
Hotel Connectivity Provider SuperClick Tracks You

saccade.com writes "During my last hotel stay, I thought it was pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.
  • by toga98 ( 109028 ) on Thursday January 11, 2007 @10:00AM (#17555610) Homepage
    I noticed some hotels intercept SMTP traffic after a client complained he couldn't send email through our mail server while he was on the road. The hotel's service provider was trying to masquerade as our mail server and attempting to intercept the mail delivery. When I tested it I sent a test message through the mail server that was representing itself as our mail server and received the message 12 hours later. Interesting that it took that long to deliver the message and surprising that they would try to intercept messages and authentication information in this fashion. If I remember correctly, this was the Hilton in Chicago. I can't remember the name of the organization that was providing the service for the hotel.
  • by 8127972 ( 73495 ) on Thursday January 11, 2007 @10:17AM (#17555832)
    .... for years. That's why I've begun to use a remote access product called the MobiKEY [route1.com]. It is a USB token that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your home/work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. Also, since it's SSL, I don't have to change my firewall settings.

    By using this product, nobody can snoop on my activities and I can do what I have to do in complete confidence. Problem solved.
  • by Alpha232 ( 922118 ) on Thursday January 11, 2007 @10:35AM (#17556058)
    I won't try to claim there is no evil in this instance...
    However there are some providers that do the same type of thing with the genuine interest in helping the guest.

    This is NOT uncommon; this is all about providing transparent network services. There are systems already out there (STSN, et al.) that don't even require you to use DHCP. If your IP is static, it handles the masquerading needed to make it work without your intervention, same for DNS and Mail.

    Take for instance your mom and pop traveler, they are set up for cable broadband, their ISP comes to their home and hard wires the DNS and SMTP settings, and sometimes the IP. Mom and Pop go on vacation and bring their laptop, yes Virginia some non-geeks/non-business people own laptops. What settings do they need to know how to change in order to get online? At a minimum their IP is hopefully DHCP but I'll say that is not always the case, and also DNS which would be set by DHCP unless their IP or DNS settings are hard coded. In this case, the system would see the system using an IP that isn't part of the hotel network and wasn't assigned by the server, so it will do what is needed to make that IP work. Same thing goes for DNS, it will route all DNS requests to its internal DNS server, and sometimes ISPs don't allow public access from the outside.

    As far as SMTP is concerned, would you be surprised that in this age of rampant spam that Mom and Pop's ISP refuses connections from outside their network? Also in a growing trend, the ISP the hotel uses wants some assurances that the public access isn't allowing mass spamming. In this case the hotel (or their network provider) routes all SMTP traffic to one server on their network which queues it and sends it out. They could be doing spam checks or simply a queue threshold/throttle to limit the damage Mom and Pop's zombified laptop can do.

    That last point is also my last point, from the Hotel/ISP point of view you're using a computer that is not controlled by the person who owns the network. Most companies do not allow unsecured systems on their network, in a hotel, that is the idea... so measures must be taken to not only have the network adapt to the user but also to protect the host from their guests.
  • by toga98 ( 109028 ) on Thursday January 11, 2007 @11:11AM (#17556506) Homepage
    Regarding SMTP, we do auth through TLS. That's why email failed to be delivered through their system. My point is that it is disturbing that they capture / attempt to capture authentication information from their clients without disclosing this information. There is a lot of room for abuse considering the type of communication that takes place over email by business travelers. Especially, as you mention that most ISPs either do not require authentication or secure authentication. Some of this could be mitigated by the use of certain email tools, but unfortunately things like PGP and other methods of encrypting communications via email are not well supported by email clients and are even harder to use by those email clients that support them. Not something that a typical business user would be able or willing to manage.
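toga98's point that TLS-protected authentication is what kept the intercepting server from handling the mail, shown as an added example (not code from the thread): a client-side check that refuses to send credentials unless STARTTLS was advertised and the certificate names the expected mail host. The host name `mail.example.org`, the finding labels and both EHLO transcripts are constructed for illustration.

```python
def ehlo_extensions(response):
    """Return the set of extension keywords from a raw multi-line EHLO reply."""
    exts = set()
    lines = [l for l in response.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if i > 0 and rest:          # line 0 is the server greeting, not an extension
            exts.add(rest.split()[0].upper())
    return exts

def name_matches(pattern, host):
    """Exact match, or a wildcard in the left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def submission_findings(expected_host, pre_tls_ehlo, cert_names=None):
    """List reasons not to send AUTH on this session; an empty list means proceed.

    cert_names: DNS names from the certificate presented after STARTTLS,
    or None if TLS was never negotiated.
    """
    exts = ehlo_extensions(pre_tls_ehlo)
    findings = []
    if "STARTTLS" not in exts:
        findings.append("starttls-not-offered")
        if "AUTH" in exts:
            findings.append("auth-offered-in-cleartext")
    elif cert_names is None:
        findings.append("tls-not-negotiated")
    elif not any(name_matches(n, expected_host) for n in cert_names):
        findings.append("certificate-name-mismatch")
    return findings

# Constructed transcripts: the real server, and a gateway answering in its place.
GENUINE = "250-mail.example.org Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 ENHANCEDSTATUSCODES"
INTERCEPTED = "250-mail.example.org Hello\r\n250-SIZE 10240000\r\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    print(submission_findings("mail.example.org", GENUINE, ["mail.example.org"]))
    print(submission_findings("mail.example.org", INTERCEPTED))
    print(submission_findings("mail.example.org", GENUINE, ["gateway.hotel.invalid"]))
```

In a real client, `smtplib.SMTP.starttls(context=ssl.create_default_context())` performs the chain and host name validation that `cert_names` stands in for here.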
  • Whorehousing (Score:3, Interesting)

    by Anonymous Coward on Thursday January 11, 2007 @11:32AM (#17556784)
    As a former employee of a hotel service provider, we would certainly store MAC addresses indefinitely, proxy (and occasionally read) outgoing email (and deny SMTP service for the flimsiest of pretexts), and best of all, t2 support would often tail the squid logs in search of the best pr0n. If the company had been in any way organised you can bet we'd have been selling (aggregate only! honest!) data to the first bidder.

    And don't even get me started on the plan to introduce targeted ads direct to the browser on *every page*. What? You think we used squid for performance?

  • Re:OpenVPN uses SSL (Score:3, Interesting)

    by josecanuc ( 91 ) * on Thursday January 11, 2007 @12:35PM (#17557750) Homepage Journal
    On a related note: Does anyone know of any off-the-shelf router/NAT device that supports OpenVPN tunnels?

    My company does 4-5 day jobs at convention centers, etc. and we currently use IPSEC with an off-the-shelf "VPN Router" product to tunnel back to our office network for access to fileshares and database data. Often, it is difficult and/or expensive to get hotel and convention center folks to give us a public IP address and they won't do port forwarding, etc.

    I would love to have a box I can set up that will make an outgoing (from the conv. center) SSL TCP connection to the office and tunnel all VPN traffic through that, but I don't (for various reasons) want to run this tunnel on "yet another PC" that we have to carry with us.

    I suspect that I'll end up having to either build a mini-atx-style or other embedded-type system to do this with OpenVPN, but it would be great if there was a commercial device that did this just like the so-called "VPN Routers" out there.
  • by arootbeer ( 808234 ) on Thursday January 11, 2007 @12:48PM (#17557952)
    It seems to me that your average coffee shop or cafe, local bookstore, any place that doesn't have a huge corporate structure behind it like B&N or Starbucks, is not going to have the least bit of interest in where you surf or what you do. If I were a coffee shop owner (I've considered it more than once) and wanted to add wireless, I would go out and buy a nice consumer grade wireless router, plug it into my cable modem, power it on, post the SSID on the counter, and go back to selling coffee. It becomes a feature of the establishment, and for anyone who's curious, I can tell them exactly how it's set up.

    If someone approaches my one coffee shop with the offer of "free wireless service" and they'll pay me a set amount per month to allow it to run in my store, I would turn them down. The hassle of having to allow someone else access to your store whenever there's a problem, as well as scheduling and getting help promptly, as opposed to taking down the SSID sign, stopping by Best Buy on the way home, and then putting the SSID sign back up the next day, would require an awfully rich proposition, and my guess is it wouldn't be worth it to the research company.
  • Re:A true nerd (Score:2, Interesting)

    by Yottabyte84 ( 217942 ) <yottabyte@@@softhome...net> on Friday January 12, 2007 @12:14AM (#17568586)
    I'm certain I saw a patch that lets you play tetris. Ah, here it is: http://www.movementarian.org/fscktris/fscktris.html [movementarian.org]
