GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.

In September last year, the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
