Friday, October 03, 2014

Two Minutes of Hate: Marriott deauthing competing WiFi

Do you stand for principle -- even when it's against your interests? Would you defend the free-speech rights of Nazis, for example? The answer is generally "no"; few people stand for principle. We see that in this morning's news story about Marriott jamming (actually deauthing) portable WiFi hotspots in order to force customers to use their own high-priced WiFi.

The principle I want to discuss here is "arbitrary and discriminatory enforcement". It was the principle behind the Aaron Swartz and Andrew "weev" Auernheimer cases. The CFAA is a vague law where it is impossible to distinguish between allowed and forbidden behavior. Swartz and Weev were prosecuted under the CFAA not because what they did was "unauthorized access", but because they pissed off the powerful. Prosecutors then interpreted the laws to suit their purposes.

The same thing is true in the Marriott case. Deauthing WiFi is common practice on large campuses everywhere, at company headquarters, hospitals, and college campuses. They do this for security reasons, to prevent rogue access-points from opening up holes behind the firewall. It's also used at the DefCon conference, to prevent hostile access-points from tricking people by using "DefCon" in their name.

Section 333 of the Communications Act is vague on whether deauths are inherently illegal. That's because they aren't causing "interference" as the word is used in physics and radio communications. "Deauth" is a command you send to the device, not electromagnetic waves that drown out other signals. If the access-point and the client simply ignored the deauth (which they can be configured to do), then the deauth would have no effect on the radio communications. (I configure my systems this way on pentests, btw, it's awesome).
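To make the "command, not radio noise" point concrete, here is an added example (not part of the original post) that parses a deauthentication frame as the ordinary 802.11 management frame it is, and counts unprotected deauths per BSSID the way a monitoring sensor might. The sample frames, MAC addresses and the threshold of 3 are constructed for illustration.

```python
import struct
from collections import Counter

MGMT, DEAUTH = 0, 12   # 802.11 frame type and subtype for deauthentication
PROTECTED = 0x40       # Protected Frame flag: body is encrypted (802.11w unicast)
REASONS = {1: "unspecified", 2: "previous authentication no longer valid",
           3: "sending station is leaving",
           7: "class 3 frame from nonassociated station"}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Parse a raw 802.11 frame (no radiotap header, no FCS).
    Returns a dict for deauth frames, None for anything else."""
    if len(frame) < 24:                      # shorter than a management header
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != MGMT or (fc0 >> 4) & 0xF != DEAUTH:
        return None
    protected = bool(flags & PROTECTED)
    reason = None                            # unreadable when the body is encrypted
    if not protected and len(frame) >= 26:
        (reason,) = struct.unpack_from("<H", frame, 24)
    return {"dst": mac(frame[4:10]), "src": mac(frame[10:16]),
            "bssid": mac(frame[16:22]), "protected": protected,
            "reason": reason, "reason_text": REASONS.get(reason)}

def flag_deauth_bursts(frames, threshold=3):
    """Map BSSID -> count of unprotected deauths, for BSSIDs at or over threshold.
    Group-addressed 802.11w frames (MMIE instead of the flag) are not handled here."""
    counts = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d and not d["protected"]:
            counts[d["bssid"]] += 1
    return {b: n for b, n in counts.items() if n >= threshold}

# Constructed sample frames (locally administered MACs, not a real capture).
PLAIN = bytes.fromhex("c0003a01ffffffffffff0200000000010200000000010000" "0700")
PMF = bytes.fromhex("c0403a010200000000aa0200000000020200000000020000"
                    "00112233445566778899")
BEACON = bytes.fromhex("80000000ffffffffffff0200000000010200000000010000")
SAMPLE = [PLAIN, PLAIN, PLAIN, PMF, BEACON]

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_deauth(f))
    print(flag_deauth_bursts(SAMPLE))
```

The whole "jam" is a 24-byte header plus a two-byte reason code, which is why a receiver that discards or cryptographically rejects the frame is unaffected by it.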

Marriott quite rightly defends itself, pointing out there is nothing in the rules that distinguishes between the deauths everyone else is doing (which aren't prosecuted by the FCC) and the deauths they were doing. Sure, they are shitty dirtbags for doing it, but there is nothing in the law that distinguishes between "shitty dirtbag deauth" and "cybersecurity deauth".

In discussions on Twitter, I find that nobody cares about the principle of "discriminatory enforcement". Instead, all they cared about was that corporations are evil, and that Marriott was particularly evil in this instance. While nobody could explain what part of the law distinguished permissible deauths from impermissible ones, they frequently argued why deauths can be thought of as violating section 333 of the Communications Act. That's missing the point: if their interpretation of the law is correct, then all deauths need to be prosecuted by the FCC, and all makers of WiFi security products (Cisco, Aruba, etc.) need to be prosecuted for marketing jammers within the United States.

The point isn't whether spoofing deauths is illegal. The point is "discriminatory enforcement", and nobody seems to care -- at least when it concerns those who they already hate.

The phrase "two minutes of hate" refers to George Orwell's 1984. The picture above is from the movie. My outpouring of hate on my Twitter feed feels like that.


martijn said...

For the record: I agree with you. Both on that it's evil what Marriott did, and that fining them is wrong.

I feel the same way about hefty fines (usually through settlements) handed out to big companies, who clearly deserve fines.

And I also think nazis should have a right to free speech, just like anyone else.

I'm sorry if this shatters your world view. :-)

Robert Graham said...

Totally shattered -- I guess I go by my twitter feed where everyone is eager to express their hate. I, of course, hate everyone, so I have to swim against the current :).

Anonymous said...

You're right in so far as deauthing an access point you don't own is willful interference and should be prosecuted under the law.

George said...

Can a retail store confiscate stolen clothing? Can corporate IT block cyber-attack network traffic? I think it's pretty clear and obvious that both of these actions are legal.

Can a hotel confiscate a guest's towel at their hotel pool to force those guests to buy a new towel in the hotel gift shop? Especially if they're secretly taking the towels? Well this is exactly what Marriott is doing when Marriott blocks a guest from using their own portable hotspot with their own mobile 4G connection.

Now it might get into a gray area if guests were actually sharing Marriott's network connection with other guests. I don't believe this is what happened, but this would be an interesting scenario.

PacoBell said...

Doesn't this just mean that more people should implement and use 802.11w PMF? Sure, there are plenty of other ways to disrupt service, but at least they'd have to work much harder to do so.

Unknown said...

I think they've made it clear by prosecuting people in the past for accessing networks that are not their own, saying that WLANs are private and attacks, or unauthorized access will be punished.

So, if there were attacks or unauthorized access to Marriott's network then the de-auths would have gone unnoticed.

These were not attacks; these were personal networks, not real security threats. That's why I think the FCC acted in this instance.

So, no, fining them was not wrong. They impeded the use of unlicensed spectrum and were properly fined.

- Eddie Forero

Unknown said...

There are so many typos in this post; you should really take five minutes and proofread it. And no, automatic spell checking is not proofreading.

John Thacker said...

FWIW, it appears Marriott is asking to use deauths in conference rooms, not individual hotel rooms. There's a stronger case for using them in a conference room (they still want to charge for it, but it's a less dirtbag move because preventing spoofing, etc. is stronger). I'd be interested if the FCC distinguishes between crowded conference room and individual hotel room.