53 comments

[ 3.1 ms ] story [ 48.2 ms ] thread
> Marriott has said it had an obligation to protect guests from “rogue wireless hotspots” that could lead to hacking.

Oh please. It's too easy these days to hide behind security and user protection as a motive. FUD mongering.

The final quote sums it up. This statement proves how important it is that people can use their personal wifi.
They could have a legitimate concern for rogue wifi networks that use the same SSID as their legitimate wifi network. But that's the only legitimate concern, and it can be stopped by allowing hotels to _only_ block wifi networks that use the same SSID.

But they want the ability to block any and all wifi networks, which is BS.

They might also want to block wifi networks with similar names, to avoid confusion.
Ironically, there's plenty of worry about the integrity of their Wi-Fi - in a few, highly-targeted cases they've had state-of-the-art attacks (courtesy of the South Korean government).

http://securelist.com/blog/research/66779/the-darkhotel-apt/

I think the big takeaway lesson is: always assume the network's untrusted, let's strengthen our protocols accordingly to ensure they're encrypted and authenticated whenever possible and deprecate the weak ones which are easy to manipulate like HTTP and Telnet. And happily, that's beginning to happen…

Another option: refuse to stay at Marriott-owned hotels. There are lots of other awesome hotels out there, and a lot are cheaper and/or nicer than Marriott brands.

Related: http://fortune.com/2014/09/16/marriott-tips-worker-wages/

They're not exactly the best company out there to be supporting.

I'm all for voting with our wallets. Just about the first thing I want to know about a hotel is if it has good wifi. If it doesn't, sorry, I'm checking out. This is especially important on a business trip. I want the wifi to be ubiquitous and built-in to the room charge. If you charge separately for wifi, or if you meter the wifi, you are doing it wrong. You're also pushing people to use their personal wifi. There is no aspect of this that the hotels are going to win until they start taking customer service for tech people seriously.

EDIT: Actually, not only tech people. Normal people probably hate this stuff, too.

Then you'll have to refuse to stay at Hilton hotels too: http://apps.fcc.gov/ecfs/comment/view?id=60001005951 .

Cisco, Aruba, Ruckus, Smart City, the Ad Hoc Telecommunications Users Committee have similarly come out in favor of allowing wireless operators to attack other wireless operators.

Interestingly, the National Cable and Telecommunications Association filed in opposition to the petition, with a rather strongly worded filing.

It's not surprising to me that Cisco would weigh in in favor of this being allowed, since managing "rogue" APs is one of the features they advertise on some of their enterprise stuff.
In my opinion Hilton is just about the worst hotel brand out there. I actively refuse to stay there at any opportunity. They wanted to charge me 10 euros to use the gym when I stayed in one recently (this was a discounted rate as well because I'm a member of Hilton Honours), regular price for guests was 20 euros. For one use of the gym!! That's not far off what I pay for a month of 24/7 gym access at home.

Wifi was 25eu a day. A small bottle of water from the mini bar was 8 euros, a small coke 12 euros. A pretty average chicken ceasar salad from the restaurant was 35 euros. It's just crazy when you/your company are already paying 350 euros a night for a room.

Having stayed at he Marriott, for business, around the country I can tell you that their internet is crap. I end up using my own hotspot at many of their locations. If they want to prevent me from doing so, they can take their mid-tier, over priced hotels and sell it to someone else.

I've spent over 70 nights at the Marriott and this will make me stop immediately. There are a lot of other options around with similar reward benefits when booked through hotels.com

That's awkward. Marriott had to settle with the FCC, and as part of that settlement can't jam peoples WLAN, but suddenly theres a decision to be made, petitions considered and Google and Microsoft have to beg for the law to be applied?

How did that happen, exactly?

It's pretty clear, actually. From the article:

> A lodging industry trade association petitioned the FCC last month for the ruling on blocking personal Wi-Fi signals.

> The petition stems from Marriott International’s agreement last month to settle an FCC investigation into a complaint that at least one of its hotels used communications-jamming technology to disable the personal Wi-Fi hotspots that many travelers tote with them.

Firstly, the ban on Wi-Fi jammers is an FCC rule, not a law.

So Marriott settled according to current rules. The hotel lobby then petitioned FCC to authorize them, and change the rules if necessary, to jam Wi-Fi. Google and Microsoft filed letters opposing this petition.

