Sea of Troubles

➞ Hotel Wifi JavaScript Injection

It seems that some hotels are actively altering web pages served over their guest internet connections. Justin Watt noticed that there was something weird on his personal blog when browsing through hotel WiFi; after checking a couple of other blogs, he concluded:

Somewhere between the internet and my computer, someone [was] injecting JavaScript into EVERY SINGLE PAGE I LOAD.

I found a utility that unpacks packed JavaScript, and it only took a quick skim of advnads20.js (over 1900 lines reformatted) to estimate that its primary purpose is ad injection/takeover.

It seems as though the code was injected deliberately, by a device disturbingly named the Revenue eXtraction Gateway (RXG), made by RG Nets; see Justin’s blog for more details.

This is very disturbing from a security perspective. To an attacker, this RXG device is a perfect target; if you could add a hook to a drive-by kit (e.g. this week’s hot topic: the Flashback malware attacking OS X), you could target every user on that network. By design, this device performs a man-in-the-middle rewriting attack.

John Gruber’s observation:

Yet another reason to bring your own 3G or LTE hotspot with you when you travel.

I couldn’t agree more. If you can’t, look for other alternatives — like a corporate VPN or an SSH port forward (use -D) to a trusted host (e.g. EC2 or Linode) — and use SSL as much as possible.

Let’s hope the wireless carriers don’t feel the need to install these devices into their networks.

(ᔥ New York Times and Daring Fireball)
