July 23, 2011

DEFCON Travelers.. Don't just go. Boingo (for free)

While recently traveling, I noticed several airports I visited had a hotspot named "boingo".  Boingo claims to be a worldwide leader in Wi-Fi services. They basically provide wireless internet access for a fee. In this article I'm going to discuss the steps I took to avoid paying a fee for Boingo internet access.

The "boingo" hotspot is "open" and anyone can connect to it. When I connected to it, I received a DHCP lease. I launched my web browser, and when I attempted to go to google.com, I got redirected to a Boingo web page suggesting I pay money to use the internet.

I had noticed the Boingo web page seemed to have quite a bit of functionality to it. One thing in particular that I noticed was the advertisements. When I looked up the source of an ad, I noticed the ad was pointing to the advertiser's server over the internet. I started going through the source code of the web page and discovered the following URL was being used to redirect advertisers' requests through the network via a proxy.


If I could use this proxy to get to google.com, this would solve all my problems. Yet things aren't always that easy. I entered http://ads.jiwire.com/JOS.aspx?http/www.google.com/ into my browser and I got an error stating that this domain was not in the "white list".

Now that I know the system is using a white list, it is just a matter of brute forcing domains to find which domains are allowed.

Below is a list of domains I found by manually brute forcing:
  • mobileproxy.org
  • www.att.com
  • www.bing.com
  • www.blockbuster.com
  • www.chrysler.com
  • www.dell.com
  • www.ford.com
  • www.hp.com
  • www.htc.com
  • www.itunes.com
  • www.java.com
  • www.netflix.com
  • www.oracle.com
  • www.t-mobile.com
  • www.skype.com
  • www.sprint.com
  • www.wordpress.com

To my shock, a proxy service such as mobileproxy.org was in the white list. As you can see below, by using mobileproxy.org to redirect my traffic through the ads.jiwire.com proxy, I was able to reach google.com!

A white list system is never a perfect security solution; it just filters content, and in this case we were able to abuse that. If we weren't able to access the mobileproxy.org service that redirects our requests, there is always the potential for URL redirect type issues within any of the advertisers' domains. It would just be a matter of finding them. Enjoy!
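
The operator's side of the two weaknesses described above, as an added example that is not part of the original post: an allowlist audit that flags relay services, and a per-hop check that re-validates every redirect target instead of only the first host. The `scheme/host/path` target format is inferred from the single URL shown in the post; `RELAY_HOSTS`, the function names and the redirect chains are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist; the hosts are taken from the list in the post.
ALLOWLIST = {"www.dell.com", "www.hp.com", "mobileproxy.org"}
# Hypothetical category data an operator would maintain: hosts that relay
# arbitrary third-party content and so defeat a walled garden if allowlisted.
RELAY_HOSTS = {"mobileproxy.org"}


def normalize(host):
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return (host or "").lower().rstrip(".")


def parse_target(query):
    """Parse the 'scheme/host/path' target seen after JOS.aspx? in the post."""
    scheme, _, rest = query.partition("/")
    host, _, path = rest.partition("/")
    if scheme not in ("http", "https") or not host:
        raise ValueError("malformed target")
    return scheme, normalize(host), "/" + path


def audit_allowlist(allowlist, relay_hosts):
    """Return allowlisted hosts that can forward a client to any site."""
    return sorted(allowlist & relay_hosts)


def authorize(query, redirect_chain, allowlist, relay_hosts):
    """Decide whether the ad proxy may serve this request.

    redirect_chain holds the Location URLs returned upstream, in order.
    It is constructed input here; a real proxy would gather it by
    following redirects itself, one hop at a time.
    """
    _, first_host, _ = parse_target(query)
    hosts = [first_host] + [normalize(urlsplit(u).hostname) for u in redirect_chain]
    for hop, host in enumerate(hosts):
        if host in relay_hosts:
            return (False, f"hop {hop}: {host} is a relay service")
        if host not in allowlist:
            return (False, f"hop {hop}: {host} not on allowlist")
    return (True, "ok")


if __name__ == "__main__":
    print(audit_allowlist(ALLOWLIST, RELAY_HOSTS))
    print(authorize("http/www.dell.com/", ["http://www.google.com/"],
                    ALLOWLIST, RELAY_HOSTS))
```
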