Wednesday, May 6, 2009

Aircell GoGo Inflight Internet - Hackers on a plane

GoGo Inflight Internet is a Wi-Fi service provided by AirCell and offered to an increasing number of airline passengers. This service enables users to connect to the Internet while in transit for business or pleasure. While the service is a great idea, its implementation is flawed and as such its users are put at risk. This blog entry is our effort to help educate GoGo Inflight Internet users about the risks involved so that they can make an informed decision about its use.

Over the past month we've made a continued strong effort to establish communications with AirCell regarding this issue.  We have not yet received any response from AirCell other than email disposition notifications and their CTO commenting on a blog.  We want to know what AirCell is going to do to protect its users and secure its Wi-Fi Access Points.  It is important to understand that public Wi-Fi isn't easy to secure by its very nature, but it shouldn't be completley open.  Especially since many of its users are business users who connect to their business networks while in-flight  (updated on 05/27/2009).

Lets begin...

The problem with GoGo Inflight Internet is that it doesn't offer any link layer security to its users. An example of Link layer security is Wi-Fi Protected Access (WPA) which provides a mechanism for encrypting wireless transmissions so that they are not intelligible to would be attackers. WPA is offered by most ground based Hot-Spot Wi-Fi providers including Starbucks which is the most commonly used Internet Cafe/Wi-Fi Hot-Spot.

Instead of GoGo Inflight Internet protecting its users at the link layer, it openly transmits its users network traffic in much the same way that a radio station transmits music. The primary difference between the two is that the GoGo Inflight Internet Wi-Fi transmission is bidirectional and radio stations are unidirectional. That means that anyone can listen to the network data being sent by the GoGo Inflight Internet service (or any unprotected hot-spot) and they can transmit to it.

This also means that a hacker can listen in on all network conversations and record all data that is sent or received by GoGo Inflight Internet users. Because the vulnerability exists at the link layer, there's no way to establish a trustworthy SSL connection or VPN connection. This means that a hacker can capture credit card information while GoGo Inflight Internet users purchase their in-transit internet service. This credit capture is done by using a Man-in-the-Middle attack to defeat the security of the SSL or VPN connection during the initialization process. Here's one example of an SSL Man-in-the-Middle from the SANS Institute.

Unfortunately the risk doesn't end there, and it is also possible to gain access to business networks by exploiting users of the GoGo Inflight Internet service (or any other unprotected Wi-Fi Hot-Spot). Remember, the attacker can receive and send network data. This means that the attacker can inject malicious content into a users network stream, or redirect the user to a malicious location. In both cases the attacker can gain access to a GoGo Inflight Internet users computer and even infect it with a worm, trojan, etc.

Once the attacker has access to the users computer there are two possible ways to get into the users business network. The most effective way would be to install a program on the laptop that calls home when the laptop is connected to the business network (bots do this). Once the computer calls home, the attacker would be able to establish a reverse connection into the business network and its game over at that point.

The other option might not be as successful depending on what sort of VPN client the user is using. But it is sometimes possible to wait for a victim to establish a VPN connection and then for the attacker to ride in on the VPN connection. In other words, the user won't be the only person using the VPN to access his or business network, the attacker will be there too.

Its important to understand that the risks associated with using an unprotected Wi-Fi network are well documented and have been for quite some time now. That begs the questions as to why Aircell didn't implement some form of link layer security for their users. More importantly, what is Aircell going to do to protect its users? While we did make multiple efforts to establish a communication channel with Aircell, we have yet to hear back from them aside from email return receipts.

We did however read some of their comments on the Economist, so we'll address those here. Aircell's CTO Joe Cruz said "Our capabilities are not much different from what you encounter in hotel rooms, in Starbucks and in public hotspots," he tells me. "And if you're on the ground, you're actually more susceptible to spamming because hackers know where you are."

We've already addressed his first point about "hotel rooms, in Starbucks and in public hotspots" and demonstrated that they do in fact offer WPA2 to their users. His second point about being more susceptible "to spamming because hackers know where you are" is inaccurate. Firstly, spamming has nothing to do with wether or not you're on an airplane, but the threat does. The fact of the matter is that on an airplane you are likely at a higher threat level than if you were on the ground.

Here's why...

If you think about the audience on an airplane and compare that to the audience in an internet cafe or other ground based Wi-Fi Hot-Spot there are two significant differences. The first is that the airplane will likely have a higher concentration of business people than the internet cafe. The second is that the Wi-Fi users on an airplane are likely to stay connected during the duration of the flight, while in an internet cafe they are likely to be connected quickly to check email or something similar. As a result, the Wi-Fi capable airplane is a much more high value target for malicious hackers than a cyber-cafe.

Joe Cruz goes on to say ""If you’re in an airplane, you’re with a select group of people," he says. "One of the great screeners is the $365 you pay to get on the plane." He's right about the select group of people, if one of them is a malicious hacker then you're effectively held captive until the plane lands. With respect to his comment about the $365 screener, a malicious hacker would think of that as a minor investment when compared to how much money can be made by doing the hack right.