Hot, free and dangerous
Expect mobile mayhem
Tunnelling can obtain free WiFi hotspot access, says Ken Munro. This could mean users bypass your content filters.
It's possible to obtain free wireless hotspot internet access with DNS or ICMP “tunnelling”. While this may upset hotspot service providers, each packet carries only a small payload, so it doesn't give particularly fast connections and probably won't appeal to the bandwidth-hungry.
When authenticating to, or buying airtime from, a hotspot, you will invariably open a browser window, which is redirected to the service provider's web page so that you can buy airtime. The domain name system (DNS) has to be reachable before you have paid, so that you can resolve www.airtime-provider.com to an IP address your network card can deal with. The access point will probably also allow “pinging” using internet control message protocol (ICMP) to check that the connection is “up”. Those two unauthenticated services are the foothold.
DNS tunnelling involves inserting data into DNS packets. It's a fairly technically involved process of using “space” in the packet that can carry additional data. Outbound, the data goes in the name being queried; inbound, a DNS response can carry a TXT record, each string of which holds up to 255 bytes of arbitrary text, with the whole reply constrained by the 512-byte limit of a classic UDP DNS message. You fragment the data, maybe an HTTP request, across a series of queries for names under a domain you control. The hotspot's resolver cannot answer those names itself, so it forwards each query to your authoritative server, which reassembles the fragments, fetches the page, and sends it back chunked into TXT replies. String a large number of packets together and you get all the free web browsing you want.
Other features of DNS packets that can be used include CNAME records, but they are limited because a CNAME target is a hostname, which only allows the digits 0-9, the letters A to Z and the hyphen, so the data must first be encoded into that alphabet (base32, for example). EDNS0, which extends DNS query and response datagrams beyond the 512-byte UDP limit, allows more data per message. A and MX records are DNS features too, not ICMP, and they are troublesome: an A record carries only four bytes and an MX record only a preference value and a hostname. ICMP tunnelling is simpler than any of this, because the echo request and echo reply packets that ping uses carry an arbitrary payload, and that payload is the tunnel.
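The fragment, encode, reassemble cycle described above, as an added example that is not from the article or its author. It assumes a hypothetical attacker-controlled domain, t.example.net, and uses a constructed HTTP request and response as sample traffic; the sequence label is there because a resolver issues queries in parallel and retries on timeout, so fragments can arrive at the server out of order.

```python
from __future__ import annotations
import base64

# Assumptions for this example (not from the article): the tunnel endpoint is
# an authoritative server for a domain the attacker controls, here the
# hypothetical "t.example.net". Any resolver, including a hotspot's, forwards
# queries for names under that domain to it; that forwarding is the tunnel.
TUNNEL_DOMAIN = "t.example.net"
MAX_LABEL = 63          # RFC 1035: one label is at most 63 octets
MAX_NAME = 253          # a full textual name is at most 253 characters
TXT_STRING_MAX = 255    # each <character-string> in TXT RDATA is at most 255 octets
LABELS_PER_QUERY = 3    # payload labels per query name; keeps names under MAX_NAME


def encode_upstream(data: bytes, domain: str = TUNNEL_DOMAIN) -> list[str]:
    """Client side: turn raw bytes (e.g. an HTTP request) into DNS query names.

    Base32 is used because hostname labels only allow letters, digits and
    hyphens (the same restriction the article notes for CNAME targets), and
    base32 is case-insensitive, so it survives resolvers that lower-case names.
    A hex sequence label is prepended so the server can reorder fragments.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(b32), per_query)):
        chunk = b32[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = f"{seq:04x}." + ".".join(labels) + "." + domain
        if len(name) > MAX_NAME:
            raise ValueError("tunnel domain too long for this label layout")
        names.append(name)
    return names


def decode_upstream(names: list[str], domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: reassemble the query names into the original bytes."""
    suffix = "." + domain
    chunks: dict[int, str] = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue                      # unrelated query, ignore it
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding stripped above
    return base64.b32decode(b32)


def encode_downstream(data: bytes) -> list[bytes]:
    """Server side: split a reply (e.g. an HTTP response) into TXT strings.

    TXT RDATA is a sequence of <character-string>s of at most 255 octets
    each. A classic UDP DNS message is capped at 512 bytes in total, so only
    one or two of these fit per response unless the client advertises EDNS0.
    """
    b64 = base64.b64encode(data)
    return [b64[i:i + TXT_STRING_MAX] for i in range(0, len(b64), TXT_STRING_MAX)]


def decode_downstream(strings: list[bytes]) -> bytes:
    """Client side: join the TXT strings and undo the base64."""
    return base64.b64decode(b"".join(strings))


# Constructed sample traffic (not captured from a real hotspot).
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    queries = encode_upstream(SAMPLE_REQUEST)
    for q in queries:
        print(q)
    print(decode_upstream(queries) == SAMPLE_REQUEST)
    print(encode_downstream(SAMPLE_RESPONSE))
```

Note the asymmetry: a query name can carry roughly 190 bytes of base32 text per request, while the reply is limited by the 512-byte UDP ceiling unless EDNS0 is negotiated, which is why the downstream direction, the one that carries the web page, is the slow one.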
Is DNS tunnelling legal? Almost certainly not, although the Computer Misuse Act could be clearer. The argument in its favour runs like this: you never need to view the hotspot operator's web page, so you never agree to any of the provider's conditions of use, and the provider gives you access to its DNS service before you get access to the hotspot service itself. That means you're already using a service you were given, though not for the purpose the provider intended.
This is not just a WiFi issue, though. The same tunnelling techniques have an application elsewhere that should concern IT security managers everywhere: your internal users may be able to use them to bypass web content filters.
In business we like to know what traffic is circulating in our networks. Knowing this can protect us from very expensive and embarrassing public floggings at the hands of regulators and the law. Depending on your LAN configuration, it is often possible for an internal user to encapsulate HTTP traffic in DNS and ICMP packets, which may render your content filters useless.
So don't allow internal users direct access to external DNS: only your internal resolvers and your proxy server should be able to reach the internet on port 53, and check that employees can't ping external hosts using ICMP. Be aware that this does not close the hole on its own. A tunnel only needs your internal resolver to forward queries for the attacker's domain to the attacker's authoritative server, and forwarding queries it can't answer is exactly what a resolver does. The data encapsulated in DNS or ICMP packets can also be encoded, or even encrypted, so inspection at the corporate firewall can show that odd traffic is flowing, but not what it says.
A simple indication of DNS or ICMP tunnelling is a high number of requests from a single internal user, especially a stream of never-repeated, long, random-looking names under one domain. This should always be checked, as it could indicate that something untoward is going on.
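The volume check described above, extended to the other tell-tales of a tunnel (names that never repeat, long high-entropy labels, oversized or very frequent echo requests), as an added example that is not from the article or its author. The log lines are constructed in a deliberately generic "<time> <client> <proto> <detail>" shape, not the format of any real resolver or firewall, and the thresholds are illustrative assumptions to be tuned against your own baseline. It assumes the log comes from the internal resolver, where the client address is the user's workstation; at the perimeter firewall every forwarded query appears to come from the resolver itself, and per-user attribution is lost.

```python
from __future__ import annotations
import base64
import hashlib
import math
from collections import defaultdict

# Illustrative thresholds (assumptions, not values from the article).
MIN_QUERIES = 50          # queries from one client to one base domain
MIN_UNIQUE_RATIO = 0.9    # share of those queries whose full name never repeats
MIN_MEAN_LEN = 40         # mean length of the part left of the base domain
MIN_ENTROPY = 3.5         # bits per character of that part; real hostnames score lower
ICMP_MAX_PAYLOAD = 64     # ping defaults are 32 (Windows) and 56 (Linux) bytes
ICMP_MAX_ECHOES = 100     # echo requests from one client in the log window


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(name: str) -> str:
    """Assumption: the last two labels are the registrable domain.
    Production code should use the public suffix list (co.uk and friends)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def analyse(lines: list[str]) -> list[dict]:
    """Aggregate per (client, base domain) for DNS and per client for ICMP, then flag."""
    dns = defaultdict(lambda: {"n": 0, "names": set(), "lens": [], "ents": []})
    icmp = defaultdict(lambda: {"n": 0, "max_payload": 0})
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, proto = parts[1], parts[2]
        if proto == "dns":
            qname = parts[3].lower()
            bd = base_domain(qname)
            left = qname[:-(len(bd) + 1)] if len(qname) > len(bd) else ""
            s = dns[(client, bd)]
            s["n"] += 1
            s["names"].add(qname)
            s["lens"].append(len(left))
            s["ents"].append(shannon_entropy(left.replace(".", "")))
        elif proto == "icmp" and parts[3] == "echo-request":
            payload = int(parts[4]) if len(parts) > 4 else 0
            i = icmp[client]
            i["n"] += 1
            i["max_payload"] = max(i["max_payload"], payload)

    findings = []
    for (client, bd), s in dns.items():
        unique_ratio = len(s["names"]) / s["n"]
        mean_len = sum(s["lens"]) / s["n"]
        mean_ent = sum(s["ents"]) / s["n"]
        if (s["n"] >= MIN_QUERIES and unique_ratio >= MIN_UNIQUE_RATIO
                and mean_len >= MIN_MEAN_LEN and mean_ent >= MIN_ENTROPY):
            findings.append({"client": client, "kind": "dns-tunnel?", "domain": bd,
                             "queries": s["n"], "unique_ratio": round(unique_ratio, 2),
                             "mean_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2)})
    for client, i in icmp.items():
        if i["n"] >= ICMP_MAX_ECHOES or i["max_payload"] > ICMP_MAX_PAYLOAD:
            findings.append({"client": client, "kind": "icmp-tunnel?",
                             "echo_requests": i["n"], "max_payload": i["max_payload"]})
    return findings


def build_sample_log() -> list[str]:
    """Constructed traffic: one ordinary client, one DNS tunneller, one ICMP tunneller."""
    lines = [
        "10:00:01 10.0.0.5 dns www.example.com",
        "10:00:02 10.0.0.5 dns mail.example.com",
        "10:00:03 10.0.0.5 dns www.example.org",
        "10:00:04 10.0.0.5 icmp echo-request 56",
    ]
    # 10.0.0.9 pushes 60 base32 fragments through names under the hypothetical t.example.net
    for i in range(60):
        payload = hashlib.sha256(str(i).encode()).digest()[:30]     # 30 bytes -> 48 chars
        chunk = base64.b32encode(payload).decode().lower()
        lines.append(f"10:01:{i % 60:02d} 10.0.0.9 dns {i:04x}.{chunk}.t.example.net")
    # 10.0.0.7 sends 120 echo requests with a 1024-byte payload
    for i in range(120):
        lines.append(f"10:02:{i % 60:02d} 10.0.0.7 icmp echo-request 1024")
    return lines


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(finding)
```

The four DNS criteria are deliberately combined rather than used alone: a busy mail server or a content-delivery network also produces many queries to one domain, and chatty software produces many unique names, but neither produces long, high-entropy names that never repeat at the rate a tunnel does.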
Incidentally, while I was using a Cloud hotspot recently (with legitimate intention), I connected and opened a browser to buy airtime. Even before I entered my details, Messenger had signed in and a colleague messaged me. It would appear that, due to a configuration error, the hotspot was allowing Messenger traffic to pass uninterrupted, yet HTTP traffic was proxied to the “buy airtime” page. I'll survey the access points I use over the next few months and update you as to whether this was a one-off or a wider issue. If you've had a similar experience, please contact me.