Sign Up
All SecurityCyber-crimePatchesResearchCSO
All Off-PremEdge + IoTChannelPaaS + IaaSSaaS
All On-PremSystemsStorageNetworksHPCPersonal TechCxOPublic Sector
All SoftwareAI + MLApplicationsDatabasesDevOpsOSesVirtualization
All OffbeatDebatesColumnistsScienceGeek's GuideBOFHLegalBootnotesSite NewsAbout Us

Security

GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

Darren Pauli Tue 6 Jan 2015  //  03:59 UTC

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate which masqueraded as orginating from her employer and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were as Felt said "better ways to do it" other than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired extended the concerns beyond a debate on the legitimate use of bogus SSL certficates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA)

Gogo said at the time that an additional capability seemingly the use of CAPTCHA to prevent remote access was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
Send us news
9 Comments

Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz

How Chocolate Factory hopes to double down on enterprise-sec

CISA spots spawn of Spawn malware targeting Ivanti flaw

Resurge an apt name for malware targeting hardware maker that has security bug after security bug

Uncle Sam kills funding for CVE program. Yes, that CVE program

Because vulnerability management has nothing to do with national security, right?

As CISA braces for more cuts, threat intel sharing takes a hit

How will 'gutting' civilian defense agency make American cybersecurity great again?

CVE fallout: The splintering of the standard vulnerability tracking system has begun

MITRE, EUVD, GCVE … WTF?

Krebs throws himself on the grenade, resigns from SentinelOne after Trump revokes clearances

Illegitimi non carborundum? Nice password, Mr Ex-CISA

LLMs can't stop making up software dependencies and sabotaging everything

Hallucinated package names fuel 'slopsquatting'

CVE program gets last-minute funding from CISA – and maybe a new home

Uncertainty is the new certainty

Cyber congressman demands answers before CISA gets cut down to size

What's the goal here, Homeland Insecurity or something?

Wyden blocks Trump's CISA boss nominee, blames cyber agency for 'actively hiding info' about telecom insecurity

It worked for in 2018 with Chris Krebs. Will it work again?

Hacking US crosswalks to talk like Zuck is as easy as 1234

AI-spoofed Mark joins fellow billionaires as the voice of the street – here's how it was probably done

Oracle hopes talk of cloud data theft dies off. CISA just resurrected it for Easter

Some in the infosec world definitely want to see Big Red crucified