Gogo Inflight Internet serves up 'man-in-the-middle' with fake SSL

When a third party inserts itself between a user and a destination website and uses fake SSL certificates in an attempt to cover it up, it's usually known as a "man-in-the-middle" attack, and offers an opportunity for outsiders to eavesdrop on conversations and steal credentials.

Four days ago, Google Chrome security engineer Adrienne Porter Felt was on a flight where she was using Gogo's in-flight Internet -- and discovered that Gogo was issuing fake Google certificates.

According to Gogo, there was nothing malicious about this, just an attempt to conserve bandwidth by blocking online video streaming.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it," said Gogo CTO Anand Chari in a statement yesterday.

The technique is only used for some streaming sites, and does not affect general Internet traffic, he added.

"We can assure customers that no user information is being collected when any of these techniques are being used," he said. "They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience."

However, security experts say that there are many other ways of blocking online video without adopting a technique normally used by cybercriminals.

"There are about a dozen ways of doing this that are more effective than setting up a man-in-the-middle," said Jean Taggart, senior security researcher at San Jose, CA-based Malwarebytes Corp.

Taggart recommended that business travelers use either their company's VPN or a commercial VPN service to ensure that communications are secure through untrusted networks.

For some regulated industries, such as health care, not using a VPN could be a violation of the law, he added.

However, for the average user, a VPN isn't always an option, he added.

"In the case of Gogo, most people who are affected are everyday users who don't have a fully-staffed IT team to set up their machine," he added.

And those users might be making a deliberate decision to use SSL because they care about their security, said Martin Walter, Director of Product Management at Sunnyvale, Cal.-based security firm RedSeal, Inc. For example, they might want to protect their user credentials.

"Breaking a security protocol is definitely the wrong way to go," he said.

For example, Gogo could simply redirect users away from streaming sites to a page that explains that there is a limit to the available bandwidth, or redirect users based on how much bandwidth they are using.

"Communicate with the user," he urged.

This is particularly relevant for Gogo, he added, because the company has a history of privacy violations.

A couple of years ago, Gogo told the FCC that they willingly went beyond what the law required to implement "a set of additional capabilities to accommodate law enforcement interests."

"Because of the issues in the past, they should really be worried about reestablishing trust with their customers," Walter said. "And performing a man-in-the-middle is the wrong way to go about that."

According to Francis Turner, VP of Research at Carlsbad, CA-based ThreatSTOP Inc., Gogo's approach also has usability consequences.

A user who is, say, visiting one of the sites that Gogo set up the proxy for would set off browser alarms, because there is no way to distinguish between Gogo's fake certificate and a malicious one.

Chrome, for example, detects that the certificate is invalid and makes it hard to continue to the site, said Turner.

Matt Nelson, president and CEO of Alabama-based AvaLan Wireless Systems, Inc., a wireless hardware manufacturing firm, said that new laws are needed to make this kind of activity illegal.

"This is equivalent to wiretapping or recording of phone conversations without the person's knowledge," he said. "While I appreciate the airlines wanting to keep things safe, there should be limits to how much personal information is needed in order to hop onto a plane and use their WiFi."


Stories by Maria Korolov
