Warning: This post is technical.  The non-technical tl;dr is that the airport lounge network in Cancun attempted to hack my Internet connection to work.


Mera Business Lounge @ CUN Airport

If my flight is in the evening on a weekday, I’ll often show up at the airport early, work from the airport lounge, and catch my flight.  They tend to have reliable Internet, I get to spend the day eating and drinking for free, and I don’t have to worry about traffic or making my flight on time.

I sat down in the “Mera Business Lounge” in CUN’s Terminal 3 last week and went to log into my work server via “SSH” — a secure protocol commonly used to interact with Linux computers — and was somewhat surprised to see this:

$ ssh -i xxxxx jon@127.0.0.1 (not the actual address)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA:256:wS09c2yexsr6pbxFdUUJBSsYykAbo02oDxfGV4ctD1Q…

No big deal — I assume someone at work has just changed around something on the server, like the message suggests after the scary warning part.  But, nonetheless, my standard practice is to connect to a VPN and repeat the attempt.  This mitigates any man-in-the-middle attack on the local side of the network, because although an attacker might be between Cancun and my work, if I have a VPN provider attempt the connection for me, the attacker no longer sits in the middle.  If the VPN attempt reports the same key mismatch, it’s probably not an attack.

Well, with VPN engaged…

$ ssh -i xxxxx jon@127.0.0.1
Welcome to Ubuntu 16.04.3 LTS…

I actually couldn’t believe it, so I disconnected from VPN, repeated, re-connected to VPN, repeated.  Same result: fingerprint mismatch, no fingerprint mismatch.
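The two-path comparison described above, as an added example that is not part of the original post: it computes OpenSSH-style SHA256 fingerprints from lines in `known_hosts` / `ssh-keyscan` layout and classifies what the direct and VPN paths presented. The host name `work.example`, the function names and the key material are constructed for illustration.

```python
import base64
import hashlib
import struct

def fingerprint(line: str) -> str:
    """SHA256 fingerprint, in OpenSSH's display format, of a
    'host keytype base64' line (known_hosts / ssh-keyscan layout)."""
    _host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    # The key blob starts with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def classify(pinned: str, direct: str, via_vpn: str) -> str:
    """Compare the pinned key with the keys seen on two network paths."""
    p, d, v = (fingerprint(x) for x in (pinned, direct, via_vpn))
    if d == p:
        return "ok: direct path presents the pinned key"
    if v == p:
        return "interception: only the direct path presents a different key"
    if v == d:
        return "key changed: both paths present the same new key"
    return "inconclusive: all three keys differ"

def constructed_key(seed: bytes, host: str = "work.example") -> str:
    """Build a syntactically valid ssh-ed25519 line from a seed (sample data)."""
    kt = b"ssh-ed25519"
    raw = hashlib.sha256(seed).digest()  # 32 bytes standing in for a public key
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw)) + raw
    return f"{host} {kt.decode()} {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    pinned = constructed_key(b"real server")      # entry already in known_hosts
    rogue = constructed_key(b"lounge network")    # key seen without the VPN
    rotated = constructed_key(b"new server key")  # key after a real rotation
    print(classify(pinned, rogue, pinned))        # the situation in this post
    print(classify(pinned, rotated, rotated))     # legitimate key rotation
```

With real data, the three inputs would be the existing `known_hosts` entry and the `ssh-keyscan` output captured once on the local network and once through the VPN.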

A lookup of the external IP address of the lounge showed the network was run by an ISP called “G TEL” —

% Joint Whois – whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

inetnum: 148.243.37/24
status: reallocated
owner: G TEL Comunicacion, S.A.P.I. de C.V.
ownerid: MX-GTCS-LACNIC
responsible: Sergio Antonio Bravo Garcia
address: DR. ATL, 2084, Int. 606, Zona Urbana Rio Tijuana
address: 22010 – Tijuana – BC
country: MX

I attempted contacting their LACNIC point of contact and the standard “abuse” e-mail address, but received no reply as of the date of this article.  It’s unclear whether the attacker had access only to the airport lounge local network, or was at G TEL, or somewhere else on the Internet. I also have no reason to assume that I was targeted specifically (instead of, say, targeting everyone who was on the network). But it’s clear that my connection was indeed attacked.

Watch yourself out there!  While “sophisticated” attacks like MitM are uncommon for the everyday Internet user, they apparently happen.  If you ever see those “certificate not valid/trusted” warnings, take them seriously, and understand that if you proceed, any credentials that you’ve put into that Web site — in the future or in the past, as they’ll be taking your authentication cookies — are now in someone else’s hands.

Full session…

MitM Attack @ CUN