Do I Believe That GoGo Makes Airplanes Safer? Yes!
Since I'm typing this during the intermission of the U.S. Hockey team's attempt to upset the heavy favorites for the gold medal, I thought I'd appropriate the famous line from the Miracle on Ice 30 years ago for today's blog headline. After analyzing the security of the in-flight WiFi offering six months ago, it's time to revisit the GoGo offering and discuss why it really makes things safer for the data security on airplanes as a whole.
Gogo is an airplane-based Internet WiFi service available from several airline carriers on flights across the continental United States. Gogo is a fee-based service that costs $30 for a 30 day pass (which I am grateful for due to having four cross-country Delta trips in a twelve day period) or $13 for a single day pass (handheld devices get a $5 discount on the daily price).
Gogo security is what could be described as borderline negligent in a typical WiFi guest access environment. Essentially, they are mainly protecting themselves. They have web-based authentication to make sure that customers pay before using the WiFi, but they offer no encryption to keep people from eavesdropping on wireless data and no MAC layer authentication to prevent evil twin AP attacks that could lead to man-in-the-middle, Wi-Phishing, etc. I will give Gogo credit for enabling intra-BSS blocking (also known as host-to-host blocking) to keep customers from attacking each other.
Now, at this point the title and the body of this article seem to contradict each other. One says that Gogo enhances safety and the other says that they are doing a poor job. Could both be true? I say yes, and here's why.
Gogo enhances safety because the existence of in-flight WiFi has reduced the dangerous station behavior of probing for previously associated SSIDs.
You see, most WiFi client software builds a preferred networks list from SSIDs that a station connects to. When the WiFi radio gets turned on, the client software looks to associate to an AP using an SSID from the preferred networks list. As part of this process of searching for a preferred network, most client utilities (though not the APple Airport Client or the Windows Vista/7 client) cause the WiFi radio to send probe request frames containing the SSID of the networks they're looking for. That means if you're using the Intel ProSet utility, the Dell TrueMobile utility or any of a host of other Windows and Linux-based clients, anyone running a WiFi sniffer near your laptop may find out which SSIDs you're looking for. If the person running the sniffer also has software that can turn a station into an AP (as devices that support the forthcoming WiFi Direct certification will do), they could create an AP with an SSID that matches one that the station is probing for and create an evil twin attack.
On planes without Gogo, running a WiFi sniffer makes me want to tweet "smh". I almost always capture dozens of probe requests from preferred networks lists, many of which represent unencrypted WLANs. (SSIDs to unencrypted WLANs makes evil twin attacks more effective because then the hacker doesn't need to attach a key or passphrase to the SSID when creating the evil twin AP.) That's because the typical behavior of a laptop user on an airplane is the following:
1) Turn on laptop.
2) Open Microsoft Office.
3) Remind me why I'll never be rich*
Typically the step, "Turn off WiFi radio to prevent evil twin AP attacks," appears nowhere on that list. The end result is a smorgasbord of attacking options for a savvy wireless hacker.
On Gogo-equipped flights like the one I'm currently on, the behavior changes to the following:
1) Turn on laptop
2) Connect to the "gogoinflight" SSID
3) Choose not to pay $13**
4) Advance to steps 2 and 3 above.
The important part of this behavior is step 2. By connecting to the Gogo WiFi network, people are inadvertantly saving themselves from a potential attack. When a WiFi station associates, client utilities cease probing for other SSIDs. So while a hacker could still setup their own AP with a matching SSID of "gogoinflight" and attempt an evil twin AP attack, it has a much more remote chance of working.
I noticed this phenomenon after taking United and Delta flights on back-to-back days earlier this month. On the United flight, my probe request filter in Wireshark filled up with SSIDs immediately, some of them known to be unencrypted ("Boingo Hotspot" and "co_presidents_club" to name two). On the Delta flight, all I got were two: "attwifi" and "nomad".
Again, I'm not here to say that Gogo does a great job with security. They don't. But even with their poor setup the fact that in-flight WiFi exists is making the skies safer for wireless networking.
Gogo is an airplane-based Internet WiFi service available from several airline carriers on flights across the continental United States. Gogo is a fee-based service that costs $30 for a 30 day pass (which I am grateful for due to having four cross-country Delta trips in a twelve day period) or $13 for a single day pass (handheld devices get a $5 discount on the daily price).
Gogo security is what could be described as borderline negligent in a typical WiFi guest access environment. Essentially, they are mainly protecting themselves. They have web-based authentication to make sure that customers pay before using the WiFi, but they offer no encryption to keep people from eavesdropping on wireless data and no MAC layer authentication to prevent evil twin AP attacks that could lead to man-in-the-middle, Wi-Phishing, etc. I will give Gogo credit for enabling intra-BSS blocking (also known as host-to-host blocking) to keep customers from attacking each other.
Now, at this point the title and the body of this article seem to contradict each other. One says that Gogo enhances safety and the other says that they are doing a poor job. Could both be true? I say yes, and here's why.
Gogo enhances safety because the existence of in-flight WiFi has reduced the dangerous station behavior of probing for previously associated SSIDs.
You see, most WiFi client software builds a preferred networks list from SSIDs that a station connects to. When the WiFi radio gets turned on, the client software looks to associate to an AP using an SSID from the preferred networks list. As part of this process of searching for a preferred network, most client utilities (though not the APple Airport Client or the Windows Vista/7 client) cause the WiFi radio to send probe request frames containing the SSID of the networks they're looking for. That means if you're using the Intel ProSet utility, the Dell TrueMobile utility or any of a host of other Windows and Linux-based clients, anyone running a WiFi sniffer near your laptop may find out which SSIDs you're looking for. If the person running the sniffer also has software that can turn a station into an AP (as devices that support the forthcoming WiFi Direct certification will do), they could create an AP with an SSID that matches one that the station is probing for and create an evil twin attack.
On planes without Gogo, running a WiFi sniffer makes me want to tweet "smh". I almost always capture dozens of probe requests from preferred networks lists, many of which represent unencrypted WLANs. (SSIDs to unencrypted WLANs makes evil twin attacks more effective because then the hacker doesn't need to attach a key or passphrase to the SSID when creating the evil twin AP.) That's because the typical behavior of a laptop user on an airplane is the following:
1) Turn on laptop.
2) Open Microsoft Office.
3) Remind me why I'll never be rich*
Typically the step, "Turn off WiFi radio to prevent evil twin AP attacks," appears nowhere on that list. The end result is a smorgasbord of attacking options for a savvy wireless hacker.
On Gogo-equipped flights like the one I'm currently on, the behavior changes to the following:
1) Turn on laptop
2) Connect to the "gogoinflight" SSID
3) Choose not to pay $13**
4) Advance to steps 2 and 3 above.
The important part of this behavior is step 2. By connecting to the Gogo WiFi network, people are inadvertantly saving themselves from a potential attack. When a WiFi station associates, client utilities cease probing for other SSIDs. So while a hacker could still setup their own AP with a matching SSID of "gogoinflight" and attempt an evil twin AP attack, it has a much more remote chance of working.
I noticed this phenomenon after taking United and Delta flights on back-to-back days earlier this month. On the United flight, my probe request filter in Wireshark filled up with SSIDs immediately, some of them known to be unencrypted ("Boingo Hotspot" and "co_presidents_club" to name two). On the Delta flight, all I got were two: "attwifi" and "nomad".
Again, I'm not here to say that Gogo does a great job with security. They don't. But even with their poor setup the fact that in-flight WiFi exists is making the skies safer for wireless networking.
Comments
Post a Comment