GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs


In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
