Inflight Wi-Fi Not as Secure as You Think

Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like Gogo Wireless and Global Eagle Entertainment offer passengers Wi-Fi service for a fee. Customers may think their communications and activities are secure, but think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight – a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to begin to understand how this can happen. But what can be done about it?

First, Wi-Fi on an airplane operates similarly to public Wi-Fi networks. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done, the user is granted access to the web. There is no password protection on the connection, which means the traffic carried on the Wi-Fi network is transmitted in the clear. This means anyone listening can grab the data that passes through the access point.

Second, inflight wireless networks have taken a further step that affects the privacy of the network by blocking basic network security tools such as secure HTTP and some virtual private networks. Without these basic building blocks of security, it becomes clear how Mr. Petrow was “hacked.” When you are on public Wi-Fi, your device becomes visible to other people on the network. Unencrypted traffic is visible, and in cases where the user is using POP/SMTP, that traffic is also readily visible.

While blocking basic security measures appears to be an oversight, it is indeed intentional. Gogo and Global Eagle Entertainment block some commercial VPN networks, and Gogo was issuing its own certificates for secure websites such as Google. Stripping away SSL encryption allows Gogo to prevent passengers from accessing sites with inappropriate content and gives law enforcement more visibility into the browsing and search habits of Gogo customers. Ars Technica reported that Gogo works closely with law enforcement and designed its inflight network with law enforcement in mind:

“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”

While the jury is still out as to whether Wi-Fi networks pose a threat to airplane communications or functionality, passengers using the service should be aware of what they are signing up for. Attackers sitting on flights wishing to hack into a passenger’s device can easily set up a fake access point, rerouting legitimate traffic to their laptop with two Wi-Fi signals. While SSL would still protect passengers from accessing other user sessions, a determined attacker can overcome this with tools like SSL Strip.
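
One way to check for the downgrade that SSL Strip-style tools perform, as an added example (not code from this article or from Ars Technica): it compares a plain-HTTP response recorded on a trusted network with the one received on the untrusted network and reports HTTPS redirects or links that have become HTTP. The host example.test, the sample responses and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples (example.test is a placeholder host, not a real capture).
BASELINE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            '<a href="https://mail.example.test/login">Sign in</a>'
            '<form action="https://mail.example.test/auth"></form>')
OBSERVED = BASELINE.replace("https://", "http://")   # links rewritten in transit
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://mail.example.test/\r\n\r\n"

class _Links(HTMLParser):
    """Collect URL-bearing attributes (href, src, action) from a page body."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src", "action") and v]

def parse_response(raw):
    """Split a raw HTTP response into (status, headers, URLs found in the body)."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *rest = head.split("\r\n")
    status = int(first.split()[1])
    # Header names are lowercased; a repeated header keeps its last value.
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in rest)}
    parser = _Links()
    parser.feed(body)
    return status, headers, parser.urls

def _key(url):
    """Host and path, so one resource matches whatever its scheme."""
    u = urlsplit(url)
    return (u.netloc.lower(), u.path or "/")

def downgrade_findings(baseline_raw, observed_raw):
    """Report HTTPS redirects and links in the baseline that are HTTP in the observed copy."""
    b_status, b_hdr, b_urls = parse_response(baseline_raw)
    o_status, o_hdr, o_urls = parse_response(observed_raw)
    findings = []
    b_loc, o_loc = b_hdr.get("location", ""), o_hdr.get("location", "")
    if b_status in (301, 302, 307, 308) and b_loc.startswith("https://"):
        if not o_loc.startswith("https://"):
            findings.append(f"redirect to {b_loc} missing or rewritten (status {o_status})")
    secure = {_key(u) for u in b_urls if u.startswith("https://")}
    for u in o_urls:
        if u.startswith("http://") and _key(u) in secure:
            findings.append(f"link downgraded to {u}")
    return findings
```

An empty list from `downgrade_findings` means the observed response matches the baseline on these two signals only; it does not show that the network is trustworthy.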

To protect your session, Ars Technica recommends using a VPN connection (if it will work) and ensuring that sharing has been disabled. Also, pay attention to certificate warnings. If Chrome or Firefox warns of a bad or unknown certificate, don’t proceed – wait until you are on the ground with a better network to connect to. Of course, the best defense is to turn off your Wi-Fi and work offline.

What does this mean for your organization? As your organization sends workers around the globe, it is important to develop good security habits. Start with security awareness training. Ensure devices are protected. An employee who travels a lot is likely to introduce something back into the network when she connects with the “mothership,” so it is imperative that devices are routinely patched and monitored for vulnerabilities.

Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.