Inflight Wi-Fi Not as Secure as You Think

By Eric Noonan • March 18, 2016

Ars Technica recently published an article on the security of inflight Wi-Fi.  Providers like Gogo Wireless and Global Eagle Entertainment sell Wi-Fi service to passengers.  Customers may think their communications and activities are secure, but think again, says USA Today columnist Steve Petrow.  Mr. Petrow was “hacked” while on an American Airlines flight: a man claimed to have been able to read his email communication with a source for a story.  Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen.  But what can be done about it?

First, Wi-Fi on an airplane operates much like a public Wi-Fi network.  Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service.  Once that is done, the user is granted access to the web.  There is no password protection on the connection, which means the traffic carried on the Wi-Fi network is transmitted in the clear.  Anyone listening can grab the data that passes through the access point.

Second, inflight wireless networks have taken a further step that affects the privacy of the network by blocking basic network security tools such as secure HTTP and some virtual private networks.  Without these basic building blocks of security, it becomes clear how Mr. Petrow was “hacked.”  When you are on a public Wi-Fi network, your device becomes visible to other people on the network.  Unencrypted traffic is visible, and in cases where the user is using POP/SMTP, that traffic is also readily visible.

While blocking basic security measures appears to be an oversight, it is in fact intentional.  Gogo and Global Eagle Entertainment block some commercial VPN networks, and Gogo was issuing its own certificates for secure websites such as Google.  Stripping away SSL encryption allows Gogo to prevent passengers from accessing sites with inappropriate content and gives law enforcement more visibility into the browsing and search habits of Gogo customers.  Ars Technica reported that Gogo works closely with law enforcement and designed its inflight network with law enforcement in mind:

“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”

While the jury is still out as to whether or not Wi-Fi networks pose a threat to airplane communications or functionality, the passengers using the service should be aware of what they are signing up for. Attackers sitting on flights wishing to hack into a passenger’s device can easily set up a fake access point, rerouting legitimate traffic to their laptop with two Wi-Fi signals. While SSL would still protect a passenger’s session from being accessed by other users, a determined attacker can overcome this with tools like SSL Strip.

To protect your session, Ars Technica recommends using a VPN connection (if it will work) and ensuring that sharing has been disabled.  Also, pay attention to certificate warnings.  If Chrome or Firefox warns of a bad or unknown certificate, don’t proceed; wait until you are on the ground with a better network to connect to.  Of course, the best defense is to turn off your Wi-Fi and work offline.
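An SSL Strip-style downgrade, as mentioned above, works by keeping the victim on cleartext HTTP, which leaves visible symptoms: no redirect to HTTPS and page links rewritten to `http://`. The following Python check for those symptoms is an added example, not code from the original article or from Ars Technica; the host list and the sample responses are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts you have confirmed, on a trusted network, are HTTPS-only.
HTTPS_ONLY_HOSTS = {"mail.example.com", "accounts.example.com"}
# Tags whose URL attribute matters if it is rewritten to cleartext.
URL_ATTRS = {"a": "href", "form": "action", "script": "src", "iframe": "src"}

class _UrlCollector(HTMLParser):
    """Collect (tag, url) pairs from link targets, form actions and includes."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == URL_ATTRS.get(tag) and value:
                self.urls.append((tag, value))

def downgrade_findings(request_host, status, headers, body):
    """Return reasons a cleartext HTTP response looks like a stripped session."""
    findings = []
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location", "").lower()
    if request_host in HTTPS_ONLY_HOSTS:
        # A genuine HTTPS-only site answers plain HTTP with a redirect to https://.
        redirected = status in (301, 302, 303, 307, 308)
        redirected = redirected and location.startswith("https://")
        if not redirected:
            findings.append(f"{request_host}: served over HTTP without a redirect to HTTPS")
    collector = _UrlCollector()
    collector.feed(body)
    for tag, url in collector.urls:
        parts = urlsplit(url)
        # Links to known HTTPS-only hosts should never use the http scheme.
        if parts.scheme == "http" and parts.hostname in HTTPS_ONLY_HOSTS:
            findings.append(f"<{tag}> points to cleartext {url}")
    return findings

# Constructed sample responses (not captured traffic).
CLEAN = (301, {"Location": "https://mail.example.com/"}, "")
STRIPPED = (200, {"Content-Type": "text/html"},
            '<form action="http://accounts.example.com/login" method="post"></form>'
            '<a href="http://mail.example.com/inbox">Inbox</a>')

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN), ("stripped", STRIPPED)):
        print(label, downgrade_findings("mail.example.com", *resp))
```

Any finding is a reason to stop and reconnect from a trusted network rather than enter credentials.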

What does this mean for your organization?  As your organization sends workers around the globe, it is important to develop good security habits.  Start with security awareness training.  Ensure devices are protected.  An employee who travels a lot is likely to introduce something back into the network when she connects with the “mothership,” so it is imperative that devices are routinely patched and monitored for vulnerabilities.

Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.  
