Sometimes you read something and it just ruins your mood.
For fellow business travelers, this will be one of those posts.
I guess I was burying my head in the sand up until now. This makes perfect sense even though I wasn’t thinking it through.
The WiFi on a plane, whether it is GoGo like on American or United or Global Eagle like on Southwest, is just another non-password-protected public WiFi hotspot and subject to all of the possible attacks that the WiFi hotspot in your local coffee shop or deli is.
USA Today columnist Steven Petrow learned that the hard way recently. Following a recent flight, he was approached by a man who showed him some of his emails from sources for a story he was writing.
Hopefully the story was not confidential, because if there is anything that Snowden told us that you should take to heart, it is this: if you want any chance of an email being private, you need to use an end-to-end encryption solution like PGP or Absio. DO NOT rely on ANYTHING that your mail provider tells you is secure. IT IS NOT. Period. End of conversation. It is just. not. secure.
This particular attack is simple and maybe could be fixed, but there may be a conflict of interest. Read on.
When you are on a public WiFi you give up a lot of information. A lot of the traffic you are sending is not encrypted. A lot of email is sent unencrypted all the way from sender to receiver.
But this case is one of this guy creating a fake WiFi hotspot and then getting the reporter’s computer to connect to it. Since there is no password on it, if you force the reporter’s computer/phone/tablet to disassociate from the real hotspot, and the new (fake) hotspot has a stronger signal – with no password required – his computer will just automatically connect to it and now the hacker is in the middle of every conversation.
Even if the traffic is encrypted, he can execute a man-in-the-middle attack, decrypt the traffic in his fake hotspot, reencrypt it and send it on its way. Except for a few websites, like ones that pin certificates, that will work, and since airplane WiFi is so slow anyway, who the hell would notice?
I have noticed before – especially at hotels – that they intentionally do decrypt at their proxy gateway and many times your browser gives you a warning. That is the first sign to disconnect from the hotel WiFi.
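The check below is an added example, not part of the original post: it records a site's certificate fingerprint on a network you trust and compares it with what a hotspot presents, which is the idea behind certificate pinning and behind the browser warning mentioned above. The host name `mail.example.test`, the function names and the sample byte strings are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate with normal chain and hostname checks on.

    Raises ssl.SSLCertVerificationError if the chain is not trusted, which is
    the programmatic form of the browser warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def classify(host: str, der: bytes | None, pins: dict[str, set[str]]) -> str:
    """Compare what the network presented with pins recorded on a trusted network.

    der=None means verification failed before a leaf certificate could be read.
    """
    if der is None:
        return "untrusted-chain"      # the warning case: disconnect
    known = pins.get(host)
    if not known:
        return "unpinned"             # nothing recorded, no verdict possible
    return "match" if fingerprint(der) in known else "pin-mismatch"

def check_host(host: str, pins: dict[str, set[str]]) -> str:
    """Live check: needs network access, so it is not called in the demo."""
    try:
        der = fetch_leaf_der(host)
    except ssl.SSLCertVerificationError:
        der = None
    return classify(host, der, pins)

if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    trusted_net_cert = b"constructed-cert-seen-on-trusted-network"
    hotspot_cert = b"constructed-cert-seen-on-hotspot"
    pins = {"mail.example.test": {fingerprint(trusted_net_cert)}}
    samples = [("trusted", trusted_net_cert), ("hotspot", hotspot_cert), ("warning", None)]
    for label, der in samples:
        print(label, classify("mail.example.test", der, pins))
```

A leaf-certificate fingerprint also changes when the site renews its certificate, so a mismatch is a reason to stop and re-check from a trusted network rather than proof of interception.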
I actually carry my own WiFi puck with me that I pay for separately just to avoid having to use hotel WiFi. I also carry a Tiny Hardware Firewall ($100 a year including their VPN service). You can also use your phone, but my puck is from a different carrier than my phone, so I get two chances to get crappy cell service – or a 50/50 chance of getting decent cell service, depending on whether you are an optimist or pessimist.
For those who wear tin foil hats – at least sometimes – you could say this is a conspiracy. Gogo said, in a filing with the FCC, that they worked closely with law enforcement to incorporate functionalities and protections that would serve public safety and national security.
I would read this to mean that they worked with the feds to make sure that the feds could see anything they wanted to see, sans warrant. If it isn’t protected, eavesdropping is likely OK. You shouldn’t expect anything to be private. It is just listening to the airwaves.
But that reporter was sure surprised that his sources weren’t private any more.
And, when you are connected to the hacker’s fake WiFi, it is certainly possible that the hacker could inject malware into your computer. No guarantee, but definitely possible. Maybe even likely.
So much for working on the plane, while online. Offline is still good. BUT MAKE SURE YOU DISABLE THE WIFI SO THAT IT DOESN’T BEACON OUT TO THE HACKER AND CONNECT SILENTLY.
Don’t say I didn’t tell you.
Information for this post came from Ars Technica.