Wednesday, 15 September 2010

McDonalds Free Wifi in Australia

Sometimes you just need somewhere to park between meetings without forking out for outrageous parking fees, but you don't want to unplug or cough up for 3G data charges; there are some down sides but overall, it's a nifty service if you take into account what you can or cannot do.

Back story

In Australia, from the 3rd of November, 2008 through to the 13th of March, 2009 McDonalds Australia rolled out wifi to several hundred stores

My access experience

In the interests presumably of making sure that little Timmy doesn't see someone accessing untoward content, that access is equitable for all and an easy experience, McDonalds has employed filtering on select sites and only allows certain ports through. The access can be a bit bursty and persistent connections to my home computer can be a bit flaky unless there's fairly regular traffic over them (NAT timeout is very very low).

That said, I don't have a 3G dongle yet and data rates on my default phone plan are horrendous. Couple that with insane parking costs in the city, and if you have an hour or two you need to kill where you need somewhere to put your car and would still like to remain connected to the world for work or entertainment, then I believe Maccas can actually provide a convenient means of access.

The experience is not perfect, but then again, it's free with absolutely no requirement to purchase anything as far as I've been able to tell (though I suspect they rely on people succumbing to temptation!). McDonalds does not provide any power outlets in the dining areas for use by notebook users, so whilst they don't impose a time limit, I suspect they know you can only be there as long as your battery lasts or until you have to move your car. Depending on where you sit in the restaurant and which one you attend, screaming kids may also be time limiting factor...

Should you choose to try and stay in your car, you may find the reception rather poor, even immediately outside the restaurant. I suspect signal strength is kept to a minimum to try and keep it to people in the restaurant (Ie. Waiting at the drive through pickup area at my local can be a challenge - no mum, I don't go that often!).

How do you log in?

As with most free WiFi hotspots, the McDonalds Free WiFi service in Australia broadcasts its network name and employs no encryption. To connect:
  • Enable wireless on your computer/phone/other 802.11g enabled device
  • Scan for wireless networks, you should see one called "McDonald's FREE WiFi"
  • Connect to this network
  • Launch your web browser and attempt to access any page
  • You'll be redirected to the login splash screen
  • Agree to the Terms and Conditions (tick the box)
  • Click the Login button

Problems with logging in

The other night when I was at a particularly busy venue, I found that the default login server (http://login1.maccasfreewifi.net/weblogin.php/9) was timing out, so I followed a hunch and changed the "1" to a "2". Hey presto! If you find that you've gotten a connection to the network, but login1 isn't responding or the autoredirect to their login portal doesn't work, you can try:

To find out how much you've downloaded and how long you've been connected, look at:
The login1 server appears to be on an internet routable IP whereas login2 and 3 appear to be on 10/8 private IPs.

Or, for a more minimal experience, all of these embed a small iframe from:

How do they do it?

Offering 50MB per session with no time limits, I recall reading that the system uses the Telstra NextG (3G) network as a backbone with wireless routers in each store. Having seen a few different splash screens depending on which login server I've connected to, I noticed the Amigopod logo. Amigopod manufacture guest network access appliances (such as WiFi hotspots). Some IPs point to servers managed by Earthwave.

Presumably, putting this all together, Maccas connects to the Telstra NextG network using a custom APN which connects all the stores through to a set of core routers and HP Procurve switch gear with each store AP linking back to an array of Amigopod appliances which instruct each AP to allow a notebook through once the user has agreed to their T&Cs. Authorised connections are then routed through Earthwave's "Secure Internet Gateway" aka "Clean Pipes" service.

The interesting thing I noticed at one point, was if you resolved access1.maccasfreewifi.net from within the McDs free Wifi network, it pointed to an IP registered to Korea. I guess not too surprising if it is actually located in Korea. Korea is a very well connected country with plenty of broadband and a high gaming community, then it could be a bit of routing magic going on. That or load balancing perhaps? The same hostname points to Earthwave's server in Aus externally.

