Sitting In Starbucks. Or, Is There An Easy Way Around Pay WiFi?

October 15, 2009

I was just sitting there having a large Americano with an extra shot idling away some time and with the wireless function enabled on the netbook it detected and connected the coffee shop’s wireless network perfectly. Except that Starbucks use a BTOpenzone pay service which got me thinking. How do you regulate a pay wireless service which is unencrypted without installing any software on users devices or getting hostnames or MAC addresses from customers?

Firing up Firefox, I shoved the address for Google in the address bar and press Return. Rather than loading Google’s homepage, it instead takes you to a BTOpenzone login page where it prompts you for a username and password. So they must do a DNS hijack which redirects to their proxies where they check whether a time limited cookie is amongst your cookies. If not, you get the login page.

So, could using a service like OpenDNS allow you to bypass this and get the service for free? Coffee for thought…

Of course, if they’re sensible, they’ll block outbound DNS requests except those originating from their own DNS servers. Experience dictates though that most IT Security teams only ever patch holes in their security arrangements after someone has been exploiting it for some time and they notice it when auditing the log files, and how many of a coffee shop’s punters would even know how to do this let alone think about it?

For a corporate network, you should never be able to do this as the default behaviour should be to block all outbound traffic except that which has been explicitly permitted, and a good asset management process with solid CMDB to track changes along with thorough audit procedures allows you to do just that. If someone needs something opened up then they submit a change request with the requisite business case which then gets approved or denied.

But you can’t do this for public networks where your users will be doing everything from email to browsing to VPNing into work to playing online games such that you have no idea as to what needs to be opened up or not. Restricting your paying customers to just surfing the web isn’t going to hold much dice, and would just encourage more and more businesses and software developers to continue the rampant misuse of ports 80 and 443 and to expand on the trend to treat the http and https ports as ‘universal ports’.