GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

By Darren Pauli

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than creating a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
