Spoofing Holiday Inn’s WiFi For Nintendo Wii
My girlfriend works as a manager for a major restaurant chain that has a catchy theme song about ribs. About a month ago, one of the restaurants located in a city about 50 minutes west of where we live lost three managers. I’m not very clear on the details, but I understand two walked out without giving advance notice (why oh why, I wonder) and a third was fired for breaking a serious policy (I mean a federal law, but it’s been dealt with). As a result, the place is essentially in a state of needing emergency life support. They’ve called upon my girlfriend to help pick up the pieces (hopefully with the intention of letting her go someday, and not use this as an opportunity to coerce her to stay permanently). So far, she’s been scheduled to stay through till the end of July, and this was a very recent revelation on the part of her boss. I would not be surprised if “the end of July” becomes “the end of August” sometime soon.
Fortunately she is being put up in nice hotels (which I would imagine is coming out of her boss’s bonus checks this year, and that sort of makes me feel a tad bit better about the whole long-distance relationship mini-drama). But there are many days I can’t stay with her, and spending time in a hotel alone can get really boring after a month or two or three (hopefully not four, but I’m a little pessimistic at this point).
Holiday Inn’s WiFi Meets Nintendo Wii
One of the things my girlfriend purchased before this stretch of work was delivered to her was a Nintendo Wii. I showed her at my house how to configure the wireless network connection settings and talked her through it over the phone when the time came. But for some reason, it just wouldn’t connect. By “connect”, I don’t mean wireless association followed by authentication (which, in this case, means nothing because the network does not use encryption). What I mean is, you’re not granted gateway access to external IP addresses until you’ve clicked on a link indicating that you agree to certain legal usage terms. Once you click the “I agree” button, you are then given full access to the Internet.

What the Nintendo Wii is trying to do is phone home (access Nintendo’s servers) immediately after it’s assigned a default gateway, with the assumption that the gateway is not blocking traffic to external IP addresses. If it were to ping the gateway, it would likely get a reply. Any other site, nothing. The Wii concludes that your router is working but your cable modem is broken, so it gives up and asks you to try a different network.
Since I’ve already agreed to a certain group of usage terms I shouldn’t be required to click “agree” again so as to personally access the Internet. But it’s the MAC address that acts as my identity, more like a name-badge, and the MAC on the Wii will be different from the MAC on the laptop. Your MAC address is a hard-coded number used to uniquely identify your wireless networking adapter. No two MAC addresses are said to be the same. So at first, it would seem there’s nothing I can do with the Wii to get it to connect to the Internet… Or is there?
What can be done about this?
There are a couple of solutions. The first is to contact customer service and see if they can get their IT guy on the phone. I would then ask him if he could manually add the MAC address of the Wii to their routing tables and grant the device access. For some, this would be the simpler solution… though your mileage may vary. How long do you think it would take? Because I really don’t feel like placing bets on them being immediately available. I’m just telling you right now that the IT people at this particular hotel are not very advanced. The reason I say this is because the channels they picked for their 3 routers are all within the same frequency range (channels 1, 2 and 3) instead of spread out (channels 1, 6 and 11). In other words: They’re not very professional. Bandwidth is being lost because the routers are overlapping each other’s frequencies, and this is basic wireless network design technique we’re talking about here.
The other solution is to trick their wireless networks into thinking my laptop is the Wii and click “I agree” a second time, and then disconnect. I would do this by changing the MAC address of my wireless adapter. This is what is known as “MAC address spoofing”, the act of using a networking device to appear to be another (not to be confused with a “spoofing attack”, because we’re not going to attack anybody). Not all networking devices can do this. I happen to be using one that contains an Atheros chipset (it’s a D-Link WNA-2330 to be exact), which can be made to do anything I want it to do in the world of Linux. (Another blog I’m going to write in the future about Wireless Adapter hacking is turning my laptop into a Wireless router, and then share my cellphone’s Internet access wirelessly).
The Trick
I intend to use a copy of Backtrack 3 beta to carry out this little experiment. But it’s late, I’m away from home and have to download a fresh ISO and burn it to a disc first before I can try this out. By the way, spoofing a MAC address can be done in Windows, but I’m not going to write about Windows software that does this in here (because I’m lazy. But if you’re really curious, Google can help).
In Backtrack (or even Ubuntu if I install the MadWifi drivers, which is not as easy as burning a Backtrack Live CD) the commands to change the MAC are as follows (reference link). You can use any MAC address you like; in this example, 00:11:22:33:44:55:
- wlanconfig ath0 destroy
- macchanger -m 00:11:22:33:44:55 wifi0
- wlanconfig ath0 create wlandev wifi0 wlanmode managed
- ifconfig wifi0 up
After this, I can just use a plain old connection manager to connect to the network. I could also use this command to do it manually:
- iwconfig ath0 essid [NetworkName] key [WepKeyHere]
Pretty simple. Note though that if your card uses a chipset other than Atheros, you might not be able to do this with your card, and the first command “wlanconfig ath0 destroy” might be slightly different (like “eth1” for instance), depending on the device name Linux assigns your wireless adapter.
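Because the hotel’s “I agree” page ties its state to the MAC address alone, two devices that present the same MAC look like one guest to the gateway. The following is an added example (not part of the original post) of how a network operator could notice this from logs: it flags a portal-accepted MAC that later shows up with a different DHCP client fingerprint. The log format, field names and sample lines are constructed for illustration and do not come from any real portal product.

```python
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <EVENT> key=value ..." (hypothetical format).
SAMPLE_LOG = """\
2008-06-01T21:02:11 DHCPREQUEST mac=00:11:22:33:44:55 hostname=laptop vendor=dhcpcd
2008-06-01T21:03:40 PORTAL_ACCEPT mac=00:11:22:33:44:55
2008-06-01T21:09:02 DHCPREQUEST mac=00:11:22:33:44:55 hostname=- vendor=-
2008-06-01T21:10:00 DHCPREQUEST mac=00:AA:BB:CC:DD:01 hostname=guest-pc vendor=MSFT_5.0
2008-06-01T21:10:30 PORTAL_ACCEPT mac=00:aa:bb:cc:dd:01
2008-06-01T21:40:00 DHCPREQUEST mac=00:aa:bb:cc:dd:01 hostname=guest-pc vendor=MSFT_5.0
this line is garbage and must be skipped
"""

LINE = re.compile(r"^(\S+) ([A-Z_]+) (.+)$")


def parse(line):
    """Split one log line into (timestamp, event, fields) or return None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return ts, event, fields


def find_shared_macs(log_text):
    """Return {mac: [fingerprints]} for accepted MACs seen with more than one
    (hostname, vendor) DHCP fingerprint, i.e. likely used by two devices."""
    fingerprints = defaultdict(set)
    accepted = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        _, event, fields = rec
        mac = fields.get("mac", "").lower()  # normalise case before comparing
        if not mac:
            continue
        if event == "PORTAL_ACCEPT":
            accepted.add(mac)
        elif event == "DHCPREQUEST":
            fingerprints[mac].add((fields.get("hostname", "-"), fields.get("vendor", "-")))
    return {m: sorted(f) for m, f in fingerprints.items() if m in accepted and len(f) > 1}


if __name__ == "__main__":
    for mac, fps in find_shared_macs(SAMPLE_LOG).items():
        print(mac, "seen with fingerprints:", fps)
```

A changed hostname alone can be benign (a guest renaming a machine), so a result here is a prompt to look closer, not proof of anything.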
Isn’t this a little extreme?
If by “extreme” you mean “illegal”, the answer is no. Spoofing doesn’t become illegal until you use it to acquire private information you’re not supposed to have access to (which requires a lot more work anyway). The Nintendo Wii is flawed in that it doesn’t include a web browser with it by default, and even if it were installed, it wouldn’t believe it was actually able to connect to the Internet. Perhaps I’ll send Nintendo a little suggestion so they’ll release a patch in their next update sweep. Though it surprises me that they’ve not encountered this problem, considering they sell Nintendo Wii carrying cases for smug Wii-owners to take their Wiis to their non-Wii-owning friends’ houses so they can show it off over and over… though this probably doesn’t take place in nice hotels with moderate network security in place. And Nintendo would probably ignore me because they charge people to buy their web browser (you have to be able to download it from their servers anyway), which is required to view and agree to Holiday Inn’s agreement page.
So I suppose the next best place to put the blame is on Holiday Inn… and we know that IT guy isn’t in the mood to revamp company policy (and I can’t really think of an easy solution, other than unblocking the MAC). You see, it becomes this dilemma of, “Just how out of my way should I have to go?” If I had a Backtrack CD with me right now, I’d hopefully be able to solve this problem in 5 minutes. To me, that’s the opposite of extreme. I’d call it practical (for me). For most people, they’re either stuck with a design flaw in their game console, or hotel Internet policies that were not designed to accommodate these kinds of dumb devices. Quite a double-bind we have here.
Well, I’ve got some sleep to get… At least they have nice pillows here and the bathroom sink is to die for!