Rule? It sounds like a law to me:

"15. Can I operate a jammer in the U.S.? No. It is a violation of federal law to operate jammers in the United States, except for authorized, official use by the U.S. government."

http://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf

There are over 300 different kinds of "law" in the US. FCC rules are one of them, and it's broadly classified as an executive ordinance. The same sort of thing as any local government regulation. Just because it doesn't appear to be a more or less independant part of the government doesn't make it's rules any less of a law. There are countless agencies that have varying authorities and can issue decrees that apply within certain constraints. Everything from the military, DoJ, CIA, SEC, FBI, FDA, NSA, DoA, DoC (which issues most laws that apply to the internet), DoD, DoE, Dept. of Education, Dept. of Health, DHS, Dept. of Housing an Development, DoI, Dept. of Transportation ... all have the power to issue "laws" (usually referred to as regulations) that are as binding as any congressional law, but usually have limited scope. Scope is similar to the more well-known concept of jurisdiction, except it's usually not territorial but functional in nature. E.g. laws that apply only to airports, or ports, or trains, or power plants, or banks, or flying things, or boating, ...

One way to get bitten by this is by working for the government. You might think you have a contract, and that for instance your pension is set in stone by the paper you signed. That would be a wrong impression, as that paper you signed is (usually) not in fact a contract, merely an acknowledgement of the regulation (the text will, of course, state that this is so), and that regulation, unlike contracts, can be changed without your approval.

It seems to me that the GP is attempting to technically point out that the most narrow definition of law only applies to what both houses decide and the president signs. That's not true in any meaningful sense.

>"We remind and warn consumers that it is a violation of federal law to use a cell jammer or similar devices that intentionally block, jam, or interfere with authorized radio communications such as cell phones, police radar, GPS, and Wi-Fi."[0]

Why should this be any different?

[0]: https://www.fcc.gov/encyclopedia/jamming-cell-phones-and-gps...

This is a press release, the actual law / regulation is slightly more nuanced. It is perfectly OK to operate a jammer in your premises, given that it doesn't interfere with authorized radio communications outside your premises.

For example, every time you operate your microwave oven, you operate a 1kW RF jammer in 2.4GHz band, but because of the Faraday cage built around it (in theory: infinite attenuation; in practice: 30dB attenuation), it doesn't interfere with authorized communications outside your premises.

Are you sure about that? The FCC seems to think otherwise:

> 17. I don’t use my cell jammer in public. Can I use it in my own home, business, or vehicle?

> No. Jamming devices may not be used regardless of whether the device is operated on public or private property. If you own a jammer, do not continue to operate it. You risk substantial fines (of up to $16,000 for each violation or each day of a continuing violation, or up to $112,000 for a single act); seizure of the device by the government; and criminal imprisonment. Signal jammers do not respect property lines, and federal law provides no exception that allows for the private or commercial use of a jammer. [1]

A Microwave oven isn't a jammer. It's an authorized device that has to comply with certain regulations, essentially the same as for other devices using the 2.4 GHz ISM band.

[1]: http://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf

Exactly property rights explicitly do not apply to radio waves. You must not interfere with radio signals on your property, except through static structures (you're perfectly at liberty to build a faraday cage on your property).

Property rights have big exceptions. Property rights don't include :

radio waves

mineral rights

air space (include "space" space above your property)

Space is even a bigger exception in that it has been agreed that the airspace above a country > 100km up is no longer considered that nation's territory. You can't buy it, from anyone.

No. The microwave has passed FCC testing and has been approved. Devices with radios have to be approved before they are commercially sold.
That is not correct. You cannot legally build something that interferes with FCC-licensed devices.

Various devices fall under different FCC licensing categories, which basically define a hierarchy of who-gets-to-interfere-with-whom. "Part 15" devices, basically home and office equipment, is basically at the bottom of the stack (must not interfere, must accept interference received). Moving up the pecking order, Amateur Radio, under "Part 97", can under some circumstances interfere with Part 15. There are other sections for microwave ovens (Part 1030?), commercial broadcasting, medical equipment, military / government use, radionavigation... anything that uses the RF spectrum basically.

The FCC regs apply everywhere in the US, all the time.

