Hotel Connectivity Provider SuperClick Tracks You

saccade.com writes "During my last hotel stay, I thought it was a pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same the thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.

Putty w/ dynamic proxy support and an SSH server.

[tgd]

If you've got the resources to run an SSH server at home, use Putty with a dynamic proxy and point your browser and IM clients to it via SOCKS5.

I wouldn't trust any network like that... even if the service itself isn't watching what you're doing, do you trust the other people on that network aren't?

Its easy to surf or do other network apps safely on questionable networks. At least among the Slashdot crowd its easy... but I've educated even my parents on doing that when using public or hotel internet and gave them an SSH account to use at my house.

I've always worried about this...

[dslknowitall]

...which is why I only get online using my corporate VPN, and never visited any sites that required a login (banking, blog, yadda yadda).

Of course that's assuming the VPN is secure enough...i'm sure there's a way around everything. Hell, just connecting to the WiFi and checking your email can give anyone your password if they have half a brain.

Re:I've always worried about this...

[Anonymous Coward]

This is assuming your VPN forces ALL traffic through the tunnel instead of doing "split tunneling" -- where only traffic that's has been identified as "interesting" (i.e. just the internal subnets you have at work or where ever you're VPNing to) gets sent through the tunnel & everything else is ignored.

Re:Some hotels intercept SMTP traffic too

[NimbleSquirrel]

That would be http://www.superclick.com/ [superclick.com]. Take a look at their customers. Hilton is one.

Some? How about "most"?

[Svartalf]

They're intercepting all of the SMTP traffic outbound ostensibly to prevent spammers from renting a room for the night and using their "high-speed" access to cover their tracks. Since my SMTP server can use the alternate authenticated (and SSL encrypted) ports, they're not dinking with my email right at the moment- either way. Their little mail proxy engine is like an open relay and gets rejected by other mailservers if they've got those sorts of countermeasures on. I'd sent some emails to my friends and wife back home to my personal domain- got a bounce that didn't make any sense- it was coming from ME, through what claimed to be a symantec based mailserver. I promptly changed access methods and have had no issues since- I'm not going through their garbage for anything but the web- soon, I probably won't even be doing that much.

OpenVPN

[Shawn is an Asshole]

Or just use OpenVPN. I use this on my laptop. Set it as the default route, use the internal DNS and your good to go. I also use an internal proxy server. So when I'm at a coffee shop or hotel doing some work, the only thing they get to see is encrypted traffic to port 1194 (udp).

Over that connection I can do anything. Instant messaging, email, SSH, http, ftp, BitTorrent, etc.

Re:Some hotels intercept SMTP traffic too

[Anonymous Coward]

Hello, I do tech support for an outsourcing company that does support for a large number of independently owned hotels.

This is actually done mainly for compatability reasons. Many people are configured for smtp without authentication, so what happens is when they try to send email they get "we do not relay" type errors from their home smtp server because they are not connected to their regular ISP (their home isp uses IP white lists to decided who is allowed to relay). So, some hotels redirect outbound port 25 to a server that is configured to relay for that hotel.

I've noticed most hotels that do this do not redirect smtp via ssl, so if you're concerned about it then set up smtp over ssl and make sure you have smtp auth enabled.

As to why it took 12 hours to deliver the mail.. that's shame on the admins for a slow server. :)

Re:https urls?

[DaveCar]

You are right, but they will be doing your DNS lookups for you too, so let's say they see www.myxxxporn.com get resolved to aaa.bbb.ccc.ddd for your client, then an https request to aaa.bbb.ccc.ddd from your client then there's a pretty good chance you're viewing pages at www.myxxxporn.com. Exactly what you are viewing they don't know, they can't see the content or the path part of the URL, but it's probably good enough to work out what you might be interested in.

Set up an squid/ssh server at home/work, set your browser's proxy settings to a localhost:port and portforward everything with ssh to your home machine. I personally also would only use web based mail (via ssh/proxy) or imaps to read mail too, I wouldn't trust a client not to connect insecurely with imap+starttls, but that's probably just paranoia.

If you are on some kind of public network just assume that someone is watching/mitming everything you do. You don't want to end up on the wall of sheep [google.com].

HTTPS tracking

[ACMENEWSLLC]

>>Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.

Um, yes, you can. It is possible with todays hardware.

Here are a few;
http://www.esafe.com/eSafe/traffic_solutions.asp [esafe.com]

Another;
http://www.scmagazine.com/us/products/productdetai ls/94de9e89-b7a1-6d6f-9479-84b866a2ffab/webwasher- 1000-csm-appliance/ [scmagazine.com]
http://www.cyberguard.com/products/webwasher/webwa sher_products/csm_appliance/index.html?lang=de_EN [cyberguard.com]
"WW1000 has the ability to scan encrypted SSL"

The days of HTTPS being valuable are long gone. We can look inside this traffic realtime. I monitor & block traffic to HTTPS sites myself..

