Some random technical notes on the T-Mobile WiFi Hotspots offered at locations such as Starbucks. Since I spend a fair amount of time at the 24-hour Starbucks on Washtenaw, I often end up playing around with the Cisco WAP instead of actually doing work.
Cisco WAP Devices
The T-Mobile hotspots are powered by a WAP and access control device from Cisco. I attempted several times to social engineer my way into the back of a Starbucks to get a picture of the actual equipment, but to no avail. Before authentication, any HTTP request to port 80 or 8080 is redirected to the T-Mobile hotspot portal via an HTTP 302 redirect. After successful authentication, requests originating from a host with an authorized MAC and IP address tuple are allowed through.
Unlike many of the pay-for-access hotspots which hijack any outgoing DNS requests, the T-Mobile hotspots allow unrestricted traffic through UDP port 53. By using a tunneling mechanism over port 53, one can obtain unrestricted internet access without having to pay the access charges. I personally prefer using OpenVPN. More complex covert channel tunneling mechanisms such as NSTX and OzyManDNS can be used in scenarios where a client's DNS requests are filtered by the hotspot.
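From the operator's side, the practical counter to leaving UDP/53 open is to profile each client's DNS queries rather than block the port. The following is an added example (not code from the original notes or from any T-Mobile or Cisco product) that reads a constructed query log in an assumed "src_ip qtype qname" format and flags clients whose queries look like a data channel: long first labels, high per-label entropy, and a high share of TXT/NULL lookups. The thresholds are assumptions chosen for the sample, not tuned production values.

```python
"""Per-client DNS query profiling to spot tunnelling-style use of UDP/53.

Added example, not from the original notes. The log format ("src_ip qtype qname",
one query per line) and the thresholds below are assumptions for this example.
"""
import math
from collections import defaultdict

# Constructed sample: two ordinary clients, and one client whose queries carry
# long high-entropy labels under a single domain, mostly as TXT lookups.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA www.example.com
10.0.0.7 A cdn.example.net
10.0.0.7 A www.example.org
10.0.0.9 TXT 7a9f0c3b2e1d4f8a6b5c9e0d1f2a3b4c.t.tunnel-example.net
10.0.0.9 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.t.tunnel-example.net
10.0.0.9 TXT 1f2e3d4c5b6a7988a1b2c3d4e5f6a7b0.t.tunnel-example.net
10.0.0.9 A 5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.t.tunnel-example.net
10.0.0.9 TXT 0e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b.t.tunnel-example.net
"""


def shannon_entropy(text):
    """Bits per character: hostnames are low, hex payloads approach 4, base32/64 higher."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the assumed log format into (src_ip, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        src, qtype, qname = parts
        records.append((src, qtype.upper(), qname.lower().rstrip(".")))
    return records


def per_host_features(records):
    """Aggregate query count, TXT/NULL share, first-label length and entropy per client."""
    acc = defaultdict(lambda: {"n": 0, "txt": 0, "label_len": 0, "entropy": 0.0})
    for src, qtype, qname in records:
        a = acc[src]
        first_label = qname.split(".")[0]  # where tunnels usually carry their payload
        a["n"] += 1
        a["txt"] += qtype in ("TXT", "NULL")
        a["label_len"] += len(first_label)
        a["entropy"] += shannon_entropy(first_label)
    return {
        src: {
            "queries": a["n"],
            "txt_ratio": a["txt"] / a["n"],
            "avg_label_len": a["label_len"] / a["n"],
            "avg_entropy": a["entropy"] / a["n"],
        }
        for src, a in acc.items()
    }


def flag_suspicious(features, min_queries=3, label_len=20, entropy=3.5, txt_ratio=0.5):
    """Return {src: [reasons]} for clients that trip at least two of three indicators.

    Requiring two indicators keeps single long CDN hostnames or one-off TXT
    lookups (SPF, DKIM) from producing false positives.
    """
    flagged = {}
    for src, f in features.items():
        if f["queries"] < min_queries:
            continue  # too little data to judge
        reasons = []
        if f["avg_label_len"] > label_len:
            reasons.append("long labels")
        if f["avg_entropy"] > entropy:
            reasons.append("high entropy")
        if f["txt_ratio"] > txt_ratio:
            reasons.append("txt heavy")
        if len(reasons) >= 2:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    feats = per_host_features(parse_log(SAMPLE_LOG))
    for src, reasons in flag_suspicious(feats).items():
        print(src, feats[src], reasons)
```

Run on the constructed sample, only 10.0.0.9 is flagged, on all three indicators. In practice this profile is one input to a rate limit or a quarantine on the client's MAC/IP tuple; it will not see queries that never leave the client (a tunnel endpoint reached over a different port) and it is blind to a tunnel that is slow enough to stay under the query-count floor.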
ARP Spoofing Mitigation
An interesting feature of the Cisco WAP devices powering the hotspot is their defense against ARP spoofing attacks. If the access point observes a broadcast ARP reply for its own IP address that carries a hardware address other than its own, it immediately sends out its own ARP reply with the correct hardware address in an attempt to undo any ARP cache poisoning. While this type of defense may not be feasible in a general network setting, where the gateway's hardware address can legitimately change, the unique characteristics of a restricted hotspot deployment make it possible.
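The corrective-reply behaviour described above can be modelled in a few dozen lines. The following is an added example, not code from the original notes or from Cisco: it pins a single gateway IP-to-MAC binding (the addresses are hypothetical, constructed for the example), parses real 28-byte Ethernet/IPv4 ARP payloads, and, when a reply claims the gateway's IP with a foreign MAC, emits a broadcast reply carrying the true binding. A naive client cache is included to show the entry being poisoned and then overwritten again.

```python
"""Gateway ARP-binding enforcement, modelled on the behaviour described above.

Added example, not code from the original notes or from Cisco. It assumes a
fixed, known gateway IP/MAC binding (hypothetical addresses below) and works
on raw 28-byte ARP payloads, so the parsing matches the wire format.
"""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Hypothetical addresses, constructed for this example.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "aa:bb:cc:dd:ee:01"
ROGUE_MAC = "de:ad:be:ef:00:01"


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Serialise a 28-byte Ethernet/IPv4 ARP payload (Ethernet header not included)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), ip_to_bytes(spa),
                       mac_to_bytes(tha), ip_to_bytes(tpa))


def parse_arp(payload):
    """Parse an ARP payload; rejects anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


class GatewayArpGuard:
    """Pins the gateway's IP->MAC binding, as the access point is described as doing.

    observe() inspects an ARP payload seen on the segment and, when a reply
    claims the gateway's IP with a foreign MAC, returns a corrective broadcast
    reply carrying the true binding (None otherwise).
    """

    def __init__(self, gateway_ip, gateway_mac):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.spoof_attempts = []  # foreign MACs seen claiming the gateway IP

    def observe(self, payload):
        arp = parse_arp(payload)
        if arp["oper"] != ARP_REPLY or arp["spa"] != self.gateway_ip:
            return None
        if arp["sha"] == self.gateway_mac:
            return None  # the gateway itself answering: nothing to correct
        self.spoof_attempts.append(arp["sha"])
        # Gratuitous-style reply: sender = true gateway binding, target = broadcast.
        return build_arp(ARP_REPLY, self.gateway_mac, self.gateway_ip,
                         BROADCAST_MAC, self.gateway_ip)


class ClientArpCache:
    """A naive client that trusts any ARP reply, which is what cache poisoning relies on."""

    def __init__(self):
        self.table = {}

    def apply(self, payload):
        arp = parse_arp(payload)
        if arp["oper"] == ARP_REPLY:
            self.table[arp["spa"]] = arp["sha"]


def simulate_poison_and_recover():
    """Feed one spoofed reply past the guard; return (poisoned, final, attempts)."""
    guard = GatewayArpGuard(GATEWAY_IP, GATEWAY_MAC)
    client = ClientArpCache()
    # Legitimate reply from the gateway: accepted, no corrective reply emitted.
    legit = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, "192.168.1.50")
    client.apply(legit)
    assert guard.observe(legit) is None
    # Broadcast reply mapping the gateway IP to a foreign MAC poisons the client...
    spoofed = build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, BROADCAST_MAC, GATEWAY_IP)
    client.apply(spoofed)
    poisoned = client.table[GATEWAY_IP]
    # ...until the guard's corrective reply overwrites the entry again.
    fix = guard.observe(spoofed)
    if fix is not None:
        client.apply(fix)
    return poisoned, client.table[GATEWAY_IP], list(guard.spoof_attempts)


if __name__ == "__main__":
    print(simulate_poison_and_recover())
```

Two caveats a practitioner would add: the guard only inspects replies, as the notes describe, while many IP stacks also update their cache from the sender fields of ARP requests, so a stricter implementation applies the same binding check to both opcodes; and the correction is a race, since the client keeps the rogue entry until the corrective reply lands, so the count in spoof_attempts is worth logging as an alert rather than silently repairing.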
RADB information on the CIDR block of the externally visible address belonging to the hotspot:
route:      220.127.116.11/18
descr:      T-Mobile USA IP Backbone
origin:     AS21928
remarks:    Snoqualmie DC specific
notify:     firstname.lastname@example.org
mnt-by:     MAINT-AS21928
changed:    email@example.com