How not to run your hotspot…

I am reminded of a teacher that I got into an argument with. He told me that MAC address filtering is a better security measure than WEP, and I naturally argued back to no avail. Granted, I am talking about each measure as a standalone, not MAC filtering behind a WPA2 Enterprise infrastructure or anything along those lines. Cracking WEP is trivial with or without injection to the access point, but it’s STILL encryption even if it is marginal at best. MAC address filtering as a security safeguard is and always has been NO security. Zip, zero, none.

Yet, here I sit in 2014 paying $50 a month PER DEVICE at a hotel for a max of 5 mb/s… I initially made the mistake of signing up for my wifi using my iPad, even though the bulk of my surfing is still on my laptop. When I went back to authenticate on my phone and laptop I realized that they were doing straight up MAC filtering and wanted $50 per device.

I don’t know about you, but $150 for one month to connect three devices at turn of the century speeds really pisses me off. Since this isn’t a pentest and I am a good guy I just cloned the MAC address from my own iPad, BUT I could have easily stolen the MAC of any of the 30+ devices in the area that had already paid. You can use macchanger (you are using Linux, right!?!?)

Or you can… drumroll…… just edit your networking file at /etc/network/interfaces

auto wlan0
iface wlan0 inet dhcp
    hwaddress ether 54:E4:3A:DB:0D:C5

Remember, I know the IP of the access point, so any device I find sending packets through the gateway is probably authenticated and paid up. I could even get on before them and then they would be the “rogue” device trying to clone me and thus not allowed access. I could even go be a bad guy on the internet, and when the police come back to the ISP with a warrant, the user on record with them, the one who registered via credit card, sure ain’t me. It’s some poor bloke that will say, “but I was sleeping in my room, I would never deface Justin Bieber’s website”.
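From the operator's side, a cloned MAC tends to leave a trace: the address that registered as one device later asks for a lease with a different DHCP hostname and option list. The sketch below is an added example, not part of the original post; the log layout, hostnames, timestamps and option lists are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DHCP events (hypothetical log layout, not from the post):
# timestamp, client MAC, hostname (option 12), parameter request list (option 55).
SAMPLE_LOG = """\
2014-03-01T20:01:10 mac=54:e4:3a:db:0d:c5 host=guest-ipad prl=1,3,6,15,119,252
2014-03-01T20:05:42 mac=00:11:22:33:44:55 host=room212-laptop prl=1,15,3,6,44,46,47,31,33,121,249,43
2014-03-01T23:40:03 mac=54:e4:3a:db:0d:c5 host=guest-ipad prl=1,3,6,15,119,252
2014-03-02T00:12:37 mac=54:E4:3A:DB:0D:C5 host=debian prl=1,28,2,3,15,6,119,12,44,47,26,121,42
2014-03-02T08:15:00 mac=00:11:22:33:44:55 host=room212-laptop prl=1,15,3,6,44,46,47,31,33,121,249,43
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mac=(?P<mac>[0-9A-Fa-f:]{17}) host=(?P<host>\S*) prl=(?P<prl>[\d,]*)$"
)

def parse_events(text):
    """Yield (timestamp, mac, fingerprint) tuples; skip lines that do not parse."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Normalise MAC case so 54:E4.. and 54:e4.. map to the same key.
            yield m["ts"], m["mac"].lower(), (m["host"], m["prl"])

def find_identity_changes(text):
    """Return {mac: [(timestamp, old_fingerprint, new_fingerprint), ...]}.

    The first fingerprint seen for a MAC is treated as the device that
    registered; any later, different fingerprint on that MAC is reported.
    """
    baseline = {}
    alerts = defaultdict(list)
    for ts, mac, fp in parse_events(text):
        known = baseline.setdefault(mac, fp)
        if fp != known:
            alerts[mac].append((ts, known, fp))
    return dict(alerts)

if __name__ == "__main__":
    for mac, changes in find_identity_changes(SAMPLE_LOG).items():
        for ts, old, new in changes:
            print(f"{ts} {mac}: registered as {old[0]!r}, now {new[0]!r} (fingerprint changed)")
```

A mismatch is a signal to investigate, not proof, and a client that also copies the hostname and option list will not trip it, which is one more reason the MAC cannot serve as the credential.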

But what’s the alternative the ISP might say?!!? Umm… WPA2 with a randomly generated username/password just like most of the better hotels. In this day and age of high speed internet, restricting the number of devices is not only tacky, it’s bad business. What are you worried about, people running Napster from their room?!?!