GoGo in-flight WiFi creates man-in-the-middle diddle

Join the mile-high club by getting screwed with fake certs

By Darren Pauli

In-flight wifi service GoGo, once accused of facilitating excessive interception access for US law enforcement, has now been spotted using fake Google SSL certificates to spy on net traffic and prevent passengers from accessing video streaming services.

Google engineer Adrienne Porter Felt (@__apf__) noticed the fake SSL certificate, which masqueraded as originating from her employer, and publicly called on the company to explain its actions.

Chief technology officer Anand Chari said only that it used the certificates to block streaming services while it upgraded network capacity and did not collect user data.

"Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don't support various streaming video sites and utