Cracked Security at the Clarion Hotel

by Gauss VanSant

I recently stayed at the Clarion Hotel in Albany, which offers free high-speed Internet to its guests.

During my stay, I decided to poke around on the hotel's network.  I had heard horror stories about hotel networks and wanted to see if they were accurate.

The hotel contained three different wireless networks that I could identify.  The first network used the SSID ClarionInn.  It was unsecured and broadcasting its SSID.  I connected to the network and was immediately disappointed with the network speed; if this was the hotel's "high-speed Internet," then the advertisers deserved to be drawn and quartered.

I ran the standard Linksys router security test: browse to 192.168.1.1 and enter the default passwords for the router.  I can't be bothered to look the default up, don't have it memorized, and happen to be lousy at guessing.  I tried username: admin, password: admin.

The connection failed without displaying a password prompt, so I assumed that the router had been set up to disable wireless administrative access, but just to be sure I checked my computer's IP configuration.  Surprise, surprise, 192.168.1.1 was not my default gateway, and as it turned out, whatever I had connected to was not even using a private IP address.

In retrospect, the device was probably a wireless modem/router combination, but after a nine-hour drive, this didn't occur to me, so I simply retried the "Linksys for Dummies" test, watched it fail, and passed out.

The next morning, I wandered over to the hotel's public computer lab.  This consisted of two computers, one running Windows XP, the other running Windows Vista.  I sat down at the XP box, which was already logged in, and did a bit of idle web browsing.  Only a bit, though; I quickly discovered that HTTPS was being blocked, although straight HTTP worked fine.  At first, I thought that this might be an overly paranoid firewall configuration, but the neighboring Vista box worked perfectly well.

I looked around the installed programs list, thinking I might find some sort of child-proofing filter installed, but instead I found good reasons for the hotel to lock down network ports.  One thing Vista has right, and the thing which probably saved that box, is that it requires a password to install any significant software.  On the XP machine, I found World of Warcraft, Second Life, and, my oh my, Family KeyLogger.  Well, that can't be good, can it?

I started up the keystroke logger and saw it pull up an icon in the Quick Launch bar, which included an option to view the keystroke log.  Well, what would you do?  In addition to some test text I entered to see if the program was working, I discovered some lengthy chat transcripts from a program listed as Mail.ru, which turned out to be a Russian language chat client.  I also found a username and password for a Citibank Australia account, and some email transcripts from the same user.  Oh, hell.

Putting aside that moral dilemma (vacation in Honolulu, anyone?), I looked around to see why the hotel computers seemed to get such a fast network speed while mine was so lousy.  As it turned out, the hotel's second wireless network was not broadcasting its SSID, QUALITY, though it otherwise appeared to be just as unsecured as the ClarionInn network.  I headed back to my room to log in.

High-speed Internet, right?  No.  I couldn't connect to QUALITY and couldn't figure out why, so I decided that the hotel had set up MAC address filtering on the router.  This may not seem logical at first glance; after all, the hotel clearly hadn't bothered with any other security.  But it did make some sense when I discovered a note that hotel customers could come to the front desk to pick up a wireless card for the hotel network.

Here's how not to hand out a $60 piece of computer equipment: Do not ask for identification.  Do not ask the person what room he or she is staying in.  Do not ask the person to sign his or her name.  Do not write down any identifying information about the device.  In fact, do not do anything that would prevent anyone from walking out of the lobby and pawning off half of your network infrastructure.

So I picked up a card and tried it out.  Now I could connect to the QUALITY network, but my signal strength was miserable: 1% at best, and none at all if I moved in the wrong direction.  Since the ClarionInn network had a much stronger signal, I guessed that the card was a dud and spoofed its MAC address on my own wireless device.  Still no joy.  Eventually, I tried connecting from the hotel's computer room, which, it turned out, worked even without the MAC address spoofing.

Go figure: I'd given the hotel credit for implementing a basic security measure when, in fact, they simply didn't have proper signal coverage for their high-speed network.  I would understand if it were intended to be used by the hotel systems only, but the desk person who gave me (er, let me borrow) the wireless card specifically told me to connect to the QUALITY network.  So, if guests were supposed to be using it, why wasn't it broadcasting an SSID?

I believe I mentioned finding three wireless networks earlier.  The third was a near-exact copy of the ClarionInn network, ClarionInn1 or something like that.  Its signal was so weak that I never bothered to play with it; presumably, it was covering the other end of the hotel.  At this point, I decided that the hotel networks weren't worth poking at, short of locating the hardware and plugging in an Ethernet cable, and I wasn't about to do that without a spotter.

I headed back to the hotel computers and checked in on the XP machine.  By this point, someone had logged out of the guest account, killing the keystroke logger, which raises the question of what point there is in a keystroke logger that a five-year-old who understands the concept of right-click could disable.  But I digress.  I logged back into the account and got this pleasant message for my troubles:

Dear Hotel,
Your security is awful.  You're just lucky I was too lazy to break into your admin account.

I'm paraphrasing, but honestly it wasn't much more intelligent than that, popping up in a DOS window on login.

The amusing part was that when I sat down at the computer, the administrator account had been left logged in, and pretty much anyone with a finger could have simply clicked their way into it.  Presumably the "l33t hax0r" had actually broken into the box over the network.  Yet another reason to avoid the box like the plague, but the box was turning into an onion for me: tasty and lots of layers, but peeling them back made me want to cry.

Viewing hidden files and folders turned up a Remote Desktop program in the Documents folder; if this wasn't a back door that the script kiddie had set up, then it probably was the thing that let him into the system.  I also turned up another key logging program, Perfect Keylogger.  This one was a bit stealthier than the other one, in that it didn't pop in the All Programs menu wagging its tail and smiling.  I suppose I could have looked for some logs for this program as well, but at that point the box's virus scanner pinged me about a new piece of malware that was busy installing itself, and I felt a strong urge for an antiseptic and some sleep.

The next morning was checkout time, and it was only with a great effort of will that I didn't grab passing staff by the collar and start screaming about least privilege.  Returning the wireless card involved no more checking than acquiring the thing had; in fact, I still have a driver disc for it that I really ought to think about mailing back.

The moral of the story?

Don't touch a hotel computer.  If you must touch a hotel computer, and you have the option, pick Vista over XP, because a blind stab at security is better than nothing.  And, no matter how important you think it is, do not log into anything of value.  SSL is no defense against a keystroke logger, and for all I know that poor Australian's bank account is still out in the open.