With certain exceptions (very low power applications, amateur radio equipment operated according to regs), you can't build and operate random RF-emitting gear legally. (Much of it you're not even allowed to legally modify. If you run a microwave with the cover off, that's a violation.)

Constructing a cellphone jammer is much like constructing a machinegun: it's technically not that hard, and you can probably get away with it too if you're careful, but it was illegal from the moment you brought it into existence without the proper procedure. (Less prison time associated with it, though, and the rules governing simple possession aren't quite as strict, admittedly.)

Intent matters. Microwave ovens generate RF radiation to heat food, not to stop radio devices inside the microwave from operating correctly.
They've also been tested and licensed to do that. If GE, LG, et al. decide to come out with a new Microwave oven that leaks so badly it effectively is a jamming device then it won't be licensed and it can't be legally sold.
The arguments being made here are absurd.

There's a huge difference between "causing interference to other signals" or "managing [a hotel's] network in order to provide a secure and reliable Wi-Fi service," and willfully sending malicious packets designed to disable other wireless networks. The latter is buried in the text, but is what they are asking for permission to do. It's somewhat unclear how such behavior is an FCC interference issue rather than a criminal matter.

It's amazing that this is compared to "a homeowner using her cordless telephone that interferes with a neighbor's phone" and "a housewife whose use of a baby monitor device causes interference to a neighbor's garage door opener."

It does lead to an interesting question: if seeing a wireless network, which an automated system will not be able to confirm is actually on their property (consider the plight of nearby homes and businesses!), constitutes a threat that can be attacked, is it allowable for an adjoining property owner, or a guest with a wireless network, to see the hotel's network as a threat, and attack it in the same way?

The "alternatives" that hotels might be forced to implement if hotels aren't allowed to attack other networks are similarly entertaining:

>For example, a hotel could decide to prohibit guests from bringing Part 15 devices on the hotel's property. Alternatively, a hotel could limit the areas where Part 15 devices may be used, for example, by restricting their use to guest rooms or common areas.

I would love to see any hotel attempt this, even for one day.

Phone reply, so I can't easily find the links, but those comparisons are to previously decided FCC judgments about interference. So while outlandish, it's very much on purpose.
Well this is the whole reason of the FCC's existence. The FCC is the only organisation allowed to interfere with other's radio signals.

Radio waves are one of the explicit exceptions to property rights. The others are mining rights and airspace (including space).

So you shouldn't consider property rights here at all, they don't apply here.

Balls. Big, swinging brass balls. That's what the "hospitality" industry has to petition the FCC to allow them to block people's personal wifi.

No doubt they'd also like to block cell phone service so that you have to use the room phone.

Good on Google and Microsoft for standing up for what's right.
Please. Google and Microsoft are standing up for themselves. They both run search engines and advertising platforms that require internet traffic.
Personal access points are features of both android and windows phone.
Marriott are jackasses and I hope they go out of business, but I'm not sure I want the FCC to be policing this issue. The "jamming" doesn't entail actual radio jamming; they're just sending a deauth packet. Unless I very much misunderstand, the problem has been solved if your personal WAP supports protected management frames.
That is basically asking for an arms race, and I don't think that it would be a particularly productive use of either engineering effort or users' time to have to continually upgrade their mobile hotspots and client devices with the latest in anti-anti-anti-jamming technology.
No arms race. The problem has already been solved with protected auth frames. The only thing that really works agains t that is to violate the protocol and actually jam the signal.
Um, regulating the use of spectrum to prevent interference is exactly what the FCC are for, isn't it?

If you're trying to kick another user of the spectrum off it, that is jamming - specifically ECM, given it's taking a more technical approach than just filling the band full of noise. Many military jammers are pretty technical in their nature, but it's absolutely not an OK thing for a hotel to run, that's just ridiculous.

If they're accessing personal wifi devices without the authorization of the owner of said device, doesn't that qualify as a breach of the CFAA?
Actually the deauth packet is sent to your laptop, and it appears as though it came from your personal wifi device, even though it actually came from the hotel's evil jamming machine.

IANAL, but typically staying at a hotel involves signing forms with fine print, which could contain that sort of authorization.

There's a pretty simple solution to this problem. So lets say that a hotel wants to offer clean reliable wireless to its customers, possibly for a price. This can't be done with unlicensed spectrum, since you can't get exclusive access to it. The answer is to use licensed spectrum for this purpose.