FreeNX

[astrashe]

I use FreeNX to go back to my home desktop through a ssh tunnel. I use the local desktop only if I want some multimedia -- I'll start streaming a radio station, then pull up my home desktop, etc.

FreeNX is fast enough to make this viable.

You get a lot of advantages from doing it this way. There's the privacy angle, which is a big thing. But you also get your main desktop -- the one with all of your stuff on it.

And you don't need a really fast laptop. Once it's fast enough to run FreeNX, you're ok. I use a thinkpad I bought on ebay for $200. It's not just cheap, it's from the era when laptops ran cool enough to actually hold on your lap.

Not all hotels are like this.

[Anonymous Coward]

I find it somewhat strange/funny that the majority of hotels having these systems in place seem to be the "expensive" ones. Marriott, Hilton, etc..

From my experience (a few different positions) in the hotel industry, the less expensive hotels (Econolodge, Travelodge, Red Roof, etc..) typically don't have these tracking systems. The downside is that their networks are usually less secure, because many don't have any sort of authentication outside of a WEP/WPA key. The tracking systems aren't found at these hotels because of the high setup costs (usually in the $1,000-3,000 range) and fees. It's not cost effective for the rates charged at these places, so they often end up with some sort of homebrew solution (kind of like the one I set up at a place -- used WRT54Gs authenticating to a FreeRADIUS server) which is less expensive to set up, and ends up being less expensive in the long run by only having to pay for a separate Cable/DSL connection. As previously stated, the downside here is security most of the time.

It really turns into a pick your poison-type situation. Regardless, I'd go along with the VPN/SSH Tunnel mentality. You never know what that front desk worker is doing downstairs in their free time.. *grin*

Re:Putty w/ dynamic proxy support and an SSH serve

[Anonymous Coward]

Dynamic Proxy with OpenSSH:

ssh -C -D NNNN @

where NNNN is a port on the local machine. Just setup your network applications to using localhost:NNNN as a socks5 Proxy.
If you are paranoid, make sure DNS lookups are done via the proxy too.

To do that in Firefox. go to about:config in the location bar and make sure that this is set

network.proxy.socks_remote_dns = true

Hotels want to know EVERYTHING

[AndSheWas]

I work for a certain hotel company, I'm the person who you get when you call to make a reservation. If you have any kind of identifying profile or number, then you're activity is being tracked. Whether you stayed on business or pleasure, who you're companion was, what floor you like, how many beds, on what occasion you decided to stay at the hotel...any information i can gather about you, i am paid to gather. We use an integrated soft phone that is linked with our reservations system. I know what number you are calling from. If you have stayed with us before, chances are you have a profile, and i have your address, credit card number, and possibly how many kids you have. The hotels want your business so badly, they want to REALLY get to know you, and have your favorite flower on the bed when you come in, or if you know the concierge well enough, your favorite escort. So if you want to keep you're personal info "secret", don't earn points towards that free stay, and don't get a profile number. We get paid extra for making these profiles, so watch out for people just making you one, without your expressed consent. It happens all of the time. i watch it happen everyday. I'm looking for a new job.

Re:OpenVPN

[ArbitraryConstant]

Unfortunately, an SSH connection is much more likely to be allowed out than VPN traffic.

Re:FreeNX

[drinkypoo]

what does this give you that you couldn't get by tunnelling X via XDMCP over SSH? Doing remote-display stuff is part of the fundamental design of X, after all.

It makes the connection dramatically faster and more responsive. Like, as usable as Microsoft's Remote Desktop Connection. X is not very efficient. NX does some other things too but that's the biggie.

OpenVPN uses SSL

[SIGBUS]

Note that OpenVPN can be set up to use a TCP connection instead of a UDP connection, and it uses SSL. No need for weird things like GRE that might not make it through.

You could always put OpenVPN on a port other than 1194 if you think you might run into port blocking, too.

I work for a competing pay to use service.

[blanks]

For the last 3 years I have worked for another pay to use wireless service.  I won't say the name but we supply most of the wireless service in Hiltons, Radisons and Embassy suites in the united states.

Thankfully it sounds like they are not even trying to lie about what is happening, and are say they are trying to push advertisements to their wireless users so I don't need to explain why they wouldn't be using a proxey.

After a user authenticates at a location there is no need for any of this redirecting per page every time a user tries going to a different site.  Any good wireless gateway (and many bad ones) simply track each user using a session assigned to their mac address on the gateway, Nothing needs to be done to track service usage as long as they are active.

The only reason (and I don't know why they haven't been using this as the excuse) is to be able to claim monitoring illegal web usage such as kiddy porn or illegal music downloads.  We had a few places claim they needed to be able to track this, but we dropped them instead of willingly tracking users for a b.s. reason.

This is just another case where a company that is charging for a service are trying to make even more money doing secretive and underhanded business practices.