Red Carpet Club WiFi

Danny McPherson posts about his experience with the free WiFi in the United Red Carpet Club:
More interesting is perhaps the access model they employ. To login, all you need is the United Mileage Plus number of the primary Red Carpet Club account holder. Now, having long questioned the wisdom of a luggage tag that displays these numbers, be it a "hole-punched" Mileage Plus membership card, or a more obvious oval-shaped Red Carpet Club tag, I'm even more wary now. But if you're in a bind and need your airport wireless fix, odds are you won't have to walk far to find one available for the taking. As a matter of fact, I see two from where I'm sitting right now.

I've yet to explore how difficult it would be to exhaustive search for valid numbers, or if multiple logins are permitted at a given time, or how far outside of the Red Carpet Club these numbers are valid, or... I also wonder how long it'll be until some poor schmuck is arrested for allegedly downloading child porn from an airport wireless network...

If this were a wired network this wouldn't be a security problem. After all, if you're inside the RCC, presumably you're an RCC member (unless you bought a day pass), in which case you should be entitled to use the network. But as Danny indicates, the wireless AP is probably accessible from outside the RCC, so if you sit outside the club, you should be able to get on the network, making it just a matter of having a valid Mileage Plus number, which you can get off of someone's luggage tag.

As far as exhaustive search goes, MP numbers are 11 digits long, but the first digit seems to always be zero, so this is a 10-digit space. I don't know how many RCC members there are, but Wikipedia claims that there are about 750,000 Premier and Premier Executive members, so let's say there are on the order of 200,000 RCC members, or 2*10^{-5} of the space. If the numbers are randomly distributed, you'd need to search about 100,000 numbers in order to find one. This could take quite some time (over a day at one per second). You might be able to get some leverage because the distribution isn't random. They seem to be issued in some kind of increasing sequence, though there seem to be too many numbers for it to be strictly sequential. If there's a check digit like in credit card numbers, this would make the space a lot easier to search. (If someone knows the actual algorithm, please write in.) Of course, you only need to know a few valid numbers, so this might not be a totally prohibitive attack if reading it off someone's tag weren't so easy.

Three more thoughts:

  • RCC entry itself is a lot more valuable than access to the wireless, since the wireless access doesn't cost United much, but access to the club costs them food and (in the International terminal) free drinks. I assume it's not hard to forge an MP card once you know a valid number. I'm not an RCC member so usually when I'm there it's on the "international ticket" + Star Alliance Gold exception, so they check my ticket, which is hard to forge. Do they insist on seeing your ticket if you're an RCC member? If not, this is actually a new attack vector on the RCC, since it would let you extract numbers even if it weren't easy to read them off other people's luggage.
  • There's actually a fairly easy way to secure the system against remote attacks (ones that don't involve somehow gaining access to the RCC interior) that wouldn't require lining the RCC walls with copper sheeting. For the first login to the RCC network, require not just your RCC #, but also a random passcode given to people on entrance (or maybe posted on the wall). After that, you can install a cookie on their computers and just let them on without a new login. 1
  • I'm a bit curious how the system checks for RCC number validity. Does it have a local copy of the RCC database? Is it connected to United's central systems? That could be interesting.

1 See draft-rescorla-stateless-tokens for a description of some techniques for avoiding the need for a centralized cookie database.
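As an added illustration of the second bullet and its footnote (not code from the original post, and not taken from the referenced draft), here is a sketch of a portal that demands the in-club passcode on first login and then issues a MAC-protected cookie it can verify later without any cookie database. The names `SERVER_KEY`, `TOKEN_LIFETIME`, `daily_passcode`, `issue_token` and `verify_token`, the 30-day lifetime and the six-digit daily code are all assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the portal
TOKEN_LIFETIME = 30 * 24 * 3600       # assumption: cookie is good for 30 days


def _mac(label: bytes, data: str, key: bytes) -> bytes:
    # The label separates passcode derivation from cookie authentication.
    return hmac.new(key, label + b"|" + data.encode(), hashlib.sha256).digest()


def daily_passcode(day: str, key: bytes = SERVER_KEY) -> str:
    """Six-digit code handed out or posted inside the club on `day`."""
    value = int.from_bytes(_mac(b"passcode", day, key)[:4], "big")
    return f"{value % 10**6:06d}"


def issue_token(member, passcode, day, now, key=SERVER_KEY):
    """First login: member number plus the in-club passcode yields a cookie."""
    if not member.isdigit():  # also keeps '|' out of the cookie body
        return None
    if not hmac.compare_digest(passcode.encode(), daily_passcode(day, key).encode()):
        return None
    # Checking the number against the membership database is not modelled.
    body = f"{member}|{now + TOKEN_LIFETIME}"
    return f"{body}|{_mac(b'cookie', body, key).hex()}"


def verify_token(token, now, key=SERVER_KEY):
    """Later logins: the cookie proves itself; no server-side cookie table."""
    try:
        member, expires, tag = token.split("|")
        expiry = int(expires)
    except (AttributeError, ValueError):
        return None
    expected = _mac(b"cookie", f"{member}|{expires}", key).hex()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return member if now < expiry else None


if __name__ == "__main__":
    day, now = "2024-01-15", 1_705_300_000  # constructed sample values
    cookie = issue_token("01234567890", daily_passcode(day), day, now)
    print(verify_token(cookie, now + 60))
    print(issue_token("01234567890", "guess", day, now))
```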

3 Comments

I think you are making the mistake of assessing the security of the system without actually determining the risk the system is intended to control.

WiFi access is not a particularly valuable commodity. But the Airport may well want to prevent fair competition with their overpriced monopoly product. (Yeah I know about the FCC ruling but it does not mean quite as much as people imagine. The airlines have an interest in not annoying the airport unnecessarily).

Sounds like an entirely reasonable security scheme for the application.

Never confuse "security controls" with alternative motives. I seriously doubt United considers this a security control. It's a lot of effort for mitigation for unauthorized access to the wireless network. My guess is that they are more interested in -who- is using their wireless. Potentially for marketing purposes in the future.

Northwest Worldclubs employs an incredibly sophisticated mechanism to control who has access to their wireless. They change the wireless password every day and post it inside the club.

For what it's worth, I have verified that American Airlines (who employs a scheme identical to your description) does verify that each user is logged in no more than once.
