I have wanted to try using the Internet on an airplane, not because I ever needed it, but just for the experience. Yet, the few times the opportunity presented itself, I didn't trust that the system would securely deal with my credit card. Just a hunch.
A couple days ago, while flying on a Gogo equipped Virgin America plane, I decided to look into the security a bit. In retrospect, my earlier hesitation seems to have been justified.
I started with the WiFi Analyzer app on an Android device to check on the available networks. Two of them were hidden, which makes a bad first impression since hiding a network offers very little security.
One of the hidden networks used WEP security, and I almost turned off my device right there.
What does it say about the techies that setup the networks that they would allow something as insecure as WEP on the plane? Nothing good. Perhaps it's a honeypot?
The other hidden network was protected with WPA2 PSK. It had seven Access Points some on the 2.4GHz band, some on the 5GHz band.
According to WiFi Analyzer, all the networks are using Cisco hardware for their access points. All but one, that is. There was also a network created by an iPhone, which struck me as sad. Some Apple user has no idea how to turn off the hotspot feature on their phone.
As for the main network, the one that the passengers are supposed to use, it is wide open. That is, there is no WEP, WPA or WPA2 encryption. In other words, it's the most dangerous type of Wi-Fi network, one that lets bad guys easily watch what you are doing online.
To deal with danger of open networks, the standard advice is to use a VPN*. In other words, bring your own encryption. I doubt many airplane passengers do this.
Turning off encryption to get ease of use is all too common. Not only don't end users have to enter a password, they also don't have to be educated as to what the password is.
But this is an education failure. Wi-Fi security can be greatly enhanced with very little effort. I just saw an example of this at the BSides security conference.
The conference used the network name to inform users of the password.
Their public WiFi network was protected with WPA2-PSK-CCMP and their network name (SSID) was BSidesPublicPassord:BSidesLV. Granted, thats a bit long, a network name of "The password is 123rabbit" would do just as well. Even using one password for an entire airline, while far from perfect, would be a step up the security ladder.
I suspect that the airlines and Gogo, in their desire to profit from the Wi-Fi service, are afraid of raising the barrier to entry. Passwords are a pain. But making it more secure might encourage more users. I can't wait for the first airline that advertises the security of their Wi-Fi networks rather than the speed. Maybe I shouldn't hold my breath.
The main network was called "gogoinfight". There were two access points on the 2.4GHz band and two on the 5GHz band. On the 2.4GHz band it was using channels 1 and 11, which is good.
As soon as I connected, from an Android 4.4 device, the system warned that I needed to sign in to the network. This is Androids way of saying that the network uses a captive portal and the first thing you need to do is run a web browser. There was, actually, no need to sign in to anything. As with many public captive portals, the new user just has to agree to the terms of service.
Once in, I looked at the prices. On the plane, the cheapest option was 30 minutes of Internet access. When I had checked on the ground, beforehand, the cheapest option was for an hour of time.
I started to make a purchase to check on the security.
The first thing I noticed was that the Gogo website was not using an Extended Validation (EV) certificate. There is no excuse for this.
An EV certificate shows the end user the name of the company they are dealing with. In contrast, a cheaper Domain Validated (DV) certificate only offers encryption, but no authentication.
To illustrate the difference, consider the Gogo company itself. Few people know the name of their website. Is it gogo.com, gogo.net, gogoinflight.com, gogointernet.com, gogointheair.com? The owner of a scam domain, such as gogoinflite.net, can get a DV certificate. However, only the actual Gogo company can get an EV certificate because the extended validation verifies that the company is actually who they claim to be. With the cheaper DV certificate, no one verifies that the owner of gogoinflite.net has any association with Gogo.
Any company selling stuff online should have an EV certificate. It is the cost of doing business.
Gogo especially needs one because they use more than one domain name. In the air, they use gogoinflight.com. On the ground, they go by gogoair.com.
Another missing security feature on the Gogo website is Perfect Forward Secrecy (the link is to my 2013 blog on the subject). Suffice it to say that without Forward Secrecy, it can be argued that online security is a scam.
Finally, I looked for another wireless security feature: isolation.
You typically see isolation offered on the Guest networks created by routers. Guest networks share a similar goal with the wireless network on an airplane: they want users to be able to access the Internet and nothing else. That is, they want to isolate Guest network users from anything and anyone else that may be on the network.
The configuration options for the Guest network created by a TP-LINK Archer C8 router, shown below, are a great example of this.
The first option determines whether guest users can see each other, the second option controls whether they can see other devices (such as a network printer) on the Local Network. It is simple and clearly explained.
To test if the Cisco devices running the "gogoinfight" network were also preventing clients from seeing each other, I ran the Fing LAN scanner on my Android device.
Fing found 22 other WiFi users. The cheap consumer router, the Archer C8, offers better isolation security than the expensive Cisco devices at 30,000 feet.
Another Android LAN scanner, PingTools, has a Bonjour browser. I am not familiar with Bonjour, other than the fact that it is used on iOS and OS X for discovering devices and services on a network. Sure enough, the Bonjour browser found an Apple user on the network.
Clearly, users are not isolated from each other which opens them up to Man-In-The-Middle attacks.
Using ARP poisoning (a.k.a. ARP spoofing) a bad guy on the network can pretend to be the Cisco access point. Victims are normally unaware that anything bad has happened since the bad guy continues to provide Internet access, but, it all goes through him. That is, the bad guy on the network can see everything coming and going from the victimized Wi-Fi devices.Even worse, the bad guy can change data in-flight (no pun intended). Even normally secure HTTPS/SSL/TLS traffic can fall victim to a Man-In-The-Middle attack.
ARP poisoning, by the way, is not a Wi-Fi thing, it goes back to the days when all networks used wired Ethernet.
Clearly, security was not on the radar screen (this pun was intended) of Gogo when they setup their Internet access. The Defensive Computing thing to do then, is to treat an airplane as a Wi-Fi free zone.
*Tor would also work, but its slow enough without adding 30,000 feet of slowness to it. Techies may also opt for SSH.