Circumventing Hotel Wireless Access

This summer a couple of my friends and I attended DEF CON, a security conference in Las Vegas. We stayed at the Rio, where the conference was being held. Unfortunately, the Rio charges $15 for 24 hours of wireless access, and obviously we didn’t each want to spend $60 for Internet. Since we were at a hacker gathering, we decided to circumvent the system.

For those of you who don’t know, every networked device in the world contains a unique MAC (Media Access Control) address, which identifies the manufacturer and has a random component on the end. Some networks, like hotel wireless, grant access to your device if your MAC address is in their database, which is called a CAM table. Once you pay for access, your MAC is inserted into the table for the specified amount of time. This is very annoying and presents two problems: one, we would rather not pay for network access, and two, we have multiple devices that want to access the Internet all at once.

I’ll start with the first problem. In this particular case, once you join the network you receive an IP address. You are allowed to ping other connected devices, paid or not. You can also ping websites. Iodine can come in handy if DNS resolution is allowed and there are no paid clients on the network, but that is a little out of scope for this article (in other words, Google it (this is the DEF CON talking…)). Anyway, you are on the network but your MAC address is not authorized for wireless. In this scenario we can scan the network range for connected hosts and copy down their MAC addresses. If you are using Linux, it’s simple enough to use macchanger to spoof your unique ID to match the paid user’s:

ifconfig (interface) down
macchanger --mac 00:11:22:33:44:55 (interface)
ifconfig (interface) up

Now on to problem two. What if you have multiple devices looking for access and they don’t run Linux? In our case we used a router running DD-WRT in client mode. Using the same method as before to obtain a MAC address, we swapped it in for the one in the router configuration. After that we created a virtual secondary wireless interface on the router so we could connect, but you could also just plug in. This method allowed all of our devices out to the Internet because some poor Apple user paid for the service. If we lost access, we simply started the process over and obtained a new MAC address.
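Seen from the network operator's side, a paid MAC that is reused by a second device tends to show up in the DHCP log with a different client identity. The sketch below is an added example, not part of the original post: the log format, hostnames and vendor-class strings are constructed, and `find_cloned_macs` is a hypothetical helper name.

```python
"""Flag authorized MACs whose DHCP identity changes mid-session."""
from collections import defaultdict

# Constructed sample log (assumed format, not a real portal's):
# timestamp, client MAC, DHCP hostname, DHCP vendor class ("-" if absent).
SAMPLE_LOG = """\
2024-01-01T09:01:10 00:11:22:33:44:55 Janes-MacBook-Air -
2024-01-01T09:40:02 00:11:22:33:44:55 Janes-MacBook-Air -
2024-01-01T10:15:47 00:11:22:33:44:55 DD-WRT udhcp
2024-01-01T10:16:03 66:77:88:99:aa:bb android-5f3c dhcpcd
2024-01-01T10:40:12 00:11:22:33:44:55 Janes-MacBook-Air -
2024-01-01T11:02:30 66:77:88:99:aa:bb android-5f3c dhcpcd
"""


def parse(log):
    """Yield (timestamp, mac, fingerprint) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        ts, mac, hostname, vendor = parts
        yield ts, mac.lower(), (hostname, vendor)


def find_cloned_macs(log):
    """Return {mac: [(timestamp, previous_fp, new_fp), ...]} for every
    MAC whose (hostname, vendor class) pair differs from its last request."""
    last_seen = {}
    findings = defaultdict(list)
    for ts, mac, fp in parse(log):
        prev = last_seen.get(mac)
        if prev is not None and prev != fp:
            findings[mac].append((ts, prev, fp))
        last_seen[mac] = fp
    return dict(findings)


if __name__ == "__main__":
    for mac, changes in find_cloned_macs(SAMPLE_LOG).items():
        for ts, old, new in changes:
            print(f"{ts} {mac}: DHCP identity changed {old} -> {new}")
        if len(changes) > 1:
            print(f"{mac}: identity alternates, likely two devices sharing one MAC")
```

A single change can be benign (a renamed or dual-booted machine), so treat a hit as a prompt to review the session; repeated alternation is the stronger signal. The underlying weakness is that the MAC address is the only credential, which per-user authentication such as 802.1X removes.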

I plan on eventually writing a more in-depth guide to the DD-WRT setup, but in the meantime, if you have any questions, throw them in the comments.
