Tuesday, January 8, 2008

Hotel snooping on your browsing activity?

If you are concerned about browsing privacy you may want to think twice about using your hotel network.

I'm currently at a hotel that is using Superclick to provide wired and wireless access to the hotel rooms. I don't expect exceptional download speed while at a hotel; however, I never expected to have my entire browsing experienced monitored and logged by the ISP.

While on the Superclick network I determined the following:

  • All non-SSL URL requests are intercepted by Superclick and fed to their webserver as a URL parameter

  • The Superclick server retrieves the requested page, drops it into the main frame of a frame set and returns the frame to the browser

  • The returned frameset always includes a Superclick php file in the top frame, presumably to maintain control of the user's browsing experience


For example, if the user requests google.com, the following request is made

Superclick_Redirect

Notice that google.com is passed to the Superclick site (12.4.217.194) as a parameter.

Now, Superclick retrieves google.com and wraps it inside a frameset, making sure to insert its own php code in the top frame. Take a look at the page source.

Superclick Frame Wrap

So, not only will the ISP have you network traffic logs, but now they also have complete control of your browsing experience. From my observations, it appears these actions are not taken for SSL sites; however, I wouldn't trust much of anything thats going on at this point.

Lastly, this little modification also leaves the user with the random occurences of the URL not matching the site you are on. Yes, you heard me right, Superclick will serve you up the requested page and somehow, not update the URL in your browser window. It seems that this happens when you follow a new link to a page on another server. In the page below you can see that I am on the Disney site while the URL still says ESPN.com

Superclick URL Error

Here's a snapshot of the broken back button too. Clicking back will just take me to Superclick's redirectr, which sends me to the page I started from, thereby eliminating the ability to go back at all.

Superclick messes up back button

How can you tell if your hotel is pulling these shananigans on you?

  • The 'back' button will mysteriously stop working.

  • All urls will end in a question mark (see previous image)

  • Viewing the source of any page you've browsed to will show a frameset with the Superclick site injected nicely into the top frame.


I'm not the only one who has commented on this hotel activity http://www.sans.edu/resources/securitylab/266.php

Happy browsing....

-Michael Coates

Update June, 2006:

Looks like more ISPs are thinking they have the right to monitor and inspect all your traffic for the purpose of injecting adds and making money.

http://blog.wired.com/27bstroke6/2008/06/isp-spying-made.html

http://blog.wired.com/27bstroke6/2008/05/charter-to-inse.html
Posted by