Cruising with WiFi – Is that a travel router in your pocket?
by firestorm_v1 on Jan.10, 2019, under Embedded devices, Hardware, Networking
Internet access on cruise ships is now a common occurrence, and I frequently get questions on how to “game” the system and get Internet access without paying for it. The short of it is, you’re going to have to purchase at least one account to get anything online. The long of it lies in the rest of this article and it’ll be up to you to decide if it’s worth the effort. Quick spoiler alert: For me it wasn’t, and I ended up buying another access to get myself and my wife online at the same time. While it was a punch in the pocketbook, it was a lot cheaper to pay money to resolve than the costs incurred in other areas (time, frustration, etc.).
Before we get started
- Don’t mess with the ship. (This should be rule #1 on any cruise, really.) Don’t pentest, don’t spoof, don’t mess with other people’s vacations. Definitely don’t mess with the ship.
- This article does NOT cover how to “steal” WiFi. You will be required to get at least one “access” for any of this to work.
- This article does not cover a specific billing system or cruise line, nor does it cover any “hacking” of the billing system. Didn’t I mention, don’t mess with the ship? Good.
- This article MAY be against the Terms of Service or at the very least will be completely unsupported by the cruise line. Don’t even bother asking them for help with this.
Captive Portals explained
If you’ve ever been on a plane, or in a restaurant, dealership, mechanic shop, hotel, sporting event, coffee house, or even a bus or train that offers free Wi-Fi, chances are you’ve encountered a captive portal. Captive portals act as a gatekeeper between an internal network and the public Internet and manage the payment and authorization a device needs before it can get outside. Below, we’ll outline the steps involved with connecting to and gaining Internet access through a captive portal system:
- You associate your WiFi device with the wireless network as described by the site’s instructions (sign, business card, etc.).
- Your device pulls an IP address that is defaulted to a “deny outbound access” state. This means that any attempt to go outside the network gets redirected to a captive portal (unless the request is directed to a whitelisted website, such as the provider’s website or the business’s site).
- Your device tries to connect to a public site, fails, and triggers the “Internet access may not be available” warning (Android, iOS, Mac, and Windows all do this but present the alert in different ways).
- You open a browser and try to pull up a website (say google.com) and instead get redirected to a captive portal page that prompts you for information:
  - This could be an “I ACCEPT” button for a terms of service page (like hotel WiFi)
  - This could be an authentication page (for places offering prepaid WiFi)
  - This could be a page that’s set up with billing and plan details (for places offering on-demand paid WiFi)
- Once authentication credentials have been provided (or purchase completed, or the accept button pressed), the captive portal server confirms the account credentials and level of service, then sends that info to the firewall along with your device’s MAC address.
- The firewall then allows outbound access from the IP address associated to the MAC. Wherever the MAC appears on the network (even if the IP address changes), it will be allowed to communicate with the outside world.
- When the connectivity timer expires (say the plan only allows for one hour of connectivity), the captive portal server sends a command to the firewall to revoke the access rule for your MAC address, redirecting your outbound requests back to the captive portal page once again to re-authenticate or pay more money.
Cruise Ship specifics
Topology
Unlike most land-based environments, a cruise ship presents a challenge to providing wireless coverage to the guests. You have a very high density of WiFi devices in a very small space (tighter than that of hotels) which means that there are going to be multitudes of APs all around the ship. In our specific cruise ship, there was an in-wall AP for our stateroom, and a much more powerful one that covered the hallway. About every 50 feet in common areas (Lido Deck, Casino, Dining Rooms, Shops, Outdoor areas) were additional APs, and all of them had zero-handoff working so you could easily walk from bow to stern and maintain connectivity as you walked. The end result (and the reason why I’m even mentioning this) is to reinforce the fact that the AP you’re talking to in one part of the ship is not going to be the same AP you’re talking to in another part of the ship. Even if you’re in the same location, it’s entirely possible your AP may be different depending on user density for that AP.
Billing
Cruise ships are just like hotels in that the booking of a stateroom on a cruise ship (or booking a hotel room) creates a Folio account. This is essentially the “room” to charge things to (i.e. “Waiter, charge this to my room”), and in most cases is backed by a credit card that’s charged when the folio is closed at the end of your stay. Unlike most hotels, everything on a cruise ship is charged to the folio, from bar tabs, jewelry stores, casino, to stuff in the gift shop. (Hotels usually don’t allow gift shop items or casino transactions to be charged to the room.) When an Internet access plan is purchased through a cruise ship, it’s associated with a stateroom’s folio or an individual folio. When the user is directed to the captive portal page, they are prompted for the Folio number and the birthdate of the person with the Internet access. If no folio has Internet access, the user is prompted to buy one (which is then charged to the Folio account). Generally, this is a per-person (or per-folio) access, so if everyone in your cabin has a different folio number, then everyone has to buy a plan or they don’t get access. Using another member’s folio simply disconnects their device and authorizes yours so it is possible to “share” an account but only one at a time can be connected.
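The portal steps listed under “Captive Portals explained” and the one-device-per-folio behaviour described above can be modelled in a few lines. This is an added example, not code from any real billing system or cruise line; the class, method names, host name, folio number and MAC addresses are all hypothetical or constructed.

```python
# Added illustration: toy model of a MAC-keyed captive-portal gate (hypothetical).
from dataclasses import dataclass, field

WHITELIST = {"portal.ship.example"}  # constructed: host reachable before login


@dataclass
class PortalGate:
    plans: dict  # folio -> (birthdate, plan length in seconds)
    allowed: dict = field(default_factory=dict)  # firewall rules: MAC -> expiry
    session: dict = field(default_factory=dict)  # folio -> MAC now authorized

    def login(self, mac, folio, birthdate, now):
        """Portal: verify the folio, then have the firewall allow this MAC."""
        plan = self.plans.get(folio)
        if plan is None or plan[0] != birthdate:
            return False
        old = self.session.get(folio)
        if old is not None and old != mac:
            self.allowed.pop(old, None)  # one device per folio: drop the other
        self.session[folio] = mac
        self.allowed[mac] = now + plan[1]
        return True

    def check(self, mac, host, now):
        """Firewall: decide one outbound request by MAC only, never by IP."""
        if host in WHITELIST:
            return "allow"
        expiry = self.allowed.get(mac)
        if expiry is not None and now >= expiry:
            del self.allowed[mac]  # connectivity timer expired: revoke the rule
            expiry = None
        return "allow" if expiry is not None else "redirect-to-portal"


def demo():
    gate = PortalGate(plans={"F1001": ("1980-01-01", 3600)})
    phone_a, phone_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed MACs
    out = [gate.check(phone_a, "google.com", 0)]  # before login
    gate.login(phone_a, "F1001", "1980-01-01", now=0)
    out.append(gate.check(phone_a, "google.com", 10))  # authorized
    gate.login(phone_b, "F1001", "1980-01-01", now=20)  # same folio, 2nd device
    out.append(gate.check(phone_a, "google.com", 30))  # first device dropped
    out.append(gate.check(phone_b, "google.com", 30))
    out.append(gate.check(phone_b, "google.com", 3620))  # plan timer ran out
    return out

if __name__ == "__main__":
    print(demo())
```

Because the allow rule is keyed on a single MAC address, the gate has no view of how many devices sit behind a client that routes for others.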
Travel routers?
Travel routers are a relatively new thing and I’m so glad they are a thing now. Essentially they consist of a pair of WiFi interfaces (one acting as a “client”, one acting as an “AP”) and a wired Ethernet interface. When you first set it up, you are asked to choose one of several connection types, which then sets how the three interfaces act. There’s AP mode (like a standard AP: the Ethernet and WiFi AP are bridged, the WiFi client is disabled), there’s Router mode (Ethernet becomes “WAN”, WiFi AP becomes “LAN”) and then there’s hotspot mode (or WISP mode, where the WiFi client becomes WAN, and Ethernet and WiFi AP are bridged and become LAN). Some of the fancier travel routers have options where you can add a USB storage device and share storage or use DLNA for streaming content. (The AC750 offers SMB storage; however, it was not tested as part of this project.)
Testing reveals that not all travel routers are the same, and neither are WiFi networks.
In my first iteration of testing, I used a HooToo Titan device on Amazon; however, it miserably failed the security checking and so I won’t even bother linking it. The seller is still hounding me about the bad review I left about the device and requesting that something be done about its horrid security (SMB listening on WAN, Telnet open on WAN, etc.). Generally, avoid HooToo at all costs, it’s not worth the few bucks you’ll save.
Back to the drawing board, I came across the TP-Link N300 (TL-WR802N) Wifi Travel Router and ordered one to test with. Home testing appeared to work and I just happened to be leaving on a training seminar in Arizona and it passed all tests there too. I was able to use the N300 to provide wired Internet to a router I was training on. Unfortunately I found out that while I was away, one of our network guys decided to enable “OFDM Only” mode for our wireless SSIDs, which disabled the N300 from working. I would later find out that Cruise Ship WiFi is OFDM Only as well. TL;DR: OFDM only excludes .11b clients from connecting. You can find out more gory details here if you’re so inclined.
Again back to the drawing board, I came across TP-Link’s AC750 (TL-WR902AC) Wifi Travel Router and had great success. It connected to OFDM only networks as its client was 5GHz (802.11AC) and in doing so, would produce a 2.4 and 5GHz network as expected. This would be the device that would ultimately get me connected, but at a cost…
Actual on-the-ship experience
During my time on board, I tried with the N300 and could not get an association due to the density of the wireless network and the optimizations in place (OFDM Only) so I had to use the AC750. As soon as it booted, I was able to select an AP and pull an IP address and then I could associate my wife’s phone to the network it was producing. Once I entered my folio information into the captive portal, both of us were able to connect and do things.
There was one small problem though…
In our testing, I had powered the AC750 off of a large USB battery pack (large in capacity, not in size); however, as soon as we got out of range of the AP we were associated to, we both lost connectivity. A quick reassociation with a closer AP reconnected both of us, but it quickly became apparent that this would not work for a mobile solution. In order to get both phones to stick with the AC750’s wireless network, Auto-reconnect was turned off on the cruise ship’s wifi with the intent that the AC750 would handle the roaming and zero-handoff. (Hint: It didn’t.)
Know when to hold ’em, know when to fold ’em…
Anyone with a geeky mindset has that threshold of “cost” that once broken triggers the “Fix this NOW” reaction, be it the project gets scrapped, or the project is taken back to the drawing board, or even the project is abandoned and a more expensive avenue is executed. After having to reassociate the AC750 a total of 9 times moving from our stateroom, to the Lido, to the Casino, to the shopping, that threshold of “Fix this NOW” was crossed between having to re-login to the AC750 to reassociate and dealing with intermittent connectivity. With the WAF (Wife Approval Factor) in the toilet, I finally made the executive decision to scrap the project and purchased the same Internet plan for her as I had on my folio account. This got both of us online and without the need to reassociate anything as we traversed the ship. The connection was solid and wasn’t dependent on either one of us doing anything further.
Hard Mode
In Hard Mode (because why not), I introduced more hardware into the mix, the previously failed N300 and a Ubiquiti EdgeRouter X. The idea was that the EdgeRouter X would provide VPN connectivity for the LAN side and all outbound traffic would traverse the VPN. The AC750 was delegated as a ‘client’, set up in hotspot mode (WiFi WAN, Ethernet LAN) and would provide wired Internet for the EdgeRouter X. The N300 would be configured in AP mode and would connect to the EdgeRouter X’s LAN. Once the AC750 was authorized in the captive portal, the EdgeRouter X was connected and it worked exactly as expected, albeit SLOWLY because of the satellite Internet connection.
Final Notes:
There were several hurdles to overcome in this project:
- The use of OFDM only mode meant that only 802.11AC routers were compatible with the wireless network. OFDM Only mode is common in super dense environments (like a cruise ship).
- The requirement of travel routers to associate to the ship’s WiFi AP’s MAC address made it a pain in the rear to maintain connectivity if you were moving about the ship. If you were staying in place for a long time, or were only wanting to use wifi in your stateroom, this might be a workable solution.
- Being able to anticipate what kind of wireless environment I’d be in resulted in a mis-purchase which drove up project cost. Additionally, buying a HooToo router which was so insecure as to be unusable was another unexpected cost.
- Trying to carry around the AC750, a USB cable, and a USB battery pack is very bulky and inconvenient.
- Maintaining the happiness of those you’re cruising with is very important to the project’s success.
- The EdgeRouter X is a really good router if you need VPN connectivity while cruising! Its small size and international power supply mean you can use any plug to power it with the right adapter and it’s true that big things come in small packages.
In the end, it was far better for me to just purchase another account than it was for me to continue messing with the AC750. While technically it “worked” in that it did handle the captive portal authentication and devices associated to it were able to connect, its shortcomings in handling roaming were made very apparent when I had to manually select AP MACs to associate to. Had the device supported SSID-based association rather than MAC-based association and been able to hand off from one AP to the other, this plan might have actually worked in its entirety. As a fixed-location deployment, the AC750 worked exactly as I expected it to and would more than likely have worked.
Happy Hacking! Cruising!
FIRESTORM_v1