Gogo inflight wi-fi uses man-in-the-middle malware tactics

Gogo wi-fi service has been found to be using fake Google SSL certificates on aircraft to prevent passengers from accessing video streaming services like You Tube.  

The practice, which essentially sets up a man-in-the-middle (MitM) attack of sorts, was discovered by Google engineer Adrienne Porter Felt, who logged into Gogo WiFi during a recent flight and noticed the telltale red “x” in her address bar, warning that the certificate for a site “was signed by an untrusted issuer”. Gogo, not Google, had signed it.

The engineer took to Twitter to question Gogo, tweeting “Hey @Gogo, why are you issuing *.google.com certificates on your planes?” Felt's tweet drew speculation—and accusations—from other Twitter users regarding Gogo's motivations.

After Felt's discovery of the fake certificates, Gogo issued a statement from the company’s CTO Anand Chari saying the company takes customer privacy seriously and is “committed to bring the best internet experience to the sky.” Noting that the service “is working on many ways to bring more bandwidth to an aircraft.”

To that end, currently the company does not support “various streaming video sites” and uses “several techniques to limit/block video streaming.” 

An off-the-shelf solution used by Gogo “proxies secure video traffic to block it,” said Chari. “Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic.”

Chari went on to “assure customers that no user information is being collected when any of these techniques are being used” but rather they represent “ways of making sure all passengers who want to access the internet in flight have a good experience.”

Regardless of the motivation behind using the fake Google SSL certifications, the consensus among security pros, is that Gogo's actions eliminated a layer of security for its customers and made them vulnerable to potential malicious attacks.

What’s more there is speculation in regards to what Gogo may do with any data it intercepts as the organisation has previously come under fire in the past for too readily offering law enforcement easy access to intercept data. 

In a letter to the Federal Communications Commission (FCC) in 2012 Gogo noted that it “worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests,”  which by its own admission exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA). “Gogo then implemented those functionalities into its system design,” the letter said.

Copyright © SC Magazine, Australia