Sign Up Data Centre Software Security DevOps Business Personal Tech Science Emergent Tech Bootnotes Vendor Voice

Security

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

Tue 6 Jan 2015 // 03:59 UTC 9 Got Tips?
Darren Pauli Bio Email Twitter

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®

Sign up to our NewsletterGet IT in your inbox daily
9 Comments

Keep Reading

FCC boss orders probe into 'unacceptable' T-Mobile US outage after carrier plays dog-ate-my-homework card

Yup, the old 'leased fiber line broke' excuse

As the FCC finally starts tackling its dreadful broadband maps, Georgia reveals just how bad they are

Spoiler alert: Cable companies are ripping Americans off

As nice as Pai: FCC chairman comes out in favour of Ligado Networks' 5G proposal, despite criticism from airlines and military

Updated Backing for use of L-Band spectrum for 5G

FCC lines up $16 billion for broadband across entire US. Well, except New York because, screw them, right?

They’ve got money, explains American watchdog that just can’t help itself

FCC sucks its teeth, clicks its tongue, says: Yeah, AT&T, Sprint, T-Mobile US, Verizon gleefully sold your location data. Guess we should fine them?

How much you make, Randy? Wanna cough up, I dunno, twice that or something?

Your mobile network broke the law by selling location data and may be fined millions... or maybe not, shrugs FCC

US watchdog struggles to do its job over illegal sale of folks' whereabouts

Battle for 6GHz heats up in America: Broadcasters sue FCC to kill effort to open spectrum for private Wi-Fi

Big Tech pushes back, says band use Hertz no one

Congress to FCC: Where’s the damn report on mobile companies selling location data?

Energy and Commerce Committee Democrats not happy with Ajit Pai

FCC boosts broadband competition by, er, banning broadband competition in buildings

Analysis George Orwell's got nothing on this lot with doublespeak

White House creates 'Team Telecom' to probe whether foreign telcos should be allowed near US networks

Speedier license applications possible, uncertainty remains for many

Tech Resources

The Cloud: How CISOs Can Embrace It (Wisely), Not Fear It

Cloud computing is one of the great transformational shifts in corporate information technology.

Simplifying Hybrid Cloud Flash Storage

According to industry analysts, a critical element for secure hybrid multicloud environments is the storage infrastructure.

Navigating the New Era of Cloud Computing

Hear from Steve Sibley, VP of Offering Management for IBM Power Systems about how IBM Power Systems can enable hybrid cloud environments that support “build once, deploy anywhere” options.

Migration Isn't Archiving

Make sure your solutions have the right capabilities to save you the most costs and headaches.