Who knew that a worldwide hotel chain could monopolize the WiFi networks accessed on its property? Earlier this month Marriott was fined $600,000 for “jamming” guest-created hotspots while also charging consumers and small businesses exorbitant fees (upwards of $250-$1000 for conference exhibitors) to use the hotel’s own wireless network.
The FCC uncovered the monitoring issue at a hotel and conference center in Nashville, TN, and even discovered that in some cases, the hotel giant was disconnecting customers’ devices from their own access points, allowing guests no other option but to use the hotel’s network for internet access. The government agency found this practice was in violation of one of its own advisories that forbids blocking, jamming, or interfering with authorized radio communications, including WiFi.
What is the motivation behind interfering with an individual’s personal access point? At many institutions, including colleges and universities, personal hotspots create wireless networks on the same frequencies as every other network in the vicinity, creating a huge amount of interference and making existing networks difficult to use. These hotspots are often created using smartphones or other devices.
Although it is unclear how many institutions actually implement WiFi blocking technology, the FCC ruling essentially shut down a method for keeping airwaves clear and managing networks that now cannot be used. Marriott claims its actions were legal, saying they are protecting guests from a data breach or attack that could lead to identity theft. But can shutting down rogue SSIDs at a university or corporation actually reduce the risk of potential data breaches, including a wireless man-in-the-middle attack? Not so fast.
Since the air is a shared medium, even WPA2-Enterprise users can fall victim to a man-in-the-middle attack. If a device is not correctly configured for the encrypted connection, anyone can broadcast an imitation SSID to intercept a victim’s username and password. Because this rogue network can have the same name as a corporation or university wireless network, the attacker often makes off with the user’s credentials before the victim realizes anything is amiss.
Anyone can make a small misstep when it comes to configuring a device for secure access, especially when it comes to installing the trusted server certificate. Incorrectly configured devices can leave users vulnerable to a plethora of attacks. An automated configuration solution will get your users configured in minutes, assuring your IT staff rest easy at night.
It is unclear at the moment how this ruling will impact the networking world beyond the hospitality industry. The FCC ruling affects all of the properties owned and operated by Marriott. According to the terms of the agreement, the hotel must implement procedures to improve its handling of IT issues.