Hotel Wi-Fi blocking: Marriott is bad (economist.com)
161 points by brendannee on Jan 8, 2015 | 81 comments



Cisco sell a Wireless LAN controller, which can send disconnect packets to "rogue" APs that get set up, rendering them useless. This is particularly important at events where the airspace is severely cramped, such as big arena events, racing, horse racing etc. where the myriad of APs to provide coverage of free wifi to pundits would have to compete with these other APs. In a severely crammed airspace, this would help to encourage the other AP providers to turn their boxes off.

And getting a mobile telephone call in such events is even trickier, given that 50,000 people are in one space and the masts to serve them are oversubscribed. If they all suddenly want to place bets or browse the web, that's incredibly difficult to provide on the mast, so providers will set up additional masts for big events (like the big horse-racing events here in the UK). That's why they provide free wifi too, and having other APs set up and attempting to provide wifi over the airspace doesn't really help.

I wonder if Marriott hotels have the same approach in order to provide better wifi coverage? I have been in numerous hotels where the wifi coverage was great if you're sat in the bar but abysmal if you're down the other end of the building (where the hotels here in the UK are large old buildings with thick walls, very tricky for wifi).

Irritating if you're trying to use your phone to provide wifi to your laptop in order to SSH to your own box at home or to get content via your mobile (which might be faster than their Internet access in some cases). I suppose you could just use a Bluetooth PAN instead (and it uses less power!)


> Cisco sell a Wireless LAN controller, which can send disconnect packets to "rogue" APs [...] this would help to encourage the other AP providers to turn their boxes off.

Perhaps I should make a product that detects controllers sending fake deauth packets, and does the same thing in return.

This would help "encourage" people who buy the Cisco product to turn that feature off :)


Not defending Marriott, but the primary use case for rogue AP mitigation is not fueled by corporate greed. I recommend it to clients to keep employees from standing up insecure APs on their internal network, which is a serious security concern. I encourage you to write the tool, though!


[deleted]


Many consumer routers have a clone MAC feature to address exactly this issue. A person puts their computer behind the new wifi router and clones the MAC address so it can get on the network.


Cisco makes the product that does the detection, too. So does Aruba, Motorola, and probably Meru.

The first main use case for the deauth packets is when someone is broadcasting your SSID but they're not actually part of your network. The second use case is when a client that you actually own (corporate laptop) connects to an access point it's not supposed to. And nobody will really mind if you do those.

This anti-competitive use case is another matter.


I mind. You can't own an SSID and they are not uniquely set. Just because you have the same SSID as me what gives you the right to deauth my router?


What is the use case for using an SSID that is already taken? Especially in a business or corporate environment.


The use-case doesn't really matter; it's against the regulations for that radio band to interfere with other people's usage. Even if you think they're attempting to commit fraud.


Right about radio, but the thread was talking about Cisco sending deauth packets to rogue APs.


... as was I! Just because you consider an AP to be rogue doesn't mean it's legal for you to do something about it.


Right! Because who decides if it is a rogue AP. In this case Marriott has decided that all APs that don't belong to them are rogue.


And I would argue that as it is their building they can decide what is legal and what is not, no?


I recently worked for an ISP providing service to some Marriott resorts. This is my opinion and in no way representing either company, but this is exactly what Marriott is trying to do. Marriott is not using any sort of wifi jammer like the author is suggesting; in fact such devices would block their own wifi signal.

The most typical problems with wifi in resorts come down to construction; most of these were built years before wifi was a consideration and are constructed in a way such that even with commercial APs you will get a very poor signal even with the APs in each unit. There's one such property I know of where guests only get wifi in the one room with the AP and out on their balcony and nowhere else in the hotel besides the pool & lobby.

Also they often use authentication pages that mean you can't get on with a device without a browser...but when you have 200 guests sharing a 100Mbps connection, you don't want someone hooking their Xbox or AppleTV anyway.


Actually, 200 guests on a 100MBit connection is probably not a problem. At a nearby university they have a 100MBit connection for 1000 students plus teachers, and it holds up reasonably well. (Of course, unless the hotel bought an overbooked connection with only a theoretical max speed of 100mbit)


Even though we're a major vacation destination, people seem to want to stay in and watch movies or play online games on their expensive vacations. There's basically always a minority of users ruining the connection for everyone else.


Watching movies and playing games away from home does sound like a nice vacation to me.

Ruining is subjective - many hotel wifi networks were provisioned for 2002 style access of web and email, not 2012 where one's mom streams gigs of video. This is why I appreciate the move to free basic wifi and paid premium wifi at some hotels.


If they all started watching HD YouTube videos all night long, would the link be saturated?


>I suppose you could just use a Bluetooth PAN instead (and it uses less power!)

On that note, it's worth pointing out that many Android (and other) phones allow USB-based tethering as well, which eliminates the need to use the airspace entirely.


I think the solution to this is for the industry to add a set of licensed frequencies to the 802.11 spec. They could set it up so that base station operators would rent the alternate frequencies for their events (either baked into the cost of the AP, or on a time/geographic limitation basis), and consumer client-side devices would of course need to be updated to implement this additional spectrum when talking to a licensed AP.

Of course this doesn't do any good for existing consumer devices, it would have to be baked into the next 802.11x spec.


Is that LAN controller illegal? According to the article:

"Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi)."

If that disconnect is disabling wifi aps then technically it is "interfering" with wifi services and thus illegal?


I imagine "jamming" has a pretty specific definition by the FCC. For example, if I DOS a WAP with reset packets, then that's just network traffic as far as the FCC is concerned. If I set up some kind of overpowered RF device that demolishes everything in the 2.4ghz spectrum, then I'm guilty of jamming.

If you DDOS my website, which is for some reason attached to the internet via wireless, you're not jamming anyone. You're doing a DDOS. The regulatory body or laws surrounding that are going to be different than a proper old fashioned RF jam.


Actually it's not - the FCC definition is extremely broad, it simply states:

"No person shall willfully or maliciously interfere with or cause interference to any radio communications of any station licensed or authorized by or under this Act[.]" [1]

And in fact their explanation specifically states that jammers "prevent targeted devices from establishing or maintaining a connection". [2]

To put the same actions in a different context - if two radio amateurs are trying to communicate over a digital mode and I broadcast "disconnect" packets to shut them down, I am clearly jamming their communications. The fact that this jamming occurs on the 2.4GHz band instead of the 20-meter band is irrelevant.

What it comes down to - your laptop wifi is a device licensed by the FCC for radio operation, two parties (you and the router) are communicating, and a smart jammer interferes with these communications.

As for your DDOS example - jamming is usually used in the context of the low-level layers of the OSI model, not the application layer. However, there are analogous actions that would be actionable in amateur radio. If you get a dozen of your buddies to deliberately pile-up on someone's CQ/QRZ without actually trying to communicate, you can bet the FCC's gonna look at that as de facto jamming too.

You can get away with a lot as long as you do it on private wires - but when you get public airwaves involved then an additional set of much stricter rules apply.

[1] http://www.fcc.gov/document/fcc-proposes-29k-fine-employer-j...

[2] http://www.fcc.gov/document/consumer-alert-using-or-importin...


Has your interpretation ever panned out in reality? Do DDOS kiddies ever get FCC jamming charges applied? I've never seen that. I can't imagine case law fitting in with your interpretation.


Sure. K1MAN made communications that would probably have been legal if they didn't cause willful interference:

In support of its motion for summary judgment on the monetary forfeiture, the Government presented FCC transcripts of recordings made on November 27, 2004, December 8, 2004, and March 31, 2005 that it alleges show K1MAN beginning to transmit on top of existing communications by other users. [...] The Government also provided the declarations of several FCC personnel who monitored and observed interference between K1MAN and other amateur operators. [...] [1]

Chief US District Judge John A. Woodcock Jr, in writing for the Court, agreed with the FCC on the first two counts -- willful or repeated failure to respond to FCC requests for information, and willful or malicious interference -- and granted summary judgments to the FCC in the amount of $3000 and $7000, respectively. [2]

As for more targeted attacks, see the Notices of Apparent Liability for KZ8O [3] and K3VR [4].

Once public airwaves are involved (as opposed to wires) you're on the FCC's turf, and the FCC takes radio communications VERY seriously.

[1] http://www.arrl.org/files/media/News/Baxter_Summary_Judgment...

[2] http://www.arrl.org/news/us-district-court-for-maine-issues-...

[3] http://transition.fcc.gov/Daily_Releases/Daily_Business/2014...

[4] http://transition.fcc.gov/Daily_Releases/Daily_Business/2014...


Technically it's not really jamming. It's not shutting down the frequency, it's just resetting every connection. It's a denial of service attack.


You're pretty much describing a "smart"/active jammer there.


The difference between this and jamming is signal jamming typically uses noise on the same frequency to make it impossible for the receiver to understand the signal. Basically, jamming blocks ALL communication on that frequency. This just shuts down the specific AP by deauth'ing the clients.


Dumb jamming, yes. Smart jamming tries to interdict the enemy's communications. Look into the more advanced ECM/anti-radar stuff.


Every jammer is a DoS attack in one form or other. Either way you're flooding clients with junk disabling the connectivity.


Interestingly enough, my local Marriott has this quote posted on the wall:

"Wifi should be like air: Free and Everywhere"

And they have a totally open wifi network. I live in Karachi, Pakistan.


In Asia there are tons of places with free Wi-Fi, even where the tap water is not potable. At a bus stop in the middle of nowhere in South Korea. At a roadside cafe in Malaysia. At a cheaper-than-cheap hotel in Indonesia. Even some airports!

There are no "portals," no "user agreements," just beautiful open Wi-Fi scattered all over the place. It's hard to imagine spending even $5 at any place that wouldn't offer you internet access, much less the $150+ that Marriott charges its "guests."

Sooner or later all this unnecessary friction (sorry, "added value") is bound to catch up.


This works because the free wifi makes the people want to stay there and spend money there, so in effect everybody pays for the wifi. In high-end hotels the relationship is entirely reversed and people stay there because they want to stay there, and the wifi is used to extract more money because people actually need it while staying there.

It also needs to be kept in mind that all these Asian small places have DIY wifi, while hotels got into the wifi game way too early and locked themselves into expensive, underdelivering and long-term contracts with 3rd party companies that do the wifi for them.


> while hotels got into the wifi game way too early and locked themselves into expensive, underdelivering and long-term contracts with 3rd party companies that do the wifi for them.

It's basically one group of scoundrels that got cheated by another group of scoundrels. I wonder though, how hard would it be for hotels to renegotiate those contracts - or drop them and eat the fee - if they actually cared?



I wonder how many problems companies can get into when providing open wifi in the respective countries.

I assume nothing ever happens in a lot of Asian countries when somebody torrents their favourite new movie/tv show from one of these connections while I imagine US ISPs send nasty "stop it" letters every now and then. (even if the hotel might not be liable, that probably doesn't stop Comcast from sending them)


I love the term "value-added". Nowadays it almost always means "value added to some third party, at the expense of the customer".


Also see: "for your convenience".

It usually means the customer needs to bend over and grease up, because somebody's getting screwed ...

"For your convenience, we are increasing our fee from $1.95 to $9.95 ..."

"For your convenience, the complimentary continental breakfast is now available upon payment of a $14.95 convenience fee ..."

Now and then I look at how badly customer-facing businesses are misusing the word "convenience". Unfortunately, I am rarely disappointed.


Brazilian GSM operators just announced (on TV) that they'll all (at the same time) start cutting internet access after a quota in order to provide their customers a better service.


It should actually be "For Our Convenience".


Usually cheaper places have free wifi and expensive 5 star hotels have paid wifi, even in the same city. I think one reason is knowing their customers. A backpacker hostel won't be able to charge the backpackers €10 a day for wifi, the people will either choose another hostel, or go to a cafe. The people staying at an expensive hotel are less price sensitive and will pay up.


The problem is that in America, the people that "matter" all have data-plans on their phones and so they don't need wi-fi.


And post 4G, WiFi is becoming less of a requirement anyway. Just a few years ago streaming YT on my phone was troublesome, now I just assume it works (and 9/10 it does).

I can stream HD YT to my laptop (via tethered 4G) and it works most of the time (although sometimes drops me out of HD).


Heh, with the government using stuff like IMSI catchers, I would not be surprised at all if using a faked AP is a common tool in the box of the 3-letter agencies.

I'm fine with Marriott using deauth jamming against rogue APs with their SSID (or a similar impersonating one, e.g. "Mariott Wifi" instead of "Marriott Wifi"), or operating on their specific wifi channel (thus downgrading the experience of the customers), but they absolutely have to leave APs alone which have a different channel/ssid.


> I'm fine with Marriott using deauth jamming against [...] or operating on their specific wifi channel

While they might have a justification that a "Mariott Wifi" ESSID on a Marriott hotel is theirs, how can they say a specific wifi channel is "theirs"? Wifi runs in unlicensed bands, any device which meets certain technical requirements is allowed on any channel in these bands, no matter who the device owner is. The 802.11 protocol is designed to share wireless channels between APs with different owners (while it also assumes that APs with the same ESSID have the same owner).

And what would be "their" channel? A well-designed wireless network for a large enough area will use several channels. Unless they have a single AP (unlikely) or their network is not well designed, they are probably using all the non-overlapping channels in the 2.4 GHz band and many channels in the 5 GHz band, including all the non-DFS ones.


No, the real hotel access points, including at Marriott, are part of their attack strategy. They get hacked, sometimes via physical means, and commandeered to launch high-grade targeted malware.

The South Korean government has done that quite regularly, for one (known as DarkHotel), and I do believe GCHQ does it over here from time to time. Several others too, I expect. Intelligence agencies just like hotels, I guess, between the visitors of diplomatic, political and economic interest, the public access, potentially lowered guard, and things left unattended in hotel rooms locked by surprisingly forgeable master keys?


I wish the FCC could subpoena financial records and see the price consumers pay for Wi-Fi and the total revenue Wi-Fi sales made for Marriott. I would be willing to bet those numbers would make it harder for Marriott to argue this is anything other than an attempt to gouge captive consumers.


Worth pointing out, again, that this is not about charges for in-room wifi, but rather for wifi in larger conference spaces in the hotel.

Which can easily run into thousands of dollars for a weekend, so if an event wants to do, say, live streaming, they do their best to make it impossible for the event to bring its own hotspot and connection.


Do you have a source for that? I read the actual FCC announcement from FCC.gov and it says:

"Marriott employees had used containment features of a Wi-Fi monitoring system at the Gaylord Opryland to prevent individuals from connecting to the Internet via their own personal Wi-Fi networks, while at the same time charging consumers, small businesses and exhibitors as much as $1,000 per device to access Marriott's Wi-Fi network."

In your room or in the conference center you should be able to use your own Wi-Fi without interference.

Source: http://www.fcc.gov/document/marriott-pay-600k-resolve-wifi-b...


I know many hotel chains have outsourced their wifi handling to third parties, who often gouge the hotels at least as badly as the hotels gouge the customers. So while the Marriott no doubt makes a lot of revenue from wifi I wouldn't be surprised if they make basically no profit.


Then again, those numbers would help in going after those third parties as well.


Marriott's just kicked off a campaign to give free Wi-Fi access to all Marriott Rewards members. Not sayin' it's not a gouge, but there you go.


Marriott Rewards Gold status has already been getting free WiFi for a while.


Obviously this is true, and hotels providing wifi services want to charge for them rather than allowing users to use their own (much cheaper) systems. No question.

That aside, what is the solution to rogue access points in a public space? We all know that it's pretty easy to set up camp in a public space, broadcasting a friendly-looking but dangerous wifi network. Let's say you've got someone sitting in the Marriott lobby, creating the "Marriott Free Wifi" network. A bunch of people will connect to it, and some information will leak.

Is there any reasonable way to deal with this issue? Obviously we have to assume that public wifi is compromised in any case and require transport-layer security, but I can certainly see there's still a gaping security hole there.


> Obviously we have to assume that public wifi is compromised in any case and require transport-layer security, but I can certainly see there's still a gaping security hole there.

Agreed on the security hole on public wifi, though it's probably about less "sensitive" data as HTTPS is becoming more of a standard, especially after the Snowden revelations.

Most services/apps speak HTTPS nowadays and a lot more will (hopefully) follow: https://letsencrypt.org/

> Is there any reasonable way to deal with this issue?

So, yes with HTTPS


Another thing to consider is how it looks. Hotel patron sees hotel's free wifi (why should they care that it's not the real thing), but every time they try to connect, the connection fails. "Man, this hotel wifi sucks, full signal but I can't connect!"

On the other hand, you're also saying that people shouldn't care as much about security if they are on the proper wifi network, which is a little ludicrous. Just hop on a VPN either way, and you're safe.


You call the police and they arrest the person. WiFi is short ranged. Not every problem needs a technical solution.


> You call the police and they arrest the person. WiFi is short ranged.

Yes, but it doesn't need constant attention. A small router can be dropped anywhere and route the information to the attacker long after (s)he's gone.

That said, finding the AP and disabling it is better than randomly throwing deauth packets.


You can't just arrest someone for having a wifi hotspot. You'd have to prove that they're doing something illegal with it, which is much harder to do.


It could use a solution that isn't racist or anything tho


A guy I know wants to block cell phone signals at his business so that customers are forced to use his phones, at a premium.

I'm sure there's a law against this though.


What if you just make the walls thick enough to block signals? Or put things that block radio signals in them?

I can't imagine this would be illegal. Jamming signals may be hard to do legally, but keeping them out is probably impossible to forbid by law.


Because "making walls thicker" is probably the most expensive way you can implement a blocking mechanism. Also whoever you lease your office building from may frown upon you going around making their walls all thick.


Keeping signals out is the definition of jamming.


Incorrect. Jamming is denial of service by increasing the noise. Blocking is denial of service by decreasing the signal.

If the hotel puts a grounded Faraday cage around your room, that's blocking. If it transmits 1000 watts of static on the 2.4 GHz band, that's jamming. The former is legal, and the latter is not.


Thanks for making my point a 1000% more clear.


Couldn't the "rogue" operator turn the tables and use the same technique to shut down the official WiFi?


Yes, although chances are you'd need quite a lot of hardware depending on the scale of their network. Doing so would also be illegal, of course.


If the consensus in the comments here is correct, that Marriott's technique is legal because it doesn't create radio interference, then what law is the rogue operator breaking when using the same technique?


As a platinum member of Marriott and Hyatt, it's clear where I'll be staying on my next trip.


How is Marriott blocking WiFi routers, technically? Is it actual radio jamming or something else?


My guess, and my understanding is that it probably uses the same tech that most enterprise WiFi networks use. They probably send fake deauth packets in order to disconnect stations. A lot of enterprise wireless solutions also do this for the following:

(1) Removing security risks: You really don't want people running their own WiFi access point plugged into the corporate network.

(2) Removing interference: In order to remove interfering APs / stations from the network, it deauths them in order to disconnect them.

You can learn more about the mechanisms used here: https://en.wikipedia.org/wiki/Wireless_intrusion_prevention_...
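
An added example, not part of the comment above and not any vendor's code: a passive monitor that counts unprotected 802.11 deauthentication/disassociation frames per BSSID in a sliding window, which is how the containment traffic described in this thread shows up on the air. The frames, MAC addresses, window and threshold are constructed for illustration, and each frame is assumed to start at the 802.11 MAC header (no radiotap header).

```python
import struct
from collections import defaultdict, deque

DISASSOC, DEAUTH = 10, 12          # 802.11 management subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_teardown(frame: bytes):
    """Return fields of a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:            # 24-byte header + 2-byte reason code
        return None
    fc0, fc1 = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x03, (fc0 >> 2) & 0x03, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DISASSOC, DEAUTH):
        return None
    protected = bool(fc1 & 0x40)   # Protected Frame bit (802.11w unicast)
    # The reason code is only readable when the body is not encrypted.
    reason = None if protected else struct.unpack_from("<H", frame, 24)[0]
    return {
        "kind": "deauth" if subtype == DEAUTH else "disassoc",
        "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]), "protected": protected, "reason": reason,
    }


class DeauthFloodDetector:
    """Alert when one BSSID accumulates `threshold` teardown frames in `window_s`."""

    def __init__(self, window_s=10.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self._seen = defaultdict(deque)

    def observe(self, ts: float, frame: bytes):
        info = parse_teardown(frame)
        # Simplifying assumption: protected frames come from the real peer,
        # so only unprotected (forgeable) frames are counted.
        if info is None or info["protected"]:
            return None
        q = self._seen[info["bssid"]]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        return {"ts": ts, "bssid": info["bssid"], "count": len(q),
                "broadcast": info["dst"] == BROADCAST, "reason": info["reason"]}


def _hex_frame(fc, dst, src, bssid, body):
    # frame control, duration, addr1, addr2, addr3, sequence control, body
    return bytes.fromhex(fc + "0000" + dst + src + bssid + "0000" + body)


def sample_capture():
    """Constructed capture: (timestamp, raw frame) pairs, locally administered MACs."""
    ap, other_ap, sta = "020000000001", "020000000002", "0200000000aa"
    cap = [(100.0 + i * 0.5, _hex_frame("c000", "ffffffffffff", ap, ap, "0700"))
           for i in range(6)]                                              # burst
    cap.append((101.0, _hex_frame("a000", other_ap, sta, other_ap, "0800")))  # client leaving
    cap.append((101.5, _hex_frame("8000", "ffffffffffff", ap, ap, "00" * 12)))  # beacon
    cap.append((102.0, _hex_frame("c040", sta, other_ap, other_ap, "00" * 16)))  # protected
    return sorted(cap, key=lambda item: item[0])


def scan(capture, window_s=10.0, threshold=5):
    det = DeauthFloodDetector(window_s, threshold)
    return [alert for ts, frame in capture if (alert := det.observe(ts, frame))]


if __name__ == "__main__":
    for alert in scan(sample_capture()):
        print(alert)
```

The single disassociation from a departing client and the protected frame stay below the threshold or are skipped, so only the burst against one BSSID raises alerts.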


For those interested, the "This Week In Enterprise Tech" podcast covers this whenever it makes the news, and they go into some detail into what's happening (yes, it's deauth packets).

They also have a pretty good back and forth on the issues about it. One can probably find it in the show notes if you want to find out which casts have covered it already.


Found some details[0] on how they're doing this:

> Marriott operates a Wi-Fi monitoring system manufactured by a third party that was installed at the Gaylord Opryland. Among other features, the system includes a containment capability that, when activated, will cause the sending of de-authentication packets to Wi-Fi Internet access points that are not part of Marriott’s Wi-Fi system or authorized by Marriott and that Marriott has classified as “rogue.”

[0] https://apps.fcc.gov/edocs_public/attachmatch/DA-14-1444A1.t...


Sounds like a Cisco Wireless LAN Controller in use! Great for helping protect your airspace.


The FCC will help you protect your airspace. Most people run WiFi on public ISM bands, though.


[deleted]


Seriously? The term "self entitlement" is often bandied around here with no real justification. But this comment truly exemplifies the phrase. Sure, I too had to click a couple of times to read this free article, but big deal, it could've been hidden behind a paywall.

Feeling so outraged as to blame the publisher for a cookie compliance dialogue (in Europe you have no choice; yes the implementation may be sucky, but they're making sure they get the message across) and an invite to subscribe isn't exactly the end of the world, or the justification to post their content on a pastebin.


I'm not at all comfortable with the Economist using such facile titles


Different sections have different styles. This one is just a bit more informal.


This comes from one of their blogs which have a less formal style than their print publication.


How is it relevant "how comfortable" you feel with their titles?


Considering this is a comment thread about that article, I would presume that makes it relevant.



