Security

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®

Send us news
9 Comments

MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen

Real-life impact of buggy software laid bare – plus: Avast tries to profit from being caught up in attacks

Microsoft's bug bounty turns 10. Are these kinds of rewards making code more secure?

Katie Moussouris, who pioneered Redmond's program, says folks are focusing on the wrong thing

Google, Amazon, Microsoft make the Mozilla naughty list for Christmas shopping

Big Tech's toys have privacy problems. Why not buy utterly unconnected dead-tree books instead?

Rights warriors claim online ad auction data a danger to national security

'The industry can not be allowed to put elected leaders, military personnel at risk'

New Relic warns customers it's experienced a cyber … something

Users told to hold tight and await instructions as investigation continues

Mirai malware infects routers and cameras for new botnet

Akamai sounds the alarm – won't name the manufacturers yet

How to give Windows Hello the finger and login as someone on their stolen laptop

Not that we're encouraging anyone to defeat this fingerprint authentication

Ukraine cyber spies claim Putin's planes are in peril as sanctions bite

Aeroflot fleet still has a smoking section, but not for tobacco

Clorox CISO flushes self after multimillion-dollar cyberattack

Plus: Ransomware crooks file SEC complaint against victim

Another month, another bunch of fixes for Microsoft security bugs exploited in the wild

Plus: VMware closes critical hole, Adobe fixes a whopping 76 flaws

Japan's space agency suffers cyber attack, points finger at Active Directory

JAXA is having a tough time in cyberspace and outer space, the latter thanks to an electrical glitch

'Serial cybercriminal and scammer' jailed for 8 years, told to pay back $1.2M

Crook did everything from SIM swaps to fake verified badge scams