Wednesday, May 6, 2009

Aircell GoGo Inflight Internet - Hackers on a plane

GoGo Inflight Internet is a Wi-Fi service provided by AirCell and offered to an increasing number of airline passengers. This service enables users to connect to the Internet while in transit for business or pleasure. While the service is a great idea, its implementation is flawed and as such its users are put at risk. This blog entry is our effort to help educate GoGo Inflight Internet users about the risks involved so that they can make an informed decision about its use.

Over the past month we've made a continued, strong effort to establish communications with AirCell regarding this issue. We have not yet received any response from AirCell other than email disposition notifications and their CTO commenting on a blog. We want to know what AirCell is going to do to protect its users and secure its Wi-Fi access points. It is important to understand that public Wi-Fi isn't easy to secure by its very nature, but it shouldn't be completely open, especially since many of its users are business users who connect to their business networks while in-flight (updated on 05/27/2009).

Let's begin...

The problem with GoGo Inflight Internet is that it doesn't offer any link-layer security to its users. An example of link-layer security is Wi-Fi Protected Access (WPA), which encrypts wireless transmissions so that they are not intelligible to would-be attackers. WPA is offered by most ground-based Wi-Fi hot-spot providers, including Starbucks, which is the most commonly used Internet cafe/Wi-Fi hot-spot.

Instead of protecting its users at the link layer, GoGo Inflight Internet openly transmits its users' network traffic in much the same way that a radio station transmits music. The primary difference between the two is that the GoGo Inflight Internet Wi-Fi transmission is bidirectional, while a radio station's is unidirectional. That means that anyone can listen to the network data being sent by the GoGo Inflight Internet service (or any unprotected hot-spot), and they can transmit to it.
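As an added illustration (not code from the original post or from AirCell), here is how a client can tell from an access point's beacon frames whether it offers link-layer protection at all: WPA2 advertises an RSN information element, WEP sets only the privacy capability bit, and an open network advertises neither. The two sample beacons are constructed inside the code, not captured from any real network.

```python
import struct
# Beacon frame body layout (IEEE 802.11): timestamp(8) | interval(2) |
# capability(2, LE) | information elements, each tag(1) len(1) data.
CAP_PRIVACY = 0x0010                 # capability bit: AP requires encryption
TAG_SSID, TAG_RSN = 0, 48
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
def _ies(body):
    """Yield (tag, data) pairs from the variable part of a beacon body."""
    pos = 12
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        yield tag, body[pos + 2:pos + 2 + length]
        pos += 2 + length
def parse_rsn(data):
    """Decode an RSN element: (version, group cipher, pairwise ciphers, AKMs)."""
    version, = struct.unpack_from("<H", data, 0)
    group = CIPHERS.get(data[5], "?")          # suite = OUI 00-0F-AC + type byte
    n_pair, = struct.unpack_from("<H", data, 6)
    pairwise = [CIPHERS.get(data[8 + 4 * i + 3], "?") for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", data, off)
    akms = [AKMS.get(data[off + 2 + 4 * i + 3], "?") for i in range(n_akm)]
    return version, group, pairwise, akms
def classify_beacon(body):
    """Return (ssid, verdict) saying whether the AP offers link-layer security."""
    cap, = struct.unpack_from("<H", body, 10)
    ssid, rsn = "", None
    for tag, data in _ies(body):
        if tag == TAG_SSID:
            ssid = data.decode("utf-8", "replace")
        elif tag == TAG_RSN:
            rsn = parse_rsn(data)
    if rsn:                                    # WPA2 advertises an RSN element
        _, _, pairwise, akms = rsn
        return ssid, "WPA2-%s (%s)" % ("/".join(akms), "/".join(pairwise))
    if cap & CAP_PRIVACY:                      # encryption but no RSN: WEP or legacy WPA
        return ssid, "WEP/legacy WPA (privacy bit set, no RSN element)"
    return ssid, "OPEN: frames are sent in the clear"

# Constructed sample beacons (not captures of any real network).
def _ie(tag, data):
    return bytes([tag, len(data)]) + data
FIXED = b"\x00" * 8 + struct.pack("<H", 100)   # timestamp, beacon interval
OPEN_BEACON = FIXED + struct.pack("<H", 0x0001) + _ie(TAG_SSID, b"example-open")
# RSN element: version 1 | group CCMP | 1 pairwise: CCMP | 1 AKM: PSK | capabilities
RSN_PSK_CCMP = bytes.fromhex("0100 000fac04 0100 000fac04 0100 000fac02 0000")
WPA2_BEACON = (FIXED + struct.pack("<H", 0x0011)
               + _ie(TAG_SSID, b"example-wpa2") + _ie(TAG_RSN, RSN_PSK_CCMP))
```

Running `classify_beacon` over beacons captured from a monitor-mode interface gives the same verdict the operating system's lock icon does, but with the cipher and key-management details spelled out.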

This also means that a hacker can listen in on all network conversations and record all data that is sent or received by GoGo Inflight Internet users. Because the vulnerability exists at the link layer, there's no way to establish a trustworthy SSL connection or VPN connection. This means that a hacker can capture credit card information while GoGo Inflight Internet users purchase their in-transit Internet service. This credit card capture is done by using a Man-in-the-Middle attack to defeat the security of the SSL or VPN connection during the initialization process. Here's one example of an SSL Man-in-the-Middle from the SANS Institute.

Unfortunately the risk doesn't end there: it is also possible to gain access to business networks by exploiting users of the GoGo Inflight Internet service (or any other unprotected Wi-Fi hot-spot). Remember, the attacker can receive and send network data. This means that the attacker can inject malicious content into a user's network stream, or redirect the user to a malicious location. In both cases the attacker can gain access to a GoGo Inflight Internet user's computer and even infect it with a worm, Trojan, etc.

Once the attacker has access to the user's computer there are two possible ways to get into the user's business network. The most effective way would be to install a program on the laptop that calls home when the laptop is connected to the business network (bots do this). Once the computer calls home, the attacker would be able to establish a reverse connection into the business network, and it's game over at that point.

The other option might not be as successful, depending on what sort of VPN client the user is using. But it is sometimes possible to wait for a victim to establish a VPN connection and then for the attacker to ride in on that VPN connection. In other words, the user won't be the only person using the VPN to access his or her business network; the attacker will be there too.

It's important to understand that the risks associated with using an unprotected Wi-Fi network are well documented and have been for quite some time now. That raises the question of why Aircell didn't implement some form of link-layer security for their users. More importantly, what is Aircell going to do to protect its users? While we did make multiple efforts to establish a communication channel with Aircell, we have yet to hear back from them aside from email return receipts.

We did however read some of their comments on the Economist, so we'll address those here. Aircell's CTO Joe Cruz said "Our capabilities are not much different from what you encounter in hotel rooms, in Starbucks and in public hotspots," he tells me. "And if you're on the ground, you're actually more susceptible to spamming because hackers know where you are."

We've already addressed his first point about "hotel rooms, in Starbucks and in public hotspots" and demonstrated that they do in fact offer WPA2 to their users. His second point about being more susceptible "to spamming because hackers know where you are" is inaccurate. Firstly, spamming has nothing to do with whether or not you're on an airplane, but the threat does. The fact of the matter is that on an airplane you are likely at a higher threat level than if you were on the ground.

Here's why...

If you think about the audience on an airplane and compare it to the audience in an Internet cafe or other ground-based Wi-Fi hot-spot, there are two significant differences. The first is that the airplane will likely have a higher concentration of business people than the Internet cafe. The second is that the Wi-Fi users on an airplane are likely to stay connected for the duration of the flight, while in an Internet cafe they are likely to connect briefly to check email or something similar. As a result, the Wi-Fi capable airplane is a much higher-value target for malicious hackers than a cyber-cafe.

Joe Cruz goes on to say "If you’re in an airplane, you’re with a select group of people," he says. "One of the great screeners is the $365 you pay to get on the plane." He's right about the select group of people: if one of them is a malicious hacker, then you're effectively held captive until the plane lands. With respect to his comment about the $365 screener, a malicious hacker would think of that as a minor investment when compared to how much money can be made by doing the hack right.

11 comments:

  1. interesting... thanks for the heads up

  2. [quote] Because the vulnerability exists at the link layer, there's no way to establish a trustworthy SSL connection or VPN connection. [/quote]

    Please explain this. How will the attacker forge the SSL or VPN certificate? If he doesn't I will get a very big warning about my SSL or VPN connection. I know there is SSLstrip, but that wouldn't fool me personally.

  3. RichieB: You're partially right. The security savvy user may be able to detect the Man in the Middle attack depending on how it is crafted. The truth is that the average AirCell GoGo Inflight Internet user isn't going to be that security savvy. Our opinion is based on our past testing experience with SSL subversion attacks.

    Taking it a step further, there was a recent white paper released by the SANS Institute about defeating SSL seamlessly. In other words, it's possible to subvert an SSL connection without generating that error message.

    Lastly, does the fact that you might be able to detect a Man in the Middle attack mean that the technology isn't vulnerable? The very fact that I can launch such an attack is proof of risk. The risk needs to be resolved, don't you agree?

  4. They didn't implement WPA2 because it causes much more of a headache than it helps in this kind of situation. The crew of the plane would somehow have to get the key to users who wanted to purchase the service. What's more, the security it adds is almost nil because anyone with the key would still be able to monitor and inject traffic.

  5. Anonymous, interesting points and we can't say that we disagree. Nevertheless, the lack of a viable solid solution doesn't mitigate the risks discussed here. Instead it means that the risks are there and there's nothing much that can be done to address them. Maybe it's time someone addressed those risks?

    That said, using WPA2 will protect paying users from non-paying users. So it does add some level of security, but not enough.

    There are technologies that exist that offer one key per user, but those technologies might not be the right solution here either. If anyone has any ideas as to what the right solution is we'd love to hear them. The risks are very real, people need to be protected.

  6. So implementing link layer security will stop this problem?

    The attacker will just authenticate to the network using the credentials supplied by the GoGo inflight internet company. Unless they are using separate SSIDs with separate VLANs, and well, that is just stupid.

    The inflight internet is no more vulnerable than an internet cafe and companies should be aware of this issue and build this type of protection into company laptops and/or make their users aware of the issue and how unsafe wireless networks are.

  7. In response to Anonymous: Most internet cafes implement WPA2, so the level of security is different. Other than that you are right; once the attacker gets the key, it's the same as no key. As stated previously, we've seen solutions where individual users get individual keys, but those solutions aren't easy to implement and aren't cost-effective yet. So while the risks are very real and very serious, there is no solid solution yet.

    What makes GoGo Inflight Internet more interesting to us than other open Wi-Fi access points is its captive audience. You don't have a group of business people using an open Wi-Fi connection for extended periods of time in an internet cafe, but you do on an airplane.

    Nevertheless, a good solution does not yet exist, so at the very least they should implement WPA2. WPA2 is more secure than no WPA2 and it will protect paying users from the non-paying users.

  8. I guess I have to wonder how VPN is supposed to be cracked, besides just normal SSL. Most VPNs I've seen will fully encrypt the link and push all of the traffic through that. While the Wi-Fi packets themselves are open, it's really just the link layer headers; the data payloads would be encrypted all the way up to the VPN app layer. Perhaps there's a concern about giving the credit card over SSL in the beginning, but I don't see it being too easy to crack the VPN. Now, if someone gets into the machine prior to the VPN and puts a bot on there, then sure, but that's what firewalls are for. I don't see how WPA2 or any link layer encryption is going to help. It's a shared medium, the keys would be easy to maintain and I thought WPA2 had been cracked anyway. Good firewalls and VPN software should handle many issues. Beyond that, provide an Ethernet jack in the seats. Even then, it wouldn't take that much to get into the gateway or do any "normal" hacking on the network.

  9. Regarding this quote: Joe Cruz goes on to say "If you’re in an airplane, you’re with a select group of people," he says. "One of the great screeners is the $365 you pay to get on the plane."

    Yes heaven forbid a malicious hacker has a day job that requires him to take a plane flight, even occasionally.

  10. That's why many airlines still have doubts about this new technology. Even though there are huge benefits for them and for their passengers, many still prioritize the safety of their clients.

  11. One thing I would say is that there is a relatively easy way on WAPs to secure the traffic. No one has talked about putting the WAP into AP Isolation mode. By doing that and then adding WPA2 you effectively offer much greater security (not perfect or even great) than what is currently in place. With the WAP in Isolation mode it's not going to allow the lateral traffic between the users at all, period, the end.

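As an added example (not AirCell's configuration and not from any of the commenters), here is what the open setup criticised in the post and the WPA2-plus-isolation setup suggested in the comments look like as hostapd configurations; the interface name, SSIDs and passphrase are placeholders.

```ini
# hostapd.conf, weak: open network, nothing stops clients from seeing each other
# (assumed starting point, not AirCell's real configuration)
interface=wlan0
ssid=EXAMPLE-OPEN
hw_mode=g
channel=6
# no wpa= line: every frame goes over the air in the clear

# hostapd.conf, corrected: WPA2 with AES-CCMP plus AP isolation
interface=wlan0
ssid=EXAMPLE-WPA2
hw_mode=g
channel=6
# drop client-to-client frames forwarded through the AP (the "AP Isolation" of comment 11)
ap_isolate=1
# WPA2 only, no WPA1/TKIP fallback
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder; hand out per-session credentials via the captive portal in practice
wpa_passphrase=CHANGE-ME-PLACEHOLDER
```

With a single shared passphrase, anyone holding it can still decrypt other clients' unicast traffic after observing their four-way handshake, so this protects paying users from non-paying ones (as the post says) but not from each other; `ap_isolate` only blocks forwarding through the AP, not passive capture.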