I am a co-founder at a startup that does advertising on WiFi networks. We only run advertising before you connect (when you are in a captive portal), without the use of proxying.
Before anyone overreacts to this article, it would be beneficial to understand the hospitality space. The hotel you stayed at is most likely owned by a franchise group and operated by a GM. GMs are responsible for contracting their own networking services with Hotel WiFi Operators such as the one mentioned here. As such, a major hotel brand such as Marriott may use hundreds of WiFi operators. WiFi operators range in size, managing anywhere between one property to tens of thousands. The vast majority of these operators do not leverage javascript injection.
The ones that resort to proxied ad injection do so because hotel IT is a thin-margin business. WiFi is considered a cost center but is tolerated because it is the number one amenity requested by guests. Operators will sometimes offer a discounted service fee to the hotel GM in exchange for mid-stream ads, although, in this case, it is just as likely that the hotel GM is unaware of this. It is almost absolutely certain that Marriott is unaware of this. Even if they were made aware, the power balance between the brand and the franchisee is not clearly defined with regards to WiFi.
As much as I dislike ad injection, it is important to note that public WiFi is never safe unless you are using a VPN. It is offered as an amenity, one that GMs would be more than happy to get rid of if they could. Unlike with your broadband ISP, you have logged into a privately operated network. You are probably not paying for it. You are subject to their rules. Furthermore, when you signed onto the WiFi network, you most likely had to check a checkbox indicating your agreement to the terms of their network (which no one ever reads). As such, caveat emptor, etc.
This is spot on for how the hotels operate. Everything is a cost on top of already slim margins and if it doesn't contribute to an extra dollar in the till, they won't pay for it. I used to work for a company that provided internet access at a large number of hospitality locations (never did ad injection, but we talked about the possibility regularly) and the typical billing model was for us to get a percentage of the cost to purchase access, or charge the location more to provide free access. The normal model was that the brand owner would sign a deal that x% of the franchise operators would use our service and then the operators would fight tooth and nail to keep it from going into place. We did full PMS integration, 1-800 support lines, were a top provider and operators would still fight it on the basis that they thought that the fact it wasn't free would impact their people staying there, but were unwilling to pay extra for it to be free. The plus side is that we worked extraordinarily hard to make sure that once service was provided (after clicking through the terms of use or paying) no traffic was discriminated and what each user received was the best that could be provided and was just as secure as any random computer on the internet. Use of subnetting, VLANs and disallowing communication between switchports was common, though nothing can be done to protect against someone connecting to the same wireless network, because it's impossible: even if encrypted, the keys would need to be publicly available (negating the protection of the encryption) and not nearly enough devices support 802.11x or client certificate authentication.
I sometimes reminisce about the things we did, but even if you refuse to race to the bottom, you get dragged down by a Linksys router and consumer grade internet connection even if the experiences for guests are markedly lower. I'm much happier to now be working in an industry where our customers, and our customers' customers, value the work that is done and pay accordingly.
The margins for a hotel aren't that slim in my experience. I worked IT at a hotel for 11 years, and the standard rate for a room ($169 at the time) was well above the break-even cost for a room (around $30-40 for all related labor and services). We never did charge for internet access for the simple reason that the required support load for a paid service is far lower than the support load of a free service (the executive managers were easily talked out of it the couple times it did come up).
"Beds are considered a cost center but are tolerated because they are the number one amenity requested by guests."
WiFi is just as much part of the service a modern hotel provides as a clean bed, nice breakfast and whatever else they might advertise. Why isn't it treated like that? Why aren't they putting ads on my pillow?
There was actually a piece on this on Watchdog (a BBC UK consumer issues programme) just last night. One hotel owner (which provides free Wifi) said it cost them £300 to provide the Wifi; he had 150 rooms, so £1.50 a month/5p a day. The cost of the Wifi equipment that needed to be installed? His reply was "it's like fitting toilets, it's a one off cost which you just need to pay". They were specifically looking at the cost of wifi when staying at top hotels, some costing up to £20 a night. Your argument was one they also raised :)
The reason for the extortionate costs? Probably to make up for the lost revenue streams from people not using the in-room phones any more. I hope that at least in this instance the guy wasn't paying for the internet access, that would be taking the p*ss!
Actually if you take away the WiFi you have a hotel I no longer go to. The last few years I have traveled to the same places (mostly Toronto area) enough that if I find a hotel with no wifi or a real bad connection I simply never go there again. There are always other hotels I can go to.
I'd be more than willing to pay a fair price for good network service at hotels.
By "fair price", I mean a similar cost per megabyte transferred to what I could reasonably expect to pay for home or business internet service in that area. They can meter it and add it to my bill. So I can go nuts on bittorrent, but at a fair price. If I don't go nuts on bittorrent, I'd expect that the total should be very cheap for a typical hotel visit, especially compared to the rest of the bill.
By "good network service" I mean comparable in bandwidth and latency to residential or business service offered by ISPs in the area (e.g. cable or DSL), with good wifi coverage, and no port blocking or any other kind of filtering or traffic shaping beyond what's necessary to fight spam and provide good service to all the guests using the network.
Also, please don't restrict the number of devices. I've had hotels insist on one device to a room, or demand unreasonable fees for extra devices. If each person has a phone, a tablet and a laptop, that's pretty inconvenient. Please bill for total bytes transferred instead.
I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
You get many details about the hospitality space dead wrong.
First, in direct response to "GMs are responsible for contracting their own networking services"...
GMs are managed across several MBOs, including occupancy and REVPAR (revenue per available room).
There are 3 major players in the hotel space:
1) People who own hotels, 2) People who manage hotels, and 3) People who brand hotels. Two or even three of these may be a single party. From this you quickly learn that "Hilton" is a brand, and that, while Hilton owns some of the hotels with its brand on top, it also owns hotels without a Hilton brand, and manages hotels on behalf of 'ownership groups' with a mixed set of brands.
At the end of the day, it is the owner, not the GM, who decides which vendor gets a particular contract. Sometimes the owner will defer to the management team (which may, remember, be a separate entity).
Yes, WiFi (with Internet access) is the single-most requested amenity. I come from the bad old days, before the dot.com bust, when hotels were full, and the GM would look at me and explain, "My hotel is full, you should pay me to install this, and give a split of the revenue to me."
Ad injection is bullshit, pure and simple. It's XSS by another name.
> I was the founding CTO and VP of engineering of one of the most successful "networking in your hotel room" startups.
> You get many details about the hospitality space dead wrong.
Surely you meant to say "Wow it's interesting to see how different your experiences are from mine, working in that same industry".
Because, you know, I don't think either of you is making stuff up or is "dead wrong". And in such quite a large industry, with several different quality segments it's very possible that there's more than one way to do it.
Gonzo, seems like we are in agreement and you are just arguing very nuanced semantics with me. Hotel brands do indeed own their own hotels, but franchise groups will own the majority of the hotels for low to mid tier brands (Accor being a major exception).
Like you said, the GM, the owner, and the franchise group is a fuzzy designation at best. The contract is always with the owning entity, but management will most likely select the provider.
Wyndham, who owns the largest percentage of the hotels it manages, also owns (and operates) Hiltons, Marriotts, and Sheratons. Starwood owns hotels with franchised brands, as does Marriott. They (nearly) all do.
It's not a fuzzy designation, it's what happens when the backroom guys are literally playing Monopoly with real world objects.
But seriously, you're just as screwed if they inject HTML that changes the form submit URL for your password to an attacker-controlled site. The real answer to this problem is HTTPS, everywhere.
Given the spread of mobile browsing in the wider sense it's unreasonable to assume that the majority of users surf through a vpn. So which alternative do you provide to the users of a js-only site?
My point is that this should be a concern for the developer of an application and not be pushed onto the "dumb user".
I'm sure that there are better answers than three letter acronyms.
Mobile phones have VPN clients now built into the system. It was much easier to get Android (old one, 2.x but it was possible even in 1.6) to connect to L2TP/IPSec VPN than Ubuntu.
It's unreasonable to assume that the majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that the majority of users will surf with JS disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
Intercept HTTP requests that the target site tries to redirect to HTTPS. Then proxy the HTTPS connection. If the user doesn't notice that the lock icon is missing from the URL bar, then they're being effectively MITM'd (and anyone on the WiFi can see all their traffic).
e.g.:
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
A response to this attack is the "HTTP Strict Transport Security" extension implemented by modern browsers, which, for sites that enable it, prevents the browser from ever even attempting a non-encrypted connection to the site, and also prohibits bypassing the SSL certificate warning page if an unknown/invalid certificate is presented by a MITM attacker.
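To make the HSTS mechanism described above concrete, here is an added example (not code from the thread or from any browser) of the policy store a browser keeps and the two rules that defeat the scenario in steps 2 and 4: a policy is only accepted when it arrived over TLS, and any http:// URL for a known host is rewritten to https:// before a request is ever sent. Hostnames, header values and clock values are constructed for the example; the preload list and the certificate-error rule are not modelled.

```python
"""Minimal model of HTTP Strict Transport Security (RFC 6797) handling.

Added example, not from the original discussion. All hostnames, header
values and timestamps used with it are constructed; no network access.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float          # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns None when the header is unusable (no valid max-age), otherwise
    {"max_age": int, "include_subdomains": bool}. Directive names are
    case-insensitive and unknown directives are ignored.
    """
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Per-host policy cache, as a browser keeps it between visits."""

    def __init__(self) -> None:
        self._policies: Dict[str, HstsPolicy] = {}

    def record(self, host: str, header: str, now: float, over_tls: bool) -> bool:
        """Remember a policy for host. A header seen over plain HTTP is
        ignored, so an on-path injector can neither plant nor clear a
        policy. Returns True when the store changed."""
        if not over_tls:
            return False
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:
            self._policies.pop(host, None)    # max-age=0 means "forget me"
            return True
        self._policies[host] = HstsPolicy(now + parsed["max_age"],
                                          parsed["include_subdomains"])
        return True

    def is_known(self, host: str, now: float) -> bool:
        """True if an unexpired policy covers host directly or via a parent
        domain that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when a policy applies; this is
        the plaintext request that step 2 of the scenario relies on."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:     # port 80 maps to the default 443
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

The interesting cases are the ones the scenario depends on: a header received over an injected plaintext page changes nothing, an expired policy no longer protects, and `max-age=0` lets a site withdraw its own policy (only over TLS). Real browsers also ship a preload list so first visits are covered, which this model leaves out.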
Same problem @ court houses offering WiFi to jurors. They express that you should take advantage of access to the local free/UNENCRYPTED WiFi for "JURORS ONLY" to access.
Though the network is open, which is a danger in itself, the network asks you to accept an invalid security certificate (which means they're MITMing everything from the get-go), and then they took the time to make you read/accept an agreement stating in bold that this is an insecure network, and that everything you do over it will be audited and monitored (SSL-STRIPPING). As a juror, you must then sign in using your badge #.
It defeats the purpose of any of these post-associated protections if an attacker simply injected his own certificate or JavaScript frame, or even created a honeypot/rogue AP using any number of wireless-capable devices such as smartphones and mobile routers, even wristwatches & sunglasses.
Compromising a jury from an attacker's standpoint would be to sit in the cafeteria and literally eat cake.
Maybe I am very naive, but how does unencrypted WiFi mean that anyone can do anything they like to me? Can they mess with my https, ssh or VPN connections? Can they inject content into regular HTTP pages?
Could a startup use this ad serving mechanism to also calculate and sell/publish the speed, uptime, etc. of each hotel wifi network? Many won't care, but personally, I would like to see those figures next to advertised hotel wifi.