This isn’t clickbait, this isn’t some “oh I won an internet voucher from bingo” thing, I actually found a way to get free Internet in the middle of the ocean, all legally.
Everyone knows that getting internet access on a cruise is expensive, people don’t want to pay over $200 for Internet just for their 5 day holiday, so this made what I found very rewarding.
What are the usual Internet Options at sea?
Let’s go over them one by one:
- Onboard Wi-Fi, provided by the cruise company, typically around $30 AUD per day, with unlimited data, works throughout your cruise wherever AP’s are available.
- Maritime Roaming, using the onboard cell tower, $1 AUD per MB, this will cost you thousands of dollars if you do so much as watch a few YouTube videos, it also won’t work on lower decks when out of range of the onboard tower.
- Satellite Internet, such as Starlink, $80 AUD for 50GB over 30 days, many cruise lines (but not all) explicitly prohibit satellite receivers onboard. However, some guests actually get away with bringing them, using a balcony for the installation.
Lastly, of course, there’s the option of not paying for any Internet at all, being disconnected at sea and just using free Wi-Fi or cellular when the ship is at port.
My cruise had a stop in Australia and I knew my phone would work immediately when we arrived there, so I had no plans to pay for any Internet access while at sea.
How did I end up with free Internet onboard?
Well, some context first:
Many cruise lines these days are going all digital, almost all of them have a cruise line app that allows you to manage your cruise, view interactive maps, events for the day, shop, etc.
Now, that’s all well and good, until you think about how the app actually works, obviously not everyone is going to pay for the Internet access onboard, but the cruise line wants the app to be available to everyone regardless.
The solution, give everyone access to the onboard Wi-Fi Network, and block all other Internet access (unless you paid for it).
So when you board the vessel you put your device in airplane mode, and connect to the onboard Wi-Fi Network, then you can use the app just fine all over the ship.
Once I was at sea, however, I noticed something…
Every few hours (and sometimes every few minutes), my phone would get a burst of notifications. I’d get emails, messages, YouTube comments, completely randomly, throughout the day.
At first, I thought I was getting trickles of cellular, but because I was on airplane mode, I knew this wasn’t possible.
What was even stranger is that after a while I got the Wi-Fi Calling status indicator, and I could even send texts to my partner.
Even with this though, anytime I tried to browse the web, tap on a notification, or do pretty much anything I’d get a “no internet” error message or see “ERR_CONNECTION_RESET”.
This prompted me to have a deeper look into their Network.
Let’s check out their Network setup.
At first, I was just curious what hardware they might be using, so I pulled up Fing/Wifiman on my phone and scanned the subnet.
The scan didn’t reveal much, they’re clearly doing client isolation, even for the router. Hiding MAC’s like this is often done on paid Wi-Fi to prevent people from hijacking the MAC of a paid user, fair.
I did however know that they were (at least partially) running Aruba gear, because there was literally a WAP in my cabin.
I also knew that they were using Windows as part of their infrastructure for the mobile cruise app, because a bunch of pages were being served by this IIS server.
How was Internet Access authenticated?
So if you paid for the Wi-Fi, you’d head to this page, fill in your details and be granted access.
It’s clearly not meant to be insanely secure, you could get someone’s DOB pretty easily online, and modern smartphones could get you a photo of any cruise card with 50x zoom.
Anyway, I’m not here to attack their Network, or steal someone’s paid Wi-Fi, just curious how it works, so I scrolled down.
So we have an option to purchase a plan, but also at the very bottom, we have “Free Sites” and a button for the Cruise line’s “App Download”.
Free sites was unfortunately not that useful, it mostly just provided limited access to the cruise line’s webpage, so you could book your next holiday, if you tried to navigate away with any links you’d get a connection reset.
How about “App Download”, what are they doing here, hosting an APK file on an internal server?
No.
I clicked this “app download” and was sent straight to the Google Play Store, which let me download any application I wanted, interesting…
Then I got thinking.
Allowing Google Play explicitly is not an easy thing to do, a lot of the backend servers it uses are shared by other Google platforms.
It’s therefore quite likely that by allowing Google Play, that they have also allowed a bunch of other services inadvertently.
I wonder if I could Google Search something now?
Yup.
I was pretty surprised by this, I honestly didn’t expect it to just work, initially I actually navigated to Google via a privacy statement page in the Play Store, but I later realised that I can go straight to Google directly.
This is pretty cool, I can use this to keep up to date with news via Google searches, but does anything else work?
How much Internet Access do we actually have?
This is the real question, we could probably access some other services too, depending on how the cruise line has implemented their filtering.
I initially tried to access my blog here, but got the usual “ERR_CONNECTION_RESET”, then I tried some other pages and found that YouTube worked, Instagram worked, email worked, Discord worked, this was great!
