It seems that some hotels are actively altering web pages served over
their guest internet connections. Justin Watt noticed that there was
something wierd on his personal blog when browsing through hotel WiFi;
after checking a couple of other blogs, he concluded:
Somewhere between the internet and my computer, someone [was] injecting JavaScript into EVERY SINGLE PAGE I LOAD.
I found a utility that unpacks packed JavaScript, and it only took a quick skim of advnads20.js (over 1900 lines reformatted) to estimate that its primary purpose is ad injection/takeover.
It seems as though the code was injected deliberately, by a device
disturbingly named the Revenue eXtraction Gateway (RXG), made by RG
Nets; see Justin’s blog for more details.
This is very disturbing from a security perspective. To an attacker,
this RXG device is a perfect target; if you could add a hook to a
drive-by kit (e.g. this week’s hot topic: the Flashback malware
attacking OS X), you could target every user on that network. This
device is, by design, a man-in-the-middle rewriting attack.
John Gruber’s observation:
Yet another reason to bring your own 3G or LTE hotspot with you when you travel.
I couldn’t agree more. If you can’t, look for other alternatives — like
a corporate VPN, an SSH port forward (use -D) to a trusted host (e.g. EC2
or Linode) — and use SSL as much as possible.
Let’s hope the wireless carriers don’t feel the need to install these devices into their networks.
(ᔥ New York Times and Daring Fireball)