The way this could be implemented, is for a wireless equipment manufacture (or consortium) to purchase a chunk of spectrum, that they can control. Make it an industry standard, so that it gets included in generic client-side wifi chip sets. Then the manufactures can control the usage of the base stations for this private spectrum, so that it is only available in a commercial setting (i.e., places like Marriott would pay a license fee to the consortium to stand up a base station with the private spectrum). The only trick here would be getting industry agreement so that the client side would get widely implemented, so that Marriott's (and other venue's) customers would be likely to have this spectrum available in their client side devices.

Have you looked at the price of radio spectrum recently ? This would never fly. Even a small sliver of spectrum for one country costs more than Marriott is worth.

Which is of course why they're trying to get it for free.

This depends entirely on how much spectrum, how much power, and how geographically diverse you want to deploy. Without going into too many details, I can say that purchasing 500 milliwatts of EIRP transmit power in a small urban area (<10 sq km) of 5 MHz of spectrum in one country of population < 10mm people can be had for ~ $2mm/year.
5MHz's unlikely to bring you any high-quality internet connection for many tens of guests, we should be looking at 100MHz at least.
Maybe it would be too expensive for Marriott to buy outright, but not for some equipment manufacture that can make up the money in licensing fees. That's what I was referring to -- someone like Cisco could acquire a chunk of spectrum, license it out for free for client side chipsets (call it 802.11x or something), and charge venues like Marriott for the base stations (and of course geographically control them so there is no overlap / interferience). Kind of like how Motorola owns the frequencies for some of their 2-way radios.
Hotels provide light, water, toilets, and often electricity for personal devices for free. I hope it's just a matter of time until free Internet access belongs to this group of naturally provided services that you don't even have to talk about.
Usually cheaper hotels have free WiFi. It's the expensive ones that tend to charge extra.
I don't know about you but when I pay to stay at a hotel I expect light, water, toilets, electricity, etc to be included in the rate. I'm reasonably confident that the law does too.
It will backfire for sure. Because stuff like this I prefer to use airBNB over hotels with insane WIFI rates and poor reception in the room.
If Marriott, and other hotels, are going to start "to protect guests from “rogue wireless hotspots” that could lead to hacking", that now makes them communication companies and they should be put under all the laws, restrictions, fees, forms, reporting and obligations that any telecommunication company should be put under.
That the FCC isn't clearly on the side of consumers speaks to how bought-and-paid-for the Federal government has become.

I write, though, to suggest how fun it would be if guests or neighboring properties started jamming hotel wifi in a bit of civil disobedience.

I wonder what the FCC would have to say about that (rhetorical, we all know.)

is this a widespread thing in the US or just in the Marriot? I travel a lot mainly within Europe & Asia but never encountered it.
Managing rouge APs is a legitimate pursuit in many contexts.

It is always legitimate for the operator of an Ethernet network to attack, disable, and punish people for attaching unauthorized APs to that network. As a university or corporate IT department, you likely employ access control and monitoring techniques (including WPA2-EAP and 802.1x). An employee or student's Best Buy wireless router that strips you of the ability to individually identify users is a major liability. The worst case scenario in this case is a ruling against rouge AP management that does not distinguish between hotspots attached to the corporate network and hotspots merely existing on corporate property.

Second, there is a compelling argument against cellular hotspots in contexts like secure corporate and government environments. Many corporations have a self-interest, ethical responsibility, and legal/regulatory obligation to monitor and archive employee communication. A personal WiFi hotspot would allow employees to exfiltrate private customer data, bypassing logging and packet inspection schemes.

That could be used for anything from a financial rep engaging in prohibited sales practices immune from auditor/supervisory eyes and litigator discovery, to a Facebook employee selling chat logs to the highest better, to old-fashioned corporate espionage against R&D work products.

Jamming cellular personal hotspot devices in a hotel should be illegal, but for the right reason - it's anticompetitive. Same thing as a railroad company selling exclusive carriage to one food company.

I think it's all part of a marketing scheme or something. I think Marriott can do that if they want so long as they tell their guests but with Google and Microsoft joining in, that's completely unnecessary.
I think it's all part of a marketing scheme or something. I think Marriott can do that if they want so long as they tell their guests but with Google and Microsoft joining in, that's completely unnecessary.