Using in-flight Wi-Fi? You might get hacked!

Using in-flight Wi-Fi when you travel? Business travelers beware! In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors.
Sometimes convenience isn’t all it is cracked up to be. When it comes to privacy and security, in-flight Wi-Fi network services such as GoGo Wireless may not have your best interests at heart.

Remember this: It’s no secret that GoGo (in a letter leaked to Wired) in 2012 worked out an agreement with the feds to provide additional capabilities to accommodate law enforcement interests, and also implemented those functionalities into its system design. When it comes to security—I’m my own best “techdirt” and a rabid scavenger for company history.

 

March 10, 2016 by Bev Robb

In-Flight Wi-Fi “insecurity”

 

USA Today columnist Steven Petrow, en route on an American Airlines flight from Dallas to Raleigh last month, experienced a crazy ending to his flight: unknown to Petrow while in the air, his device had been compromised by a hacker while he was using GoGo’s in-flight Wi-Fi service.
 

When the plane landed, the hacker blatantly approached Petrow, stating that he needed to speak with him, and told Petrow to wait for him at the gate. The hacker knew Petrow was a reporter and had hacked his email (as he had done to most passengers on that particular flight). The hacker also provided verbatim details of the email content that he had intercepted in-flight. Petrow stated in USA Today:
 


One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue.
 

Petrow’s story could have taken a twist for the “bad, the ugly and the vile”. He was fortunate that this particular hacker showed some semblance of conscience. Prior to the incident, Petrow thought he really did not have to worry about his online privacy and was of the mindset “I’ve got nothing to hide. And who would want to know what I’m up to, anyway?”

This time the hacker did him a good turn. Next time—the hack could belong to a bad actor who turns over company secrets or sensitive information to the underground for further nefarious purposes.
 

Read the policies first

 

GoGo states in their privacy policy:




The connection through which you access the Services is an SSL-encrypted link. However, following such initial access, due to multiple users of our inflight Wi-Fi access point, Gogo does not provide an encrypted communication channel, such as Wired Equivalent Privacy (WEP), or Wi-Fi Protected Access (WPA2), between our in-flight Wi-Fi access point and your Device.


Though GoGo recommends the use of a VPN (let’s give them a pat on the back for that one), they also state in their privacy policy that “sensitive or private information should not be accessed via or transmitted over an un-encrypted connection.”
 

My bottom line

 

Hands down—I refuse to connect to in-flight Wi-Fi. Though I do use a VPN—VPN connections have been known to drop. I’m far too security and privacy conscious to feel comfortable with the possibility of a hacker intercepting my personal data. I also feel a responsibility to protect contacts, email communications, social media accounts, company information, and sensitive data from the bad guys.
 

If you feel that you must absolutely utilize in-flight Wi-Fi (even after reading their terribly inadequate privacy and security policies)—here is some security hygiene advice:
 

In-flight information security best practices
 

  1. Always verify the Wi-Fi network name.
  2. Use strong passwords.
  3. Keep all devices updated and protected.
  4. Turn off Bluetooth.
  5. Turn off Wi-Fi when not in use.
  6. Double check website addresses for https.
  7. Use a VPN service. This deters sniffing and encrypts your traffic.
  8. Do not perform any online sensitive/financial transactions.
  9. When logging off from in-flight Wi-Fi be sure to forget the network.
  10. Turn off file sharing on laptops and use a good firewall.
  11. All devices should use encryption (FileVault, BitLocker).
  12. Use a password manager (LastPass, Dashlane).
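
Item 7 depends on the tunnel actually carrying your traffic, and as noted above, VPN connections drop. The following check is an added example, not part of the original article. It reads a Linux IPv4 routing table and reports whether ordinary traffic would leave on the Wi-Fi interface instead of the tunnel. The route tables are constructed samples, the tunnel interface name prefixes are an assumption, and route metrics and IPv6 are not considered.

```python
import ipaddress

# Constructed `ip -4 route show` output (not captured from a real host).
# VPN_UP has the two /1 routes OpenVPN's "redirect-gateway def1" installs,
# plus a host route that carries the encrypted tunnel to the VPN server.
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 172.19.134.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
172.19.134.0/24 dev wlan0 proto kernel scope link src 172.19.134.57
198.51.100.7 via 172.19.134.1 dev wlan0
"""
VPN_DROPPED = """\
default via 172.19.134.1 dev wlan0 proto dhcp metric 600
172.19.134.0/24 dev wlan0 proto kernel scope link src 172.19.134.57
"""
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp", "utun")  # assumed interface names

def parse_routes(text):
    """Return [(network, device)] from `ip -4 route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # blank line, or a route type with no device (blackhole)
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field is a keyword, not a prefix
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match, the rule the kernel uses to pick a route."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def leaks_outside_tunnel(route_text, probes=("1.1.1.1", "203.0.113.10")):
    """True if a probe address would leave on a non-tunnel interface.
    Nothing is sent; the probes only exercise both halves of IPv4 space."""
    routes = parse_routes(route_text)
    for probe in probes:
        dev = egress_device(routes, probe)
        if dev is not None and not dev.startswith(TUNNEL_PREFIXES):
            return True
    return False
```

On a real machine, pass it the output of `ip -4 route show` and run it again whenever the VPN client reconnects.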

Last but not least—tattoo this to your memory bank:


With most airline Wi-Fi providers there is no encryption between your device and the airplane’s wireless access point. Even if you use a good VPN, it is still prone to disconnection. A word to the wise: Avoid working on sensitive company documents while on in-flight Wi-Fi and save your financial transactions for home. —Dell PowerMore
 
For the record, I am not just picking on GoGo (they were simply a convenience); I feel the same way about all in-flight Wi-Fi services. Do you agree or disagree?
 


It’s not if, not when, but what are you going to do when you’re hacked?  —John Millican, CERM
This article was originally published at the Fortscale Insider Blog.


Author:Teksquisite
2 Comments
 
LVL 6

Author Comment

by:Teksquisite
Good grief the submit button was way at the bottom!
0
 
LVL 1

Expert Comment

by:SINC_dmack
The connection between a smart phone and an email server should always be SSL encrypted.  It doesn't matter if the wifi connection is insecure, as the 2048-bit (or higher) level of encryption used by the mail server's SSL certificate is more than sufficient to keep hackers out.  If a hacker was able to intercept Steven Petrow's email and/or mail server credentials, it is because the mail server itself was inadequately secured, such as if it was a legacy unencrypted POP3-based server.  

The onus for that lapse lies with whoever is responsible for determining what is acceptable for the mail server's configuration, and on the user for relying on such an insecure method for using email.  All of the major free email providers (Gmail, Yahoo, Hotmail) provide encrypted connections, and so do properly-configured Microsoft Exchange servers.  But people using fly-by-night "100 mailboxes for $20 per month" or whatever services may well not have any encryption.  Where people can really run into problems is if they use insecure email services AND use the same password for other services.  For example, if Steven Petrow had used the same credentials for his email and for his credit card website, a hacker who got the email credentials could have sniffed his wifi traffic to see what credit card website Steven went to, and then attempted to use those credentials there.  But since the credit card website would be SSL encrypted, if Steven had used different credentials for email and the credit card website, then the hacker would have, at best, just been able to see that Steven was going to a credit card website, but not intercepted his credentials or any data sent or received to that website.

Sure, a VPN will alleviate the problem of having an insecure email server (and it's never a bad idea to have an extra layer of encryption), but who is going to start up a VPN every time they want their phone to check their email?  Pretty much nobody.  Rather than advise people to take a bunch of steps that ought to be unnecessary, suggest that they ensure that any services they access over the internet are properly SSL-encrypted.
0
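
The scenario in the comment above (an unencrypted mail service whose password is also used on a TLS-protected site) can be checked for before a trip. The following audit is an added example, not code from the article or either commenter. The account inventory, its field names and the sample passwords are constructed, and treating optional STARTTLS as unprotected is an assumption made because a client in that mode can fall back to plaintext.

```python
import hashlib
import hmac
import os

# Constructed account inventory. "security" is the transport mode the
# client is configured to use for that service.
ACCOUNTS = [
    {"name": "work-mail", "proto": "imap", "security": "ssl",
     "password": "Tr1cky-Horse-42"},
    {"name": "legacy-mail", "proto": "pop3", "security": "none",
     "password": "summer2016"},
    {"name": "card-portal", "proto": "https", "security": "ssl",
     "password": "summer2016"},
    {"name": "isp-smtp", "proto": "smtp", "security": "starttls-optional",
     "password": "Other-Pass-9"},
]

# Modes that keep credentials encrypted across an unencrypted Wi-Fi hop.
ENCRYPTED_MODES = {"ssl", "starttls-required"}

def fingerprint(password, key):
    """Keyed hash, so passwords are compared without being stored."""
    return hmac.new(key, password.encode(), hashlib.sha256).digest()

def audit(accounts):
    """Return (account, finding) pairs for exposed and reused credentials."""
    key = os.urandom(32)
    exposed = {}   # fingerprint -> first account that sends it unprotected
    findings = []
    for acct in accounts:
        if acct["security"] not in ENCRYPTED_MODES:
            exposed.setdefault(fingerprint(acct["password"], key), acct["name"])
            findings.append((acct["name"],
                             "credentials sent without enforced TLS"))
    # A TLS-protected service is still at risk if it shares a password
    # with one of the exposed accounts.
    for acct in accounts:
        if acct["security"] in ENCRYPTED_MODES:
            source = exposed.get(fingerprint(acct["password"], key))
            if source:
                findings.append((acct["name"],
                                 f"password reused from exposed account {source}"))
    return findings
```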
