Tag Archives: Hilton

FCC Going After Companies That Block Personal WiFi

Some of you may remember that the FCC fined Marriott $600,000 a year ago when it was disclosed that Marriott was blocking personal WiFi hot spots so that customers were forced to use the hotel’s convention center WiFi, which often costs hundreds of dollars a day or more.

This summer, the FCC fined Smart City, an ISP for convention centers and hotels, $750,000 for doing the same thing.

Now they are fining M.C. Dean $718,000 for blocking personal WiFi connections.  M.C. Dean charges exhibitors up to $1,000 a day for WiFi access at the Baltimore Convention Center.

The FCC has proposed to fine Hilton $25,000 for obstructing an investigation by failing to turn over documents for over a year.  They said that fine could go up a lot if Hilton continues to fail to hand over documents related to WiFi blocking.

From the hotel’s and provider’s standpoint, they don’t want anyone to interfere with their very expensive WiFi service.

From the FCC’s standpoint, the law says that you cannot block free spectrum even if it might interfere with you making money by selling access to that spectrum.

It certainly appears that blocking WiFi signals to force you to buy their service could be a standard practice at major hotel chains, especially in the convention center areas.  In my experience in staying at hotels, my personal WiFi hot spot often does not work.

The FCC says that the blocking tools are not exactly precise in nature and sometimes blocked WiFi signals in passing cars in Baltimore.

M.C. Dean said that they did use “auto-block” mode which automatically attempts to kill any WiFi connection that is not going to a paid session.

By fining these companies a few million dollars collectively, the companies are not going to go broke, but I would not be surprised if fines go much higher for repeat offenses.

The fine for jamming can go as high as $112,500 per act or $16,000 per day.  That means if you block just 1,000 sessions, you could be fined $112 million.  That would likely get people’s attention.  1,000 sessions could occur in 1 day at a busy convention center.

Unfortunately, as more people use WiFi, there will be competition for access and possibly more of this kind of activity.

Clearly, charging you $1,000 a day for WiFi access makes these hotels a lot of money.  Maybe not enough to pay a hundred-million-dollar fine, but a lot of money nonetheless.

On the other hand, if big companies start cancelling conventions over it, that will get the companies’ attention.

Material for this post came from Network World.

Hilton Honors Web Site Flaw Found and Fixed

I have to both harass and compliment Hilton.

Until recently, Hilton was offering Honors members 1,000 points to change their passwords.

First the harassment:

A security staffer at BancSec figured out that you could hijack any other Honors account by guessing or knowing the account number and making a small change to the site’s HTML.

The hacker could then redeem points, change the password and do anything that the hacked user would be able to do.

This might indicate a lack of white hat hacking on Hilton’s part.

And now the compliment part:

After being informed, Hilton immediately blocked password changes, effectively stopping, at least, the hijack part of this hack.  Hilton quickly fixed the flaw as well.

This hack, a cross-site request forgery attack, also exposed some design flaws.  For example, Hilton did not require you to enter your old password when you changed your password.  If they had, the attackers in this case would not have been able to hijack random accounts because they did not know any of the existing passwords.
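To make the design point concrete, here is an added example (not Hilton's code and not from the original post) that puts a password-change handler with the weaknesses described above beside a hardened one. The account numbers, passwords, field names and function names are all hypothetical, and it assumes the target account arrived as a client-editable form field.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample data: hypothetical account numbers and passwords.
ACCOUNTS = {"1001": make_account("alice-old-pw"), "1002": make_account("bob-old-pw")}

def login(account_no: str) -> dict:
    """Server-side session; the anti-CSRF token is bound to this session."""
    return {"account_no": account_no, "csrf": secrets.token_urlsafe(32)}

def check_password(account_no: str, password: str) -> bool:
    acct = ACCOUNTS[account_no]
    return hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"])

def change_password_weak(session: dict, form: dict) -> bool:
    # Weak pattern: the target account is taken from the submitted form,
    # there is no anti-CSRF token, and the old password is never requested.
    acct = ACCOUNTS.get(form.get("account_no", ""))
    if acct is None:
        return False
    acct["hash"] = _hash(form["new_password"], acct["salt"])
    return True

def change_password_hardened(session: dict, form: dict) -> bool:
    # 1. Reject forged cross-site requests: the token must match the session's.
    token = form.get("csrf", "").encode()
    if not hmac.compare_digest(token, session["csrf"].encode()):
        return False
    # 2. Ignore any account number in the form; act only on the session's account.
    account_no = session["account_no"]
    # 3. Require the current password before accepting a new one.
    if not check_password(account_no, form.get("old_password", "")):
        return False
    ACCOUNTS[account_no] = make_account(form["new_password"])
    return True
```

Any one of the three checks in the hardened handler would have stopped the hijack described here; together they also cover the case where a single check is bypassed.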

Apparently, the 1,000 point reward was designed to speed up the migration from Hilton’s old 4-digit PIN login security to an 8-digit complex password.  The old 4-digit PIN security caused a large number of Hilton Honors accounts to be hijacked last year.  Users will be forced to select a password starting April 1st if they try logging on with their PIN.