ihg.md

Hello -

I am currently staying at the David Intercontinental in Tel Aviv, Israel - I'm here on business for 10 days - I'm a web software engineer at Google in Mountain View, California.

While reading a close friend's blog using the hotel wifi (note I am using the paid service), a popup appeared midway down the page asking me to use my room number to "get the latest digital services" from the hotel:

As my friend's blog is hosted in the US, and he's never been to to the David hotel or Israel, for that matter, I thought it was somewhat odd that his website would be asking me anything like this. So, I jumped on my laptop, and visited the page from there with Chrome's developer tools running.

To my great surprise, I found that the hotel wifi was modifying the page as it transited the network, and injecting code into the page. This code made a couple of requests to a third party server, which injected yet more code, and depending on a number of parameters would show one of a few popups - this one, soliciting my room number, and another asking "How Is Your Stay so Far?"

In my line of work, when I see unknown, third-party code being injected into a webpage, it's a sign that something nefarious is happening - this same technique is used by malicious actors to do all the nasty things you're warned about on the internet.

It's important to understand what's happening, and while it may seem benign, it opens up a number of extremely concerning privacy and security holes.

Traditionally, when someone uses a WiFi hotspot at a hotel, the first time they try to visit a webpage, the WiFi system (generally the router) will intercept that request, and redirect the user to the sign-in page. Once the user signs in, the router will redirect the person back to the original site they requested. From that point forward, the router knows the user is authenticated, and from that point forward, it simply acts as a relay, passing requests and responses back and forth, acting as a bridge between the hotel's network and the wider internet.

So:

• my browser requests www.somewebpage.com
• the hotel router passes that request along to the internet
• www.somewebpage.com sends the webpage back to the router
• the router hands the webpage back to my browser.

This is all perfectly normal, and is fundamentally how the internet works: computers talking to computers via other computers and routers, sending webpages and and emails and selfies all over the world simply by cooperating and agreeing to pass along data. Importantly, part of this whole contract is that said data should not be modified or deeply inspected - simply passed along to the next link in the chain.

This is NOT what's happening at the David Intercontinental Hotel.

Instead, every webpage that is requested and returned from a server, before being returned to the user's browser, is modified. A small block of code is inserted into the page's code, without the consent of either the person requesting the page nor the author of the webpage.

These are not "banner ads" as we traditionally know them - for a start, banner ads are something that a website owner must explicitly opt-into. Further, ads are "third-party" - they run in a sandboxed environment, away from user data - this means that even an ad that is designed to do evil things is greatly restricted in what sort of data it has access to, and generally can't steal password and secrets.

By contrast, the system installed at the David is doing something much more dangerous - it's injecting code directly into the webpage, where it runs with exactly the same level of permissions and power as the code the user actually requested. This means that this code can do anything it wants - talk to servers, steal passwords, and even act on behalf of the user.

This is, quite simply, crazy dangerous. The only mitigation for this is HTTPS - that's the green lock you get in your browser window, which encrypts the data going through the router, preventing this kind of attack. Unfortunately, while your bank likely uses HTTPS, something like 70% of the top 1 million sites on the internet don't - every single one of them will be modified by the router at this hotel.

As you can probably tell, I find this extremely problematic on principle - beyond the security implications of this attack/marketing feature, the basic technique of injecting code requires them to deeply inspect every. single. webpage. that crosses the network.

To illustrate what's happening - here's the world's simplest webpage, when I'm connected via Google's encrypted VPN (which also prevents this sort of utter nonsense):

Here's the exact same webpage requested with the VPN turned off, using the hotel WiFi:

All that hot garbage is added by the hotel to every non-HTTPS website visited on the network.

Fun fact: there's so much garbage added, that if you used the complimentary 8-megabyte wifi plan, you could only visit 30 or websites before using all your data!

So I sent a sort of "what?!" tweet to the hotel's twitter account, and IHG was kind enough to call the night manager. He redacted was very nice, and he initially tried to say "we use your data in accordance with our privacy policy and T&C's etc", but after having a similar discussion with him, he made it clear he was out of his element (and to be fair, I am rather passionate about this...)

I did read IHG's privacy policy, and as far as I can tell, nothing like this is covered : https://www.ihg.com/content/us/en/customer-care/privacy_statement#15 - the IHG policy is pretty standard, and allows for nothing like inspecting and modifying a users's web traffic. It's perfectly reasonable to track my MAC address and incidentally log what sites I visit, just like it's perfectly reasonable for IHG to track what international phone numbers I might call, so they can bill me fairly.

What's absolutely not appropriate is inspecting or modifying the contents of my web traffic for marketing. Or for any reason. Just like it would be absolutely inappropriate for IHG to listen in on my phone calls, or, as is happening here, for them to get on the line and interrupt the conversation to ask me how I'm enjoying my stay. Well, since you asked...

Because I like to know who is creeping on my data, I followed the public breadcrumbs from the injected code. https://www.routier.io/ appears to be the vendor behind this terrible idea, and it appears their whole business is built around what is basically, a security vulnerability. I don't know how IHG reviews vendors, but at my employer we run security audits on all ours, and this idea would have been laughed out of the building. We have entire teams of people dedicated to preventing such nonsense.

Their promo video seems great (actually: adding popups to anything ever - literally everyone hates it. we have the metrics to back it up. Just Don't.) - but if you keep in mind how they're doing it, its slightly less compelling I reckon. https://www.youtube.com/watch?v=lcC2OtMshsE

I hope I've communicated the seriousness of my concern. Please feel free to reach out to me via email - robwormald@google.com or by phone at +1737 346 2493

Thanks!

Rob Wormald

Routier.io "Communication Done Right"

The on/off VPN screenshots are amazing - if you can make it to the end of the video, the last line, claiming "...without downloading a thing" now gives me a laugh.

Wow, on a technical note (not agreeing with what they did!) -- why the hell wouldn't they just embed the script; and have the script dynamically create everything. That is a hell of a lot of boilerplate that is being added to the page and does give a good chance of messing things up in the real page. Adding a simple <script src="..."> should be a lot simpler and a hell of a lot more user/traffic friendly...