Getting around paid in-flight Wi-Fi
September 2, 2013
Note: The following article is theoretical and based on lab testing. I do not condone or suggest that you attempt to bypass filtering mechanisms for paid Wi-Fi access. This is merely an academic exercise performed in a lab setting.
I was flying back to New York recently, and my flight (like most) had a paid Wi-Fi access option. Naturally, as a student with an interest in wireless networking, I started to wonder if there was a way to bypass the payment option get some free access. Theoretically, this would be simple on certain types of paid services.
Some paid Wi-Fi services implement filtering by MAC address. The mechanism is (embarrassingly) simple: When you first connect to the paid network and attempt to browse a website, you’re redirected to a splash page for payment. Once you’ve paid, the MAC address of your wireless radio is added to a list of allowed clients, and you can freely browse until your subscription expires. It’s basic, simple to implement, and easy to bypass.
To get around a paid Wi-Fi portal, you simply need to impersonate the wireless radio of someone who has already paid for access. This is accomplished by spoofing their MAC address onto your radio. It’s a reasonably simple process:
Eavesdrop on the wireless medium and capture some packets
Find someone who seems to have paid for access
Spoof their MAC address onto your radio
Enjoy Internet access
When you’re done, just set your MAC address back to its original value
Step 1: Recon
To listen in on the wireless medium, you will need Wireshark installed and a wireless adapter that is capable of performing captures in monitor mode. Monitor mode essentially lets you eavesdrop on the wireless medium instead of just capturing traffic that is on your SSID. You could also associate to the SSID and use promiscuous mode, but I’m using monitor mode for the purposes of this article. At any rate, the stock radio in my MacBook Pro worked just fine. The air waves are a shared medium, so eavesdropping is easy. Open up Wireshark and navigate to Capture > Interfaces > Options. Put a checkbox in the “Capture” column for your wireless interface. Double-click on the interface to bring up the Edit Interface Settings page and select “Capture packets in monitor mode.” Hit “OK” and then “Start” to begin the capture. Listen in on the medium for 5 to 10 seconds and then stop the capture.
Step 2: Finding an honest person
Finding someone who already paid is fairly easy. You can just look around for an HTTP stream to an external website, or some other sort of traffic that indicates they have paid to get online. Below, I’m just using a TLS packet to a GoDaddy host for example purposes. The important field that I’m interested in is the destination address field in the 802.11 header, since I know that this frame is destined for someone who paid for access.
Step 3: Spoofing your MAC address
Once you have identified a person who has paid, you can place their MAC address onto your wireless adapter. Spoofing a MAC address causes your 802.11 frames to have a source address of a different MAC address. Doing this varies by system, and some systems may not allow you to alter the MAC address. Performing this on my Macbook Pro only required the use of some simple ifconfig options:
ifconfig <interface> ether <MAC address>
This is the crux of weak filtering systems: they simply check to ensure that a MAC address has paid for access. If the MAC address has paid, the received traffic is allowed through. A weak system may not even check for an IP address conflict with other machines.
4. Enjoy free surfing
Once you’re online, you can navigate as if you have already paid. At this point, you’re probably going to be experiencing degraded quality due to having duplicate MAC addresses on the network. This would also cause a lot of grief for the passenger who you are piggy-backing off of. For these reasons (aside from the fact that you’re stealing a service), I again encourage you to only perform these types of experiments in a lab environment, and never in the real world. This article is based on theory and lab experimentation, and these types of activities should not be performed in the wild.
5. Normalize your system
Once you’re done enjoying free access, don’t forget to set your MAC address back to its original value. You did write it down somewhere, didn’t you?
This article discussed a method for circumventing weak paid wireless access gateways. Modern gateways implement stronger forms of protection against activities such as these. However, this experiment is still an interesting exercise in the shared nature of the wireless medium. When you’re using a shared medium, it’s possible for anyone to sniff the wire or airwaves. Often, the intentions of the snoop are much more malicious than getting free Internet on a cross-country flight.
Previous article: Book and Cert Review: Certified Wireless Network Administrator
Next article: Upgrading Cisco 7940 Firmware to SIP