The captive portal economy: how hotel WiFi login pages turned into both a security risk and a discreet advertising medium.
**TL;DR**: Hotel WiFi captive portals have become a significant security threat (due to HTTP-only pages, DNS hijacking, and rogue networks) and a programmatic advertising channel that gathers first-party data. Many VPN clients struggle during the transition to these portals. KeepSolid developed a Captive Portal Network Checker within VPN Unlimited to automatically detect and reconnect.
Last month, I checked into a hotel for a conference. I opened my laptop, clicked on the WiFi, selected the hotel network, and the usual splash screen appeared, prompting me to enter my room number, last name, and accept the terms. This is the standard process.
However, what’s happening behind that splash screen isn't standard anymore. The captive portal, the login page that appears before accessing hotel or airport WiFi, has quietly transformed into two parallel industries: one being a security vulnerability and the other a programmatic advertising platform generating revenue. These two aspects share the same infrastructure, yet most travelers do not perceive this duality, nor do most VPN providers.
**The Technical Reality**
A captive portal intercepts HTTP requests from your device before you've logged into the network. There is no way around it: the network forces a redirect for every request until you fulfill the portal's requirements, which could include entering a room number or accepting terms, and sometimes even watching a brief advertisement or providing an email address for marketing purposes.
This occurs because your device must perform an unencrypted HTTP request to a known test URL to verify internet access. Apple uses captive.apple.com, Microsoft uses www.msftconnecttest.com, and Google uses connectivitycheck.gstatic.com. Essentially, the operating system is asking the network, "Am I online?" and the captive portal intercepts that inquiry to redirect you to its login page. This is intentional design, not an error.
This is also why your VPN isn't helpful here. By the time you launch a VPN client, the OS-level connectivity test has already identified your device and triggered the portal redirect. Thus, the VPN cannot function because the network won’t permit it until you authenticate with the portal. So, you disable the VPN, navigate through the splash page, and often forget to reactivate the VPN afterward, leaving you vulnerable for the remainder of your trip.
This is the gap we aimed to address by incorporating captive portal handling into VPN Unlimited, as most VPN clients fail to tackle it effectively.
**What’s Behind That Captive Portal?**
Most major hotel chains do not maintain their own WiFi infrastructure. Instead, they hire companies like Boingo, Aptilo Networks, or Cloud4Wi. While these businesses provide legitimate products with reasonable security standards, the quality varies significantly across locations, and a brand-wide standard may not apply to the captive portal setup at any specific franchised property in a particular country.
The security problems fall into three categories. The most prevalent is the HTTP-only portal, where the splash page does not enforce TLS, so any details you enter (room number, last name, and sometimes credit card details) are transmitted unencrypted over the local network. The second is DNS hijacking, where the captive portal reroutes all your DNS queries through its own resolver, allowing the portal operator to monitor every URL you access during your session, irrespective of your device's DNS configuration. The third, less common but well documented, is the fraudulent portal, where a malicious device masquerades as the hotel network, presents its own splash page, and collects users' credentials before passing them through to the actual network without their noticing.
You don’t need to be in risky environments for any of this to happen; being in a hotel is sufficient.
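The connectivity probe, the HTTP-only portal check, and the "reconnect once the portal is cleared" step described above can be sketched together. This is an added example, not code from the article or from VPN Unlimited: the probe paths and expected replies are the well-known OS defaults rather than anything stated on this page, and `classify`, `probe`, `wait_then_reconnect` and the `reconnect` callback are hypothetical names.

```python
import time
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Probe URL -> (expected status, expected body marker). Hosts are the ones named
# above; the paths and replies are the well-known OS defaults (not from the article).
PROBES = {
    "http://connectivitycheck.gstatic.com/generate_204": (204, ""),
    "http://captive.apple.com/hotspot-detect.html": (200, "Success"),
    "http://www.msftconnecttest.com/connecttest.txt": (200, "Microsoft Connect Test"),
}
DEFAULT = "http://connectivitycheck.gstatic.com/generate_204"

def classify(probe_url, status, headers, body):
    """Return (state, portal_url, cleartext) for one probe reply."""
    want_status, marker = PROBES[probe_url]
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        portal = urljoin(probe_url, location)  # resolve relative redirects
        return "captive", portal, urlsplit(portal).scheme != "https"
    if status == want_status and (marker in body if marker else not body.strip()):
        return "online", None, False
    # Expected host, unexpected content: the portal answered in place over HTTP.
    return "captive", probe_url, True

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 30x as HTTPError instead of following it

def probe(probe_url=DEFAULT, timeout=5):
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(probe_url, timeout=timeout) as r:
            body = r.read(4096).decode("utf-8", "replace")
            return classify(probe_url, r.status, dict(r.headers), body)
    except urllib.error.HTTPError as e:
        return classify(probe_url, e.code, dict(e.headers), "")
    except OSError:
        return "offline", None, False

def wait_then_reconnect(reconnect, check=probe, interval=3, max_tries=100):
    """Poll until the portal is cleared, then call reconnect() (hypothetical VPN hook)."""
    for _ in range(max_tries):
        if check()[0] == "online":
            reconnect()
            return True
        time.sleep(interval)
    return False
```

A `cleartext` value of `True` means the splash page itself is served without TLS, so anything typed into it crosses the local network unencrypted.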
**The Advertising Channel Aspect**
Many travelers overlook the fact that the splash page serves as valuable advertising space.
The sector of "WiFi marketing platforms" is legitimate and rapidly expanding. Companies in this area, such as Cloud4Wi, market their products to hotels, airports, retailers, and sports venues as a means to monetize the time guests spend on the captive portal. The typical pitch suggests that every guest connecting to WiFi represents a captive audience for brief video ads, surveys, email collection, or sponsored offers. Venues gather first-party data that, depending on the platform's setup and partnerships, can be shared with marketing networks or used for targeted advertising once guests leave.
This business model benefits venues, since providing WiFi is usually a pure cost. Adding a programmatic advertising layer can generate additional revenue, especially in high-traffic regions. It also benefits advertisers: the audience is particularly well targeted (its specific location is known) and its attention is guaranteed, because guests cannot go anywhere else online until they accept the portal.
None of these practices are illegal, but they are often not disclosed in a way that the average traveler is likely to notice. The "accept terms" button, often clicked hastily, usually includes consent for marketing communications, data sharing with the WiFi operator's partners, and sometimes location
KeepSolid CEO Vasyl Ivanov describes how hotel WiFi captive portals have changed into a security risk as well as a programmatic advertising channel, and what actions VPN clients should take in response.
