try this in a couple weeks, but just a thought: perhaps use "#" instead of "?". If you're browsing a page with a url like domain.com/index.php?page=home or something then your method will screw it up, as php is going to look for the page called "home?". This may (or may not be) an issue on other sites, I dunno.
"#" on the other hand terminates the url as far as any (to my knowledge) browser is concerned, and the likelihood that someone's going to have an anchor named ".jpg" somewhere in the site is low enough that not starting at the top of the page shouldn't happen too often ;)
Malachi: Good idea! I should have tried that as well. However, I'm not sure if browsers send the '#' in their GET/POST requests. So this will only work if they do ...
Felix: I just checked and unfortunately it seems you're right, firefox at least does not send the # and anything that follows in their GET/POST requests. However, manually appending "#hithere" to a get request does not change the response (at least on the servers I tried). It shouldn't be too hard to make a firefox extension to that purpose, although I'll need to read up on how to make them in the first place. I'll get back to you on that.
[...] I saw this tip on how to get around some airport wifi restrictions. Check it out. Posted by dru Filed in General [...]
Have you ever heard of ICMP tunneling? Sometimes wireless networks will block TCP and UDP requests, but forget about ICMP, so you can set up a 'ping tunnel.' Google PTunnel. It works for any site you can ping and get a response from.
Trevor: Great tip, I'm flying to Atlanta again this autumn and will spend time on other airports as well so enough opportunity to try : p. Thanks a lot!
[...] But now that I’m online, I just found a great little trick that lets you save that $7.95 and get free wireless Internet at any airport. Here’s all you have to do: [...]
I've never paid for WIFI. Most wifi gateways identify paid customers via their mac address. You only have to sniff the wifi network for associated mac addresses and clone the mac on of your wifi card. You can easily boot of the other associated clients using deauthorization attacks so you can use their internets >:). Works great every time!
i've looked at this in the past and concluded that they return dns results based on your mac address. so you effectively pay to get the correct dns returned.
is it possible that you had a fixed dns server configured? and then you managed to workaround whatever secondary blocking they had added? that would explain why you managed this when others haven't been able to reproduce it.
andrew
Wonder if that will beat McDonald's pay-for-wireless system?
also if your work or school ever blocks websites. u will probly need these proxies
www.esmacorp.com
www.reseachtoppicks.com
www.pimpmyproxy.info
www.proxy000.info
An excellent alternative [if you have a server to spare] is iodine and iodined.
from the man page:
iodine lets you tunnel IPv4 data through a DNS server. This can be useful in situations where Internet access is firewalled, but DNS queries are allowed. It needs a TUN/TAP device to operate. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream. iodine is the client application, iodined is the server.
It's very useful for exactly that sort of situation.
Download WifiWay v1.0b2.
Install onto a USB key.
Boot from key.
15 minutes later, you have the key for any WEP/WAN.
Then do a little dance.
Nice, I will have to give this a try next time I fly.
Did you make the greasemonkey script available?
Malachi:
When you have a page like ?page=home you could just substitute ? for &. so for example you could get a URL like
/?page=home&foobar.jpg
There are many hotels that have the same kind of security protection to get you to pay for the wlan services. I'll have to give it a shot. Very cool.
so where is this magic greasemonkey userscript? :)
Wow, this is a really cool hack, thanks for sharing.
Hmmm, you could be accused of terrorist activity...Keep up the good work!
Maybe they caught on to what you were doing and are auctioning your luggage to recover the $7 :)
That's Atlanta for you, ask directions of anybody, even cops and they put their hand out for a tip(cash).
You are admittedly dishonest over 7 bucks. Then above that is a "Hire Us" Good Luck with that.
JG: I'd say they are dishonest about the 7 bucks. They say you have to pay them but you don't ; ).
Come on, this is a perfect example for the joy of hacking. I'm paying more money for wifi access at airports and hotels while traveling than I usually pay for my faster and better connection at home. This is poor service at high price being enforced on you like popcorn in movie theaters ... I have little guilt breaking the rules here.
huh...I thought for sure that you'd have to spoof some other paying member's mac address. Various wireless trainings have explained that when you pay your mac gets added to the allowed list. Changing your wireless mac address to a mac address of a user who has paid may have worked as well. I'll try this out next time. Thanks for the feedback.
The reason popcorn costs so much is because the theatre has to pay almost all of their ticket sales to the studios. They have to make up the difference somehow.
can you please send the Greasemonkey script to my email? i would appreciate it a lot
or could you please upload it somewhere :)
thanks!
Michael: Well hollywood using their monopoly on the theaters is another issue ...
About the Greasemonkey script: I've just checked and I don't have it anymore. After all this post is 2 years old and I have no idea how it got so popular over at reddit ; ). Sorry folks.
Hey Felix, I live in GA and my main Airport is Atlanta. That is amazing news to hear. Next time I travel I will definitely use your method, and possibly test this out on a school proxy to see if I can use it to get around things. It sounds like a fun experiment. Thanks for the Info.
i'm tempted to try this but i just got back from england/france and they "randomly" security checked me leaving the country, entering england, and france as well as on the way back. the risk of being sent to gitmo i'll just sit there and play games on my phone. lol
Interesting and smart, just by adding ( ? )
Thanks bud, I've been looking for a quick and easy hack to use for those types of WLAN. I bet this will work at my hospital too, trying to charge me to do what I do while I'm laying in bed sick! Ha! Take THAT! Well, anyway, thanks again, mate!
I got your luggage hahaha.
That's awesome. I'll try it :D
I wanted to try this at my airport, but the internet was free.... only time i was disappointed to not have to pay for internet lol
Excellent hack.
Thanks for sharing :)
going to the airport now, im going to try this out.
i wonder if you still can get on the network if you arent actually browsing the web...
i want to get on irc.
thankss, great discovery
_________________________
http://www.aybardumlu.com
Will definitely give this a try in the course of my travels. Thanks for the tip.
sweet, I hope I don't get into trouble if I try this
Hmm... at TPA (Tampa International Airport, in Florida) they have free Internet. All the Internet you can eat for free...
haha that was really clever thinking, I'll try your trick in college which is fully wifi :D
great post, ill try next time!
is the script somewhere available; im not experienced in scripting.
thanks!
oups, the question had already been answered, im sorry.
Awesome Felix! I'll try this out next time I'm in one of many airports. Hopefully the IT staff at airports across the country haven't read this yet :P.
hahaha.......very good piece on information. I hate paying for Wifi access at airports. They should provide free internet access to passengers. They already charge us so much for tickets. Why should we pay more?
I will certainly try this on my next trip. Lets see if I am able to get through.
Priceless information, especially as I am an airline pilot.
Bloody marvelous, shall have to try this in Heathrow T5...
I've been looking for something like this for ages. Thanks for sharing. Now I can eventually hook-up when my flights are delayed AGAIN (Gatwick, UK)
dude,
do you really believe it was just a coincidence that your flight was delayed and luggage was lost after you hacked the airport's secure network?
atlanta is the busiest airport in america, used heavily by the us armed forces. ive been there numerous times and security is beyond airtight, its paranoia lockdown... use your brain next time genius.
i wish i had seen this 4 days ago before i went to the airport and encountered a 5 hour delay.
well hey, now i got it.
krispy: That made me chuckle. You've been watching too much TV!
Even though you don't have the script anymore, can't you just write out the code for it? You said it's only 4 lines.
It may be a simple script but I have no idea how to code. Could you make your script available to download for greasemonkey?
Thanks!
I haven't read all the comments, so hopefully this isn't a repeat. Here's a simple Greasemonkey script that adds "?.jpg" to every link in the page you're on. I haven't tried it at an airport, but if others say it works, why not!
Nice, publish the script?
Please :)
Everybody: Please give John's script linked above a chance. It looks pretty much like the one I came up with back then ; ).
Felix, great stuff. Just about to go on the holidays, so that one should come in super useful!
Well I will try it in 345 days. (next holiday).
at time being , f4ck 411
So, as long as you can get past the lock it is permissible to steal. The airport WiFi is a product for sale. You know that there is a fee and password and you publicize a system to defeat the security. Regardless of the fact that the security is weak and the method to defeat it is trivial it should still be within your conscience not to steal. That would certainly be the example that I would set for my children.
Whoa..
zbigniew: I'd be happy to see my children stay on the edge of what is legally and morally allowed and develop themselves freely ; ). Let me take that back, if my children would be too afraid to hack into a computer system for the pure joy of overcoming the lock without the intention of harm they'd be grounded for a while ; ).
danke!
@Felix Geisendörfer, @zbigniew : Felix you're so right... That's a so 20th century mind of yours zbigniew, he was doing no harm, and besides didn't he spend money on just being at the airport (meal, flight, surveys...)? Wireless (at public places) and Information should be totally free, and they should even encourage you to use it.
Thanks for the script John. :)
I am glad to someone trying to get around the system.
Hi there,
I work(ed) for the company that originally provided the wireless network access in the Hartsfield-Jackson Atlanta airport. It's a long story, but basically they bought the system from us, we installed it, and had it working, and they decided to stop paying us for support. Effectively that means that any updates that we've come out with over the past few years haven't made it into their system (at least, not by us).
The vulnerability you found is legit -- we had to have some mechanism to handle pictures and other things for some various reasons. Contained on the server that manages the access, there is a list of URLs and domain names that we will allow anybody to visit, without being authenticated. Google.com is in there, which is why http://www.google.com/.jpg works.
Visiting a site that isn't in the list of allowed URLs won't work, and will either redirect your browser to the portal page or display a blank page (depends on the circumstance).
This system is in place at many locations, and not just airports.
Oh and as an aside, this particular system is only in place at the Atlanta airport. Unless other wireless providers use a similar method, it probably won't work in other airports as we never serviced any others.
So I meant to say the vulnerability is "quasi-legit", as it does work, but only for allowed URLs.
If some completely random URLs work, then the code is probably really outdated (but hey, no support contract = no updates).
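The two kinds of rule discussed in this thread, side by side, as an added example (not code from the post, the commenters or the vendor): the suffix regex guessed in an earlier comment, and a host allowlist of the kind described just above. All function names and the hostnames in WALLED_GARDEN are assumptions constructed for illustration.

```javascript
// Added example: hypothetical gateway logic, not the airport vendor's code.
// WALLED_GARDEN, weakAllows, hardenedAllows and auditRules are assumed names.

// Hosts an unauthenticated client may reach (portal and payment pages).
// Placeholder hostnames, constructed for this example.
const WALLED_GARDEN = new Set(['portal.wifi.example', 'pay.wifi.example']);

// Weak rule: the regex guessed in the comments, applied to the raw URL
// string. The query string is part of that string, so anything that ends
// in ".jpg" passes, whatever host or resource is actually being requested.
function weakAllows(rawUrl) {
  return /^.+\.jpg$/.test(rawUrl);
}

// Hardened rule: the client's authentication state decides first. A guest
// is judged only on the parsed hostname, matched exactly against the
// walled garden. Path, query string and file extension play no part.
function hardenedAllows(rawUrl, client) {
  if (client.authenticated) return true;
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return false; // unparsable request: fail closed
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return WALLED_GARDEN.has(url.hostname);
}

// Regression check for a gateway rule set: list every URL the weak rule
// would pass for a guest that the hardened rule refuses.
function auditRules(urls) {
  const guest = { authenticated: false };
  return urls.filter((u) => weakAllows(u) && !hardenedAllows(u, guest));
}

// Constructed sample requests, using the URL shapes quoted on this page.
const SAMPLE_URLS = [
  'http://www.google.com/.jpg',
  'http://www.google.com/search?.jpg',
  'http://example.org/index.php?page=home&foobar.jpg',
  'http://portal.wifi.example/img/logo.jpg',
  'http://portal.wifi.example/login',
  'http://example.org/',
];

for (const u of auditRules(SAMPLE_URLS)) {
  console.log('weak rule passes, hardened rule blocks:', u);
}
```

The regex is the commenter's guess, so it is not expected to reproduce every observation in the post; the point is that an extension test on the raw URL string cannot tell an image from a page with a decorated query string.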
you're going through a port redirected proxy. images are allowed to flow to take stress off the proxy. Your trick will only work on the most simple and bare of pages, such as google. Trying it on a complex page, like www.cnn.com wouldn't work. If you were really clever you could possibly capture and rewrite the urls on the fly, but honestly - it still wouldn't work for many things and at that point you're spending more in labor than in access rights. You'll also see that things like security updates and such are allowed to flow freely, in the greater interest of the community. Why would you want a compromised machine on your network, right? So.. nice discovery, but it won't get you very far - sorry.
-da man
Anonymous, Insider: I was able to access any site, not just google. Complex sites like gmail didn't work, but I was able to improve many sites with additional grease monkey / rewriting magic. But yes, in the long run this is more of a PoC than a swiss pocket knife to hacking this particular Wifi system.
zbigniew: so you've never downloaded a song, recorded a t.v. show, fast forwarded through a commercial, or burned a cd?
are you jesus? unless you are, no one wants to hear your self-righteous bull. save it.
@ zbigniew: Cory Doctorow, in his book _Little_Brother_ (and related blog posts) has some very eloquent things about the necessity (yes, necessity) of defeating security. Essentially, it makes us _more_ secure.
If you look, you can find more than a few youtube videos, instructibles, etc. detailing how to defeat a popular padlock with a soda can. Is that irresponsible? Does it promote theft and criminal activity? Debate that if you want, but I, for one, will _not_ be buying one of those locks in the future, now that I know how easily they're defeated.
And _that_ is the point. How do you know how secure you are until someone has tried (and failed) to get around it?
My son just started a daycare that has webcameras in the rooms so parents can hover from work. The camera page is protected with a login and password unique to each child. In attempting to find ways to get their [abysmal] site to work with my Mac, I found that the camera feeds themselves were behind an _insecure_ server. Good, that I'm now able to see my son, but bad, that absolutely anyone on the internet can watch every kid in the school. I told them about it, and they shrugged their shoulders.
Which parents would be OK with that?
This is something if any body within my school system in Florida (County will not be shown because I don't want no $#@! from them...). Had both the Java script knowledge and actually used Grease Monkey then... Lets just say... our county might just shut the internet down for a long ass time.. then again.. Id love to see them even be able to hack into the WiFi connections at the school and not be arrested... But this was funny coming from a total tech geek...
Note: Still trying to learn programming at moment...
haha, wow, that's awesome!
you can always rely on good ol' Hartsfield to give you a delay and a rip off. I was there two weeks ago and they tried to charge me like $2 dollars for a bottle of water! anyways, next time im sitting around I might try and check that out...
oh, and way to stick it to the man! XD
Nice. I fly this weekend and will have a layover. I will attempt to play with this. Great article!
I hope you lose your luggage! You circumvented a legitimate service charge. That's theft of services.
Haha, that was real slick man. If I get a laptop, thats something I might would like to try.
GOOD IDEA I WONDER IF THIS WILL WORK ALONG WITH MCDONALDS AND OTHER ESTABLISHMENTS IN THE LIKE.
tried it today at Prague airport - no luck. :(
Hey Felix, great found!
Thanks for the tips and tricks, and I'll definitely try this trick whenever I stuck at airport while waiting my uncle to pick me up ;)
Cheers
This does NOT work at Mitchell Intl. in Milwaukee :(
How do you disable redirects in about:config? I can't seem to find any values in there that would be relevant.
Well Done! So, maybe you can give a full tutorial on the process including the four lines of js script.
Cheers
I made a script: http://userscripts.org/scripts/show/32896?.jpg
So cool. thanks for sharing.
I'll give it a try soon.
hey for all the new people to this, including me lol can any one make that script? and how to make it work?? thanks
did you succeed?
if only google works (here or in other occasions)
you can probably visit all other websites on the world by using the google-website-translation service, no?
like
h**p://translate.google.de/translate?hl=de&sl=en&u=http://debuggable.com
I tried to circumvent a system like that in a parking camp (not to avoid paying, but because they were saying it didn't work :| And although it allowed google neither 'translate' nor 'cached' pages worked.
Will try that method next time, but I don't have much faith. :P
i would learn more about this topic.. i would like get into red that my computer localized.. i dont have the password of this red but i want to know if is the same method to get in...??
It is so hi-tech hack.
You spend 2 hours to find it?
Great finding. But unfortunately it is not working on Atlanta airport wi-fi (as I indicated in my own blog), but maybe others.
Old but actual.. Shows vulnerability easy to understand. Check the wireless hardworkers at http://airdump.net/
The direct link to the post I mentioned above is http://lichao.net/eblog/hack-the-wi-fi-network-of-atlanta-airport-is-the-old-news-200809173.html
Does anyone have Wifiway that they can send me?
Nice hack! I realize it's 2 years old now and won't work anymore, but with more and more people carrying wi-fi enabled devices, I don't understand why wi-fi at airports simply isn't free everywhere.
does these works on starbucks??
im all the way over in newzealand and it workz cheerz for that mean hack
Sitting in Atlanta airport now and this no longer works.It continues to redirect me.
yes! really, starbucks would be interesting.
owned you are so the man the same thing happened to me i just got a free unsecured wlan from the control tower some how i guess i was close enough so i never got the motivation to figure all that
Did anyone manage to get this to work in Starbucks. or with the T-Mobile systems?
Try this script: http://userscripts.org/scripts/show/32896
C0SM0S-: Yeah, this could work.
Wow thats great - smart thinking! Definitely going to give this a go next time i travel
Hmm thats really thinking outside the box. I like malachi's idea though, with a bit of time we might be able to get that to work.
I find this article about AirPort WLAN very helpful for my essay writing in college. Thanks.
I also like the idea of Starbucks ;-)
Hehe Felix!
If i'll ever be stuck on an airport, i'll try that! :D
Hope you'll get your luggage back, hate flying because of that...
Cheers!