Security

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®

Send us news
9 Comments

Back in black: Microsoft Blue Screen of Death is going dark

At least the BSOD acronym will still work

Uncle Sam wants you – to use memory-safe programming languages

'Memory vulnerabilities pose serious risks to national security and critical infrastructure,' say CISA and NSA

CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands

NetScaler vendor issued a patch but otherwise, stony silence

Microsoft admits to Intune forgetfulness

Customizations not saved with security baseline policy update

Microsoft Windows Firewall complains about Microsoft code

Just ignore the warnings. Nothing to see here. Move along

CISA warns the Signal clone used by natsec staffers is being attacked, so patch now

Two flaws in TeleMessage are 'frequent attack vectors for malicious cyber actors'

Ex-NATO hacker: 'In the cyber world, there's no such thing as a ceasefire'

Watch out for supply chain hacks especially

Crims are posing as insurance companies to steal health records and payment info

Taking advantage of the ridiculously complex US healthcare billing system

Aloha, you’ve been pwned: Hawaiian Airlines discloses ‘cybersecurity event’

'No impact on safety,' FAA tells The Reg

Scholars sneaking phrases into papers to fool AI reviewers

Using prompt injections to play a Jedi mind trick on LLMs

Let's Encrypt rolls out free security certs for IP addresses

You probably don't need one, but it's nice to have the option

ChatGPT creates phisher’s paradise by recommending the wrong URLs for major companies

Crims have cottoned on to a new way to lead you astray