Outnumbered And Outgunned, Marriott Sort Of Backs Off Stupid Plan To Ban Guest Device Wi-Fi

from the know-when-to-fold-'em dept

Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks to prevent customers from using tethered modems or mobile hotspots at the company's Gaylord Opryland Hotel and Convention Center in Nashville. Marriott's ingenious plan involved blocking visitors and convention attendees from using their own cellular connections so they'd be forced to use Marriott's historically abysmal and incredibly expensive wireless services (in some cases running up to $1,000 per device).

When pressed by the FCC, Marriott pretended this was all to protect the safety and security of their customers. The company also tried to claim that what it was doing was technically legal under the anti-jamming provisions of section 333 of the Communications Act, since the deauth attacks being used (which confuse devices into thinking they're connecting to bogus, friendly routers) weren't technically jamming cellular signals. The FCC didn't agree, and neither did industry giants like Microsoft, Google, AT&T and Verizon, who collectively filed opposition documents with the FCC arguing that Marriott was clearly violating the law.

After carefully surveying a battlefield scattered with millions of pissed off consumers, annoyed regulators, and angry, bottomless-pocketed technology giants, Marriott has apparently concluded that maybe its shallow ploy to make an extra buck isn't worth fighting over. In a statement posted to the company's website, Marriott states it's going to stop acting like a nitwit, maybe:
"Marriott International listens to its customers, and we will not block guests from using their personal Wi-Fi devices at any of our managed hotels. Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels. We will continue to look to the FCC to clarify appropriate security measures network operators can take to protect customer data, and will continue to work with the industry and others to find appropriate market solutions that do not involve the blocking of Wi-Fi devices."
You'll notice the selectively-worded statement doesn't completely put the issue to rest, and clings fast to the argument that Marriott is just really concerned about visitor security, suggesting this may not be the last we hear of this.

Filed Under: blocks, fcc, hotels, wifi
Companies: marriott


Reader Comments



  • Lawrence D’Oliveiro, 15 Jan 2015 @ 4:14pm

    Once Again, Security On The Internet Is Implemented At The Endpoints

    Look at the commonly-used security protocols, namely TLS/SSL and SSH, and you will see that it is the endpoints that handle all the encryption and verification, not any part of the intervening network. It doesn’t matter if somebody in the middle is listening to everything, because all they will see is data they cannot decrypt.

    So all this idea of “rogue wi-fi access points” is nonsense. It makes no difference whether the access point you have connected to is “rogue” or not; so long as you have properly set up authentication with the other end, you will be fine.

    • John Cressman, 15 Jan 2015 @ 5:21pm

      Re: Once Again, Security On The Internet Is Implemented At The Endpoints

      This is incorrect. A man-in-the-middle attack is done by impersonating an SSL connection. Basically, you try to get to an SSL site - like Google. The middleman intercepts the request and establishes an SSL connection with your client, then establishes another SSL connection with Google. It takes information from you... and then passes it to Google... but it is able to see everything UNENCRYPTED.

      Many places do this. My company does it. The only way to know for certain is to examine the certificates - which most people don't do.

      • Lawrence D’Oliveiro, 15 Jan 2015 @ 6:02pm

        Re: A man-in-the-middle attack is done by impersonating an SSL connection

        You might like to read up on how MITM attacks on TLS/SSL are actually conducted.

        Hint: it cannot be done without the collusion of the CA.

      • MrTroy, 15 Jan 2015 @ 9:21pm

        Re: Re: Once Again, Security On The Internet Is Implemented At The Endpoints

        On the recent story about Chrome marking non-SSL sites as untrusted, beltorak made what I thought was an awfully good suggestion that I believe would make "trust" on the internet easier to understand for everyone (https://www.techdirt.com/articles/20141213/07112629425/chrome-security-team-considers-marking-all-http-pages-as-non-secure.shtml#c599)

        Basically, separate the definitions of "secure" communication and "trusted" communication. Secure means only you and the endpoint you're connected to (and anyone that endpoint wants to talk to) can see the content of your communications. Trusted means that you are definitely connected to the endpoint that you think you are connected to. Secure and trusted means that your communications are private, or at least as much as the internet can make them.

  • Anonymous Coward, 15 Jan 2015 @ 4:47pm

    Protecting guests? They just be greedy.

  • Anonymous Coward, 15 Jan 2015 @ 4:53pm

    Security?

    That's easy, wired to the rooms and pass-worded Wi-Fi for events. What's the problem? I suspect the real motive is locking 3rd parties out, funny thing about RF, the FCC gets their panties all in a bunch when you mess with that. You can lease a dedicated frequency but Wi-Fi is meant to be OPEN to all.

    • MrTroy, 15 Jan 2015 @ 9:14pm

      Re: Security?

      The Marriott is talking about the security of their guests because they claim to be blocking random third parties from entering the hotel, setting up their own wireless hotspots that claim to be the Marriott official hotspots, and doing terrible unspeakable* things to the data that hotel guests are sending via what they think is an official hotspot.

      Which is true, as far as it goes... but there are (unfortunately?) better ways to handle that problem that don't require blocking any and all hotspots that happen to interfere with an extremely lucrative opportunity for the hotel.

      * No really, they can't speak about what the rogue hotspot might do to the data. Maybe they don't know?

  • Anonymous Coward, 15 Jan 2015 @ 4:58pm

    Sometime back the FCC was raising cane at theaters and restaurants doing cell phone blocking. I can not for the life of me figure out why the Marriott chain thought this would be an ok scam to pull off. Only thing I can figure is they thought the FCC fine would be less than the income they got in.

    I understand what brought it about was another gouge to the traveling public and businesses.

    • Michael, 16 Jan 2015 @ 4:48am

      Re:

      What the FCC was originally "raising cane" about was the actual use of signal jamming to prevent cellular bands from working properly (thus disabling all cell phones). The intentional introduction of signal interference is a big no-no.

      The Marriott was not actually doing this. Their method - while it looked like a duck - did not actually violate the existing jamming rules.

      • Anonymous Coward, 16 Jan 2015 @ 5:44am

        Re: Re:

        "The Marriott was not actually doing this. Their method - while it looked like a duck - did not actually violate the existing jamming rules."

        No matter which way you slice it, the Marriott is in clear violation of Federal laws.

        From the FCC:

        Federal law prohibits the operation, marketing, or sale of any type of jamming equipment, including devices that interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi).

        http://www.fcc.gov/encyclopedia/jammer-enforcement

        • John Fenderson, 16 Jan 2015 @ 7:54am

          Re: Re: Re:

          "interfere with cellular and Personal Communication Services (PCS), police radar, Global Positioning Systems (GPS), and wireless networking services (Wi-Fi)"

          There is a lot of ambiguity there. By my reading, this implies that they are talking about actual jamming -- that is, the disruption of radio signals. A deauth attack does not do that. If by "interfere" they mean something broader than "jamming", then a deauth attack would qualify. But that's not how the rule is written, and we have to assume intent beyond the wording of the rule to interpret it that way.

          All that said, it's a very good thing that Marriott backed off on this. They were doing a real disservice not only to their customers and others on their property, but to anyone within the range of their WiFi equipment.

          Now, if only they'd drop the disingenuous excuse of security as their motivation for wanting this.

  • Sheogorath, 15 Jan 2015 @ 7:45pm

    Liar, liar, pants on fire!

    > Marriott remains committed to protecting the security of Wi-Fi access in meeting and conference areas at our hotels.

    Any company 'committed to protecting the security of Wi-Fi access' would be offering leaflets advising customers to use firewalls and other such basic essentials of online security, not anticipating how to get away with continuing to block the Wi-Fi of those customers' devices. Simples!

  • DannyB, 16 Jan 2015 @ 6:33am

    Transparent Lying Liars

    If Marriott were concerned for security, they would make sure their WiFi were free to all guests. Maybe to anyone in the area. Better to 'protect' everyone.

    If Marriott tells the lie that it needs to make money in order to offer WiFi, then I would ask this. Why don't you also charge a special fee for:
    * Electricity
    * Indoor Plumbing
    * Air Conditioning / Heating
    * Television channels
    * Use of in-room phone

    Each of the things I listed has a huge up front cost to install, along with an ongoing cost to operate. How is WiFi different?

    I will be anxiously awaiting your lies.

  • Anonymous Coward, 16 Jan 2015 @ 6:38am

    Nitpicking: not MITM

    > Back in October we noted how the FCC had fined Marriott $600,000 for using deauth man in the middle attacks

    The deauth attack is not a MITM. A MITM is where the attacker is in the middle: it intercepts the original packets (so the destination doesn't receive it) and sends new packets (or the original packets, depending on the attack) to the destination.

    In the deauth attack, the attacker doesn't drop or modify any traffic, nor can the attacker do that since it's not actually in the middle. Instead, the attacker sends a newly-created forged packet. Unless the target is using 802.11w to authenticate control packets, it's treated as legitimate and the target breaks the connection (as instructed by the forged packet).

    • Lawrence D’Oliveiro, 16 Jan 2015 @ 12:05pm

      Re: the attacker sends a newly-created forged packet.

      And that is different from “MITM is where the attacker ... sends new packets” how, exactly?

      • John Fenderson, 16 Jan 2015 @ 2:00pm

        Re: Re: the attacker sends a newly-created forged packet.

        Because a deauth attack does not involve intercepting another person's datastream. A man-in-the-middle attack does.

        • John Fenderson, 16 Jan 2015 @ 2:05pm

          Re: Re: Re: the attacker sends a newly-created forged packet.

          I stated that poorly. Let me try again:

          A man-in-the-middle attack involves a "man in the middle". In other words, Alice sends a message to Bob. Carol, the man in the middle, intercepts Alice's message before Bob gets it, then inspects and/or alters it, then sends it on to Bob.

          A deauth attack is not that. It's more like if Carol hangs out by a telephone and waits for it to ring. When it does, Carol hangs it up before anyone else can answer.

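The deauth and 802.11w point from the comment thread above, seen from a network monitor's side. This is an added example, not code from the Techdirt post or from any commenter: it picks deauthentication/disassociation frames out of raw 802.11 frames, separates those carrying 802.11w protection from forgeable plain ones, and flags a BSSID that receives a burst of the plain kind. It assumes bare 24-byte MAC headers (no radiotap header, no FCS); the sample frames, addresses, window and threshold are constructed for illustration.

```python
import struct

DEAUTH, DISASSOC = 12, 10  # 802.11 management-frame subtypes
PROTECTED = 0x40           # Protected Frame flag, second frame-control byte
MMIE_ID = 76               # Management MIC element appended to 802.11w group frames

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return a dict for a deauth/disassoc frame, or None for anything else."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    dst, bssid, body = frame[4:10], frame[16:22], frame[24:]
    encrypted = bool(frame[1] & PROTECTED)  # unicast frame sent under 802.11w
    group = bool(dst[0] & 1)                # broadcast/multicast receiver
    # Presence check only: a passive monitor has no key to verify the MIC.
    has_mmie = group and len(body) >= 20 and body[2] == MMIE_ID
    # The reason code is readable only when the body is not encrypted.
    reason = None if encrypted else struct.unpack_from("<H", body)[0]
    return {"dst": mac(dst), "src": mac(frame[10:16]), "bssid": mac(bssid),
            "reason": reason, "pmf": encrypted or has_mmie}

def flag_floods(captures, window=1.0, threshold=5):
    """captures: (timestamp, raw_frame) pairs. Returns the BSSIDs that saw
    `threshold` or more unprotected deauth/disassoc frames within `window` s."""
    recent, flagged = {}, set()
    for ts, raw in sorted(captures):
        info = parse_deauth(raw)
        if info is None or info["pmf"]:
            continue
        hits = [t for t in recent.get(info["bssid"], []) if ts - t < window] + [ts]
        recent[info["bssid"]] = hits
        if len(hits) >= threshold:
            flagged.add(info["bssid"])
    return flagged

# Constructed sample frames (not from a real capture); addresses are made up.
HDR = "ffffffffffff" + "020000000001" * 2 + "0000"        # dst, src, BSSID, seq
PLAIN = bytes.fromhex("c0000000" + HDR + "0700")          # broadcast deauth, reason 7
UNICAST = "0200000000aa" + "020000000001" * 2 + "0000"
SEALED = bytes.fromhex("c0400000" + UNICAST + "00" * 18)  # Protected bit set
BEACON = bytes.fromhex("80000000" + HDR + "00" * 12)      # ignored: not a deauth
SAMPLE = [(10.0 + i * 0.1, PLAIN) for i in range(6)] + [(10.2, SEALED), (10.3, BEACON)]

if __name__ == "__main__":
    print(parse_deauth(PLAIN))
    print(flag_floods(SAMPLE))
```

A burst of unprotected deauth frames aimed at one BSSID is the pattern to alert on; clients that negotiated 802.11w discard such frames, while clients without it drop the connection.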

