Aircell GoGo Inflight Internet – Hackers on a plane

Aircell GoGo Inflight Internet

GoGo Inflight Internet is a Wi-Fi service provided by AirCell and offered to an increasing number of airline passengers. This service enables users to connect to the Internet while in transit for business or pleasure. While the service is a great idea, its implementation is flawed and as such its users are put at risk. This blog entry is our effort to help educate GoGo Inflight Internet users about the risks involved so that they can make an informed decision about its use.

Over the past month we’ve made a continued strong effort to establish communications with AirCell regarding this issue. We have not yet received any response from AirCell other than email disposition notifications and their CTO commenting on a blog. We want to know what AirCell is going to do to protect its users and secure its Wi-Fi Access Points. It is important to understand that public Wi-Fi isn’t easy to secure by its very nature, but it shouldn’t be completely open, especially since many of its users are business users who connect to their business networks while in-flight (updated on 05/27/2009).

Let’s begin…

The problem with GoGo Inflight Internet is that it doesn’t offer any link layer security to its users. An example of link layer security is Wi-Fi Protected Access (WPA), which provides a mechanism for encrypting wireless transmissions so that they are not intelligible to would-be attackers. WPA is offered by most ground-based Wi-Fi hot-spot providers, including Starbucks, which is the most commonly used Internet cafe/Wi-Fi hot-spot.

Instead of protecting its users at the link layer, GoGo Inflight Internet openly transmits its users’ network traffic in much the same way that a radio station transmits music. The primary difference between the two is that the GoGo Inflight Internet Wi-Fi transmission is bidirectional while a radio station’s is unidirectional. That means that anyone can listen to the network data being sent by the GoGo Inflight Internet service (or any unprotected hot-spot), and they can also transmit to it.
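As an added illustration (not code from the original post), here is a small parser for the security-relevant fields of an 802.11 beacon frame body, the same fields a client looks at to tell an open hot-spot from one offering WPA/WPA2. The beacon bytes and the SSID "gogo" are constructed samples, not captures from the real service.

```python
import struct

# 802.11 information element (IE) IDs and the capability bit we care about
IE_SSID = 0
IE_RSN = 48                                 # RSN IE => WPA2
IE_VENDOR = 221
WPA_OUI_TYPE = bytes.fromhex("0050f201")    # vendor IE: Microsoft OUI + type 1 => WPA (v1)
CAP_PRIVACY = 0x0010                        # capability bit: encryption required at all

def parse_ies(data: bytes):
    """Walk the tagged-parameter section as (id, value) pairs; stop cleanly at a truncated IE."""
    ies, i = [], 0
    while i + 2 <= len(data):
        eid, ln = data[i], data[i + 1]
        if i + 2 + ln > len(data):
            break                            # truncated element: ignore the rest of the frame
        ies.append((eid, data[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def classify_beacon(body: bytes) -> dict:
    """Return the SSID and the link-layer security class advertised by a beacon body."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its fixed parameters")
    _timestamp, _interval, caps = struct.unpack_from("<QHH", body, 0)
    ies = parse_ies(body[12:])
    ssid = next((v.decode("utf-8", "replace") for eid, v in ies if eid == IE_SSID), "")
    has_rsn = any(eid == IE_RSN for eid, _ in ies)
    has_wpa = any(eid == IE_VENDOR and v.startswith(WPA_OUI_TYPE) for eid, v in ies)
    if has_rsn:
        security = "WPA2/RSN"
    elif has_wpa:
        security = "WPA"
    elif caps & CAP_PRIVACY:
        security = "WEP"                     # privacy bit set but no WPA/RSN IE
    else:
        security = "OPEN"                    # no link-layer protection at all
    return {"ssid": ssid, "security": security}

# Constructed sample beacons: 8-byte timestamp, interval, capability info, then IEs
FIXED_OPEN = bytes(8) + struct.pack("<HH", 100, 0x0001)          # ESS only
FIXED_PRIV = bytes(8) + struct.pack("<HH", 100, 0x0011)          # ESS + privacy
SSID_IE = bytes([IE_SSID, 4]) + b"gogo"
# RSN IE: version 1, group CCMP, one pairwise CCMP, one AKM (PSK), capabilities 0
RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex("0100000fac040100000fac040100000fac020000")
OPEN_BEACON = FIXED_OPEN + SSID_IE
WPA2_BEACON = FIXED_PRIV + SSID_IE + RSN_IE

if __name__ == "__main__":
    for name, beacon in (("open", OPEN_BEACON), ("wpa2", WPA2_BEACON)):
        print(name, classify_beacon(beacon))
```

A client that refuses to associate with anything classified as OPEN or WEP would have declined the in-flight network described in this post.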

This also means that a hacker can listen in on all network conversations and record all data that is sent or received by GoGo Inflight Internet users. Because the vulnerability exists at the link layer, there’s no way to establish a trustworthy SSL connection or VPN connection. This means that a hacker can capture credit card information while GoGo Inflight Internet users purchase their in-transit Internet service. This credit card capture is done by using a Man-in-the-Middle attack to defeat the security of the SSL or VPN connection during the initialization process. Here’s one example of an SSL Man-in-the-Middle from the SANS Institute.

Unfortunately the risk doesn’t end there: it is also possible to gain access to business networks by exploiting users of the GoGo Inflight Internet service (or any other unprotected Wi-Fi hot-spot). Remember, the attacker can receive and send network data. This means that the attacker can inject malicious content into a user’s network stream, or redirect the user to a malicious location. In both cases the attacker can gain access to a GoGo Inflight Internet user’s computer and even infect it with a worm, trojan, etc.

Once the attacker has access to the user’s computer there are two possible ways to get into the user’s business network. The most effective way would be to install a program on the laptop that calls home when the laptop is connected to the business network (bots do this). Once the computer calls home, the attacker would be able to establish a reverse connection into the business network, and it’s game over at that point.

The other option might not be as successful, depending on what sort of VPN client the user is using. But it is sometimes possible to wait for a victim to establish a VPN connection and then for the attacker to ride in on the VPN connection. In other words, the user won’t be the only person using the VPN to access his or her business network; the attacker will be there too.

It’s important to understand that the risks associated with using an unprotected Wi-Fi network are well documented and have been for quite some time now. That raises the question of why Aircell didn’t implement some form of link layer security for their users. More importantly, what is Aircell going to do to protect its users? While we did make multiple efforts to establish a communication channel with Aircell, we have yet to hear back from them aside from email return receipts.

We did, however, read some of their comments in The Economist, so we’ll address those here. Aircell’s CTO Joe Cruz said “Our capabilities are not much different from what you encounter in hotel rooms, in Starbucks and in public hotspots,” he tells me. “And if you’re on the ground, you’re actually more susceptible to spamming because hackers know where you are.”

We’ve already addressed his first point about “hotel rooms, in Starbucks and in public hotspots” and demonstrated that they do in fact offer WPA2 to their users. His second point about being more susceptible “to spamming because hackers know where you are” is inaccurate. Firstly, spamming has nothing to do with whether or not you’re on an airplane, but the threat does. The fact of the matter is that on an airplane you are likely at a higher threat level than if you were on the ground.

Here’s why…

If you think about the audience on an airplane and compare it to the audience in an Internet cafe or other ground-based Wi-Fi hot-spot, there are two significant differences. The first is that the airplane will likely have a higher concentration of business people than the Internet cafe. The second is that the Wi-Fi users on an airplane are likely to stay connected for the duration of the flight, while in an Internet cafe they are likely to connect briefly to check email or something similar. As a result, the Wi-Fi capable airplane is a much higher-value target for malicious hackers than a cyber-cafe.

Joe Cruz goes on to say “If you’re in an airplane, you’re with a select group of people,” he says. “One of the great screeners is the $365 you pay to get on the plane.” He’s right about the select group of people: if one of them is a malicious hacker, then you’re effectively held captive until the plane lands. With respect to his comment about the $365 screener, a malicious hacker would think of that as a minor investment when compared to how much money can be made by doing the hack right.