The last time I hooked up, I also noticed I was issued an IP in a 192.168.../28 net which suggests that either only 14 clients can connect at a time to the AP I was using or that each client is given its own isolated subnet.

What can you access?
  • HTTP (TCP 80)
  • HTTPS (TCP 443)
  • PPTP (TCP 1723 + GRE)
  • Cisco and Nortel VPN (UDP 500 + UDP 10000)
  • OpenVPN (TCP + UDP 1194)
  • POP3 (TCP 110) + POP3S (TCP 995)
  • IMAP4 (TCP 143) + IMAPS (TCP 993)
  • SMTPS (TCP 465 + 587)
  • MSN Messenger (TCP 1863)
  • iChat (UDP 5060, TCP + UDP 5190 ... assuming Jabber blocked)
  • Skype (you have to work hard to block it anyway)
What can't you access?
  • Adult sites (did a quick test to see what would happen - redirects to splash screen)
  • Peer to peer (untested)
  • SSH (TCP 22)
  • VoIP (Haven't tested)
  • One another (Peer to peer within restaurant is blocked)
I use SSH effectively as a VPN at times, so the restriction is a little annoying but not unsurmountable.

But why would I want to use a VPN or some sort of tunnel?

Being an unencrypted Wifi network, any traffic that goes between your device and the McDonalds restaurant AP is unencrypted. This means that any nefarious person nearby sniffing the wireless traffic could intercept anything not otherwise encrypted like HTTPS

If you feed everything through an encrypted tunnel, then what leaves your computer is encrypted and cannot be intercepted easily by anyone else (provided you're using secure encryption). One is still, however, in some circumstances potentially able to be attacked through Man-in-the-middle attacks if they're able to trick your client's SSL certificate verification or trick you into thinking you're seeing your bank etc.

For things like browsing news sites, I'm perhaps not too concerned - this said, with an appropriately engineered MITM attack, one could trick a user into thinking they were visiting a news site when really they were going to a hijacked server and then the user thinking they were on a trusted site could be hit with some browser based attacks of their system...

Regardless, when it comes to personal email accounts, banking etc. I'd recommend always making sure you're using HTTPS and would NEVER recommend using plain HTTP or POP3 or IMAP over an unsecure WiFi network. Gmail (I'm not sure about the others) offers the option for requiring that HTTPS is used for all connections.

Indeed, for these things, I'd recommend a VPN tunnel of some sort where you can verify the identity of the remote VPN gateway (such as knowing the public host key fingerprint of an SSH server you use).

Using SSH as a tunnelling method, I found that unless something was happening in the SSH session itself on a regular basis, the SSH connection would time out. Using the watch command, I had the shell perform an ls every 60 seconds on my home folder:
  • watch -n 60 ls
Not too big and it makes sure things don't fall idle. I occasionally had to kick my SSH session, but it came back ok.

So, how did you figure this all out?

I've based a lot of this upon the documentation available from the official website that explains how McDs Wifi works, however some of it comes from my experience at several restaurants. I've not used any kind of penetration tools, I've simply paid attention to the servers my web browser was contacting as well as the source code of the splash pages. Beyond that, all computers come with DNS query and traceroute tools. With regards to IP ownership of non RFC1918 IPs, I used the whois tool on my linux box at home.

I admit I might have got some of this mixed up. I'm open to corrections.

Why post this?

I'm a curious sort and how things work is something that interests me.

References
Your thoughts?

What do you think? 

5 comments:

  1. Hi Hogan. Have you checked out free wifi in public libraries yet??

    ReplyDelete
  2. Hi Greenstone Girl..

    No, can't say I have to be honest. It's been years since I set foot in a public library (I did used to work at one of my state's major libraries a few years back, but that was probably the last time).

    ReplyDelete
  3. Hi Hogan. You and I used to work at that major library together!

    ReplyDelete
  4. I had a sneaking suspicion who it was given timing of comment, mention of libraries and request on other site :)

    ReplyDelete

Hey... thanks for leaving a comment! Due to Casino spam, I've had to turn on moderation for some of the posts. Apologies - I do read every comment left!