So there I was, messaging my friends on Discord, catching up and chatting away and then all of a sudden, messages stopped coming in, and up came the “Connecting…” message.
My Internet Access had been cut off.
It must have been on a timer, to only allow people to download the Play Store app and then cut them off.
Time to bring out the laptop.
How does this Internet Access really work?
After a few minutes of playing around, I learned that the Internet access activation is literally triggered as you click “App Download”.
This page activates your Internet Access, and then redirects you to Google Play on Android or the App Store if you are on IOS.
So wait, couldn’t we just automate this?
Absolutely.
With this, we no longer have to worry about the timer cutting off our access, but so much of the web is still filtered.
Can we turn this into a more usable connection?
It appears that this connection is very strangely restricted, but not in the way you’d think. The webpages/services allowed seem to align mostly with what you’d expect from the “Social” Internet plan offered by the cruise line.
Includes the most popular social websites and applications like Facebook, Instagram, WhatsApp, Snapchat, TikTok, Pinterest, X, Reddit, LinkedIn, and major airline sites. It excludes access to most other websites, email, video, and music streaming services (e.g., Spotify, Netflix, Hulu)
I don’t believe my access included everything above, but the statement on “popular websites” seemed true.
At this point though, many apps still won’t open because they depend on services not in the access whitelist.
My first thought was to connect to my home VPN server, but I couldn’t even reach my home router.
So I tried a few public VPN providers, and had luck with RiseUP VPN and Windscribe when in IKEv2 mode.
I’m not surprised I was able to get through with Windscribe. It’s pretty difficult to block modern VPN’s and often requires beefy, expensive gateways with DPI that can read packets in the many different protocols VPN’s might use.
What did surprise me, though, is that Windscribe was able to stay active even when my 10-minute Internet session expired, without running my script.
I guess the cruise line didn’t want to risk closing legitimate IKEv2 sessions, which could break stuff like Wi-Fi calling (maybe it was too complex for them to do without impacting paying users?)
I also believe the gateway/firewall they are using might have some “quirks”. As I mentioned earlier I got occassional social notifications on my phone, before I did any of the above.
Perhaps their gateway is letting some traffic through when it’s under high load, and with Wi-Fi caling using IKEv2, it never disconnects.
My partners iPhone had iMessage and Wi-Fi Calling available too, without any Internet access activated, though apparently Apple makes this pretty difficult to break.
So how fast is the connection?
Well, it’s not going to break any records.
Speeds ranged from 0.3-1.5 Megabits down, and about 1-2Mbit up, both are almost certainly capped on the network side.
I’m not going to complain about this though, this connection is absolutely usable, I literally wrote this blog post using the connection on holiday, laying on a beach chair with a laptop, in the middle of the ocean.
Sure you won’t get fast HD streaming, reels, shorts or all that, but you will get usable messaging apps, google searches, news, basic audio calls (sometimes), and even YouTube in 144P before bed.
To be honest as well, (you probably won’t agree with me) but I’d say this is way more Internet than most people need on a cruise.
Being on holiday is not about spending hours scrolling through TikTok, posting every single meal you eat on Instagram, putting screens in front of kids faces, etc.
There is so much to do, to relax, to take in, be entertained by (even for young kids), just enjoy the holiday that you paid for.
Having basic communication during this is a bonus.
That being said, I was pretty content with being able to write my blog post directly, but I would have been satisfied writing offline as well, it was very peaceful. Some people read, I chose to write.
Would the cruise line know that I did all this?
Absolutely, on a modern firewall/gateway, there’s probably dozens of logs that could tell you that my traffic “doesn’t look like” Google Play traffic.
You’d also know from data usage alone that a non-paying device has used 2-3x more data than is needed to download the app.
In fact, towards the end of my cruise, after using somewhere between 1-2GB of total data, I was blocked from using the “App Download” button and requested to enter my first and last name for the cruise line to “help me out”.
I did wonder whether putting your details in here would result in the cruise director breaking down your door, forcibly trying to charge you for the Internet plan, but I didn’t really need any “help” so I didn’t try this.
I also found that it was pretty easy to “reset” my download limit, many people in IT would know how to do this immediately.
Is this illegal?
I have no reason to believe so:
- I didn’t tamper with anything.
- I used the service exactly as provided, on my personal devices.
- I accessed normal applications and services, nothing questionable.
- None of my traffic was excessive, nor would it have impacted other users of the Network, it was heavily throttled.
I have deliberately been vague about (and censored) the cruise line I travelled with, because this is not intended as a guide to avoid paying for Internet on your cruise, and it probably won’t work on every cruise network out there.
I’m sharing this as an interesting technical discovery, to document my findings, and hopefully, you enjoyed the read.
Cheers,
Chris
Leave a Reply