Outnumbered And Outgunned, Marriott Sort Of Backs Off Stupid Plan To Ban Guest Device Wi-Fi
from the know-when-to-fold-'em dept
Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks to prevent customers from using tethered modems or mobile hotspots at the company's Gaylord Opryland Hotel and Convention Center in Nashville. Marriott's ingenious plan involved blocking visitors and convention attendees from using their own cellular connections so they'd be forced to use Marriott's historically abysmal and incredibly expensive wireless services (in some cases running up to $1,000 per device).
When pressed by the FCC, Marriott pretended this was all to protect the safety and security of their customers. The company also tried to claim that what it was doing was technically legal under the anti-jamming provisions of section 333 of the Communications Act, since the deauth attacks being used (which confuse devices into thinking they're connecting to bogus, friendly routers) weren't technically jamming cellular signals. The FCC didn't agree, and neither did industry giants like Microsoft, Google, AT&T and Verizon, who collectively filed opposition documents with the FCC arguing that Marriott was clearly violating the law.
After carefully surveying a battlefield scattered with millions of pissed off consumers, annoyed regulators, and angry, bottomless-pocketed technology giants, Marriott has apparently concluded that maybe its shallow ploy to make an extra buck isn't worth fighting over. In a statement posted to the company's website, Marriott states it's going to stop acting like a nitwit, maybe:
"Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices."
You'll notice the selectively-worded statement doesn't completely put the issue to rest, and clings fast to the argument that Marriott is just really concerned about visitor security, suggesting this may not be the last we hear of this.
Reader Comments
Once Again, Security On The Internet Is Implemented At The Endpoints
So all this idea of “rogue wi-fi access points” is nonsense. It makes no difference whether the access point you have connected to is “rogue” or not; so long as you have properly set up authentication with the other end, you will be fine.
[ link to this | view in chronology ]
Re: Once Again, Security On The Internet Is Implemented At The Endpoints
Many places do this. My company does it. The only way to know for certain is to examine the certificates - which most people don't do.
[ link to this | view in chronology ]
Re: A man-in-the-middle attack is done by impersonating an SSL connection
Hint: it cannot be done without the collusion of the CA.
[ link to this | view in chronology ]
Re: Re: Once Again, Security On The Internet Is Implemented At The Endpoints
Basically, separate the definitions of "secure" communication and "trusted" communication. Secure means only you and the endpoint you're connected to (and anyone that endpoint wants to talk to) can see the content of your communications. Trusted means that you are definitely connected to the endpoint that you think you are connected to. Secure and trusted means that your communications are private, or at least as much as the internet can make them.
[ link to this | view in chronology ]
Security?
[ link to this | view in chronology ]
Re: Security?
Which is true, as far as it goes... but there are (unfortunately?) better ways to handle that problem that don't require blocking any and all hotspots that happen to interfere with an extremely lucrative opportunity for the hotel.
* No really, they can't speak about what the rogue hotspot might do to the data. Maybe they don't know?
[ link to this | view in chronology ]
I understand what brought it about was another gouge to the traveling public and businesses.
[ link to this | view in chronology ]
Re:
The Marriott was not actually doing this. Their method - while it looked like a duck - did not actually violate the existing jamming rules.
[ link to this | view in chronology ]
Re: Re:
No matter which way you slice it, the Marriott is in clear violation of Federal laws.
From the FCC:
Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi).
http://www.fcc.gov/encyclopedia/jammer-enforcement
[ link to this | view in chronology ]
Re: Re: Re:
There is a lot of ambiguity there. By my reading, this implies that they are talking about actual jamming -- that is, the disruption of radio signals. A deauth attack does not do that. If by "interfere" they mean something broader than "jamming", then a deauth attack would qualify. But that's not how the rule is written, and we have to assume intent beyond the wording of the rule to interpret it that way.
All that said, it's a very good thing that Marriott backed off on this. They were doing a real disservice not only to their customers and others on their property, but to anyone within the range of their WiFi equipment.
Now, if only they'd drop the disingenuous excuse of security as their motivation for wanting this.
[ link to this | view in chronology ]
Liar, liar, pants on fire!
Any company 'committed to protecting the security of Wi-Fi access' would be offering leaflets advising customers to use firewalls and other such basic essentials of online security, not anticipating how to get away with continuing to block the Wi-Fi of those customers' devices. Simples!
[ link to this | view in chronology ]
Transparent Lying Liars
If Marriott tells the lie that it needs to make money in order to offer WiFi, then I would ask this. Why don't you also charge a special fee for:
* Electricity
* Indoor Plumbing
* Air Conditioning / Heating
* Television channels
* Use of in-room phone
Each of the things I listed has a huge up front cost to install, along with an ongoing cost to operate. How is WiFi different?
I will be anxiously awaiting your lies.
[ link to this | view in chronology ]
Nitpicking: not MITM
The deauth attack is not a MITM. A MITM is where the attacker is in the middle: it intercepts the original packets (so the destination doesn't receive it) and sends new packets (or the original packets, depending on the attack) to the destination.
In the deauth attack, the attacker doesn't drop or modify any traffic, nor can the attacker do that since it's not actually in the middle. Instead, the attacker sends a newly-created forged packet. Unless the target is using 802.11w to authenticate control packets, it's treated as legitimate and the target breaks the connection (as instructed by the forged packet).
[ link to this | view in chronology ]
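A defender's view of the distinction drawn in the comment above, as an added example that is not part of the original thread: a small detector that parses 802.11 deauthentication/disassociation frames and flags bursts of unprotected ones aimed at a single client. The frame bytes, MAC addresses, window and threshold are constructed for illustration, and frames are assumed to start at the 802.11 MAC header (no radiotap header).

```python
from collections import defaultdict

DEAUTH, DISASSOC = 12, 10   # management-frame subtypes
PROTECTED = 0x40            # Frame Control flag: body encrypted (802.11w/PMF unicast)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return a dict for deauth/disassoc frames, None for anything else."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    protected = bool(frame[1] & PROTECTED)
    reason = None                            # unreadable when the body is encrypted
    if not protected and len(frame) >= 26:
        reason = int.from_bytes(frame[24:26], "little")
    return {"kind": "deauth" if subtype == DEAUTH else "disassoc",
            "dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "protected": protected, "reason": reason}

def detect_floods(capture, window=1.0, threshold=3):
    """Flag (bssid, dst) pairs hit by >= threshold unprotected frames within window seconds."""
    seen, alerts = defaultdict(list), set()
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f is None or f["protected"]:      # protected frames come from a key holder
            continue
        key = (f["bssid"], f["dst"])
        seen[key] = [t for t in seen[key] if ts - t < window] + [ts]
        if len(seen[key]) >= threshold:
            alerts.add(key)
    return sorted(alerts)

# Constructed sample capture (locally administered MACs, made-up timestamps).
AP, STA_A, STA_B = "020000000001", "0200000000aa", "0200000000bb"
def sample(fc, dst, body=""):
    return bytes.fromhex(fc + "0000" + dst + AP + AP + "0000" + body)

CAPTURE = [
    (0.00, sample("c000", STA_A, "0700")),             # unprotected deauth, reason 7
    (0.10, sample("c000", STA_A, "0700")),
    (0.20, sample("c000", STA_A, "0700")),
    (0.25, sample("c040", STA_B, "0011223344556677")), # protected deauth (opaque body)
    (0.30, sample("8000", "ffffffffffff")),            # beacon, ignored
    (5.00, sample("a000", STA_B, "0300")),             # single disassoc, below threshold
]
```

On a network with 802.11w enabled, clients discard such unprotected frames, so an alert there indicates an attempt rather than an actual disconnect.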
Re: the attacker sends a newly-created forged packet.
[ link to this | view in chronology ]
Re: Re: the attacker sends a newly-created forged packet.
[ link to this | view in chronology ]
Re: Re: Re: the attacker sends a newly-created forged packet.
A man-in-the-middle attack involves a "man in the middle". In other words, Alice sends a message to Bob. Carol, the man in the middle, intercepts Alice's message before Bob gets it, then inspects and/or alters it, then sends it on to Bob.
A deauth attack is not that. It's more like if Carol hangs out by a telephone and waits for it to ring. When it does, Carol hangs it up before anyone else can answer.
[ link to this | view in chronology ]