Cancun Airport Attempts “Man-in-the-Middle Attack” On Web Connection

Warning: This post is technical.  The non-technical tl;dr is that while I was on the airport lounge network in Cancun, someone attempted to intercept my connection to my work server.


Mera Business Lounge @ CUN Airport

If my flight is in the evening on a weekday, I’ll often show up at the airport early, work from the airport lounge, and catch my flight.  They tend to have reliable Internet, I get to spend the day eating and drinking for free, and I don’t have to worry about traffic or making my flight on time.

I sat down in the “Mera Business Lounge” in CUN’s Terminal 3 last week and went to log into my work server via “SSH” — a secure protocol commonly used to interact with Linux computers — and was somewhat surprised to see this:

$ ssh -i xxxxx jon@127.0.0.1 (not the actual address)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:wS09c2yexsr6pbxFdUUJBSsYykAbo02oDxfGV4ctD1Q…

No big deal — I assume someone at work has just changed something on the server, as the message suggests after the scary warning part.  But, nonetheless, my standard practice is to connect to a VPN and repeat the attempt.  A VPN tunnel carries the SSH traffic past everything on the local side of the path (the lounge Wi-Fi, the airport’s network, the local ISP), so an attacker sitting there no longer sits in the middle.  It does nothing against an attacker between the VPN exit and my work, so a clean result over the VPN is strong evidence of a local attack rather than proof of a clean path.  If the VPN attempt reports the same key mismatch, it’s probably not an attack but a genuine key change; the definitive check in either case is to compare the fingerprint against one obtained out of band, for example from whoever administers the server.

Well, with VPN engaged…

$ ssh -i xxxxx jon@127.0.0.1
Welcome to Ubuntu 16.04.3 LTS…

I actually couldn’t believe it, so I disconnected from VPN, repeated, re-connected to VPN, repeated.  Same result: fingerprint mismatch, no fingerprint mismatch.
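As an added illustration of the check described above (this is example code written for this page, not code from the original post), the script below computes OpenSSH-style `SHA256:` fingerprints from public-key lines, as `ssh-keygen -lf` does, and applies the direct-versus-VPN reasoning to the key a server presented on each path. Every key in it is a constructed placeholder built from a hash, not a real server key, and the host name `work.example.com` is a stand-in.

```python
"""
Added example (not from the original post): compute OpenSSH-style SHA256
host-key fingerprints and compare the key seen on two network paths
(direct, via VPN) against the pinned known_hosts key.
All keys below are constructed placeholders, not real key pairs.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_pubkey_line(seed: int) -> str:
    """Build a syntactically valid 'ssh-ed25519 AAAA...' line from a
    constructed 32-byte value (NOT a real key; for illustration only)."""
    raw = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32 bytes
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_key(line: str):
    """Accept a known_hosts line, ssh-keyscan output, or a bare public-key
    line and return (key_type, base64_blob)."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-")):
            return f, fields[i + 1]
    raise ValueError("no SSH public key found in line")


def fingerprint(line: str) -> str:
    """OpenSSH 'SHA256:' fingerprint: unpadded base64 of SHA-256 over the
    raw key blob, which is what the warning in the post displays."""
    ktype, b64 = parse_key(line)
    blob = base64.b64decode(b64)
    # the blob starts with its own key type as an SSH string; check it
    if blob[: 4 + len(ktype)] != ssh_string(ktype.encode()):
        raise ValueError("key blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def assess(pinned: str, direct: str, via_vpn: str) -> str:
    """Apply the post's reasoning to the fingerprints observed on both paths."""
    p, d, v = fingerprint(pinned), fingerprint(direct), fingerprint(via_vpn)
    if d == p and v == p:
        return "ok: pinned key presented on both paths"
    if d != p and v == p:
        return "LOCAL INTERCEPTION: key differs only on the direct path"
    if d == v and d != p:
        return ("key changed on both paths: likely a real rekey, or an attacker "
                "beyond the VPN exit; verify the fingerprint out of band")
    return "VPN path presents a different key: verify out of band"


# Constructed observations (placeholders, not real data):
PINNED = "work.example.com " + fake_ed25519_pubkey_line(1)  # from known_hosts
LOUNGE = "work.example.com " + fake_ed25519_pubkey_line(2)  # seen from the lounge
VPN = "work.example.com " + fake_ed25519_pubkey_line(1)     # seen through the VPN

if __name__ == "__main__":
    for label, line in (("pinned", PINNED), ("direct", LOUNGE), ("vpn", VPN)):
        print(f"{label:7} {fingerprint(line)}")
    print(assess(PINNED, LOUNGE, VPN))
```

In practice the two observations come from `ssh-keyscan -t ed25519 host` run once directly and once with the VPN up, and the pinned line from `~/.ssh/known_hosts`; the fingerprints this prints are the same strings `ssh-keygen -lf` would show, so they can be compared with one read out over the phone.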

A lookup of the external IP address of the lounge showed the network was run by an ISP called “G TEL” —

% Joint Whois – whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

inetnum: 148.243.37/24
status: reallocated
owner: G TEL Comunicacion, S.A.P.I. de C.V.
ownerid: MX-GTCS-LACNIC
responsible: Sergio Antonio Bravo Garcia
address: DR. ATL, 2084, Int. 606, Zona Urbana Rio Tijuana
address: 22010 – Tijuana – BC
country: MX

I attempted contacting their LACNIC point of contact and the standard “abuse” e-mail address, but received no reply as of the date of this article.  It’s unclear whether the attacker had access only to the airport lounge local network, or was at G TEL, or somewhere else on the Internet. I also have no reason to assume that I was targeted specifically (instead of, say, targeting everyone who was on the network). But it’s clear that my connection was indeed attacked.

Watch yourself out there!  While “sophisticated” attacks like MitM are uncommon for the everyday Internet user, they apparently happen.  If you ever see those “certificate not valid/trusted” warnings, take them seriously, and understand that if you proceed, any credentials that you’ve put into that Web site, in the future or in the past, are now in someone else’s hands: the interceptor sees the whole session in the clear, including the authentication cookies that keep you logged in, which they can replay later.  The same goes for SSH: accepting a changed host key hands the session, and any password typed into it, to whoever holds that key.

Full session…

MitM Attack @ CUN

7 thoughts on “Cancun Airport Attempts “Man-in-the-Middle Attack” On Web Connection


  1. I too use Linux, Gentoo here, and one reason I use it is the security it provides even in a normal install. While I have social media accounts, I’ve never had one hacked. Everyone I know that doesn’t use Linux has had their account hacked at least once. Some of the attacks ended up with some really bad postings and a lot of friends being confused.

    It’s good that some of us try to be secure if for no other reason, it makes it hard for them to use our systems to do further damage, either someone we know or someone we don’t. It’s a nasty and sometimes dangerous world on the internet.

  2. That is why when I travel I just take my trusty tablet with me. It has never been hacked. True, once in a while my pencil needs to be resharpened, but that beats getting hacked. 🙂 Oh, for you computer nerds, just remember, in the next 10 years there is about a 10% chance of a massive solar flare that would end all your computer hacking worries (and about every other worry as well) so be sure to back up your information with pencil and tablet as well.

    1. That and some sort of EMP is why I want to buy a printer. I want to print as much stuff as I can just in case. Heck, just lack of power for any reason makes it a good idea.

      Also, I’ve bought several books on different topics too. I don’t mean those electronic things, I mean real books.

        1. In the case of an EMP, what would you read the optical media with? Unless you have your puter in an EMP-proof area, which means not connected to the outside world either, then you won’t have anything to read the media. Paper however would still work.

          That said, I do backup things like pictures to DVD on occasion. However, I read somewhere long ago that an EMP that is close by could also ruin DVD/CDs and such. There is a little metal in there. That may not be true or it could have changed. May research that when I get a minute to see.

        2. Did a quick search and found what I believe to be accurate. Modern CD/DVDs should be safe. It may be that the first generation of CDs had some metal in them. I might add, when in a microwave, they sure react like they have metal in them. I’ve seen videos of it before. Of course, it mostly warps them.

          Either way, at least if an EMP ever were to happen, I’d be able to get my pics back, if computers are ever working again.

  3. I just found your blog, it was shared by a friend. Great stuff! I’m not convinced it was the airport or the carrier that was performing the MitM attack though. A nefarious actor could set up a system pretty quickly and easily in the lounge. I’ve read about several airports and malls having this happen where someone finds a card on a food court table (or wherever) offering “FREE WIFI” with a network name and password. Of course, that’s not to say the airport or carrier couldn’t be nefarious as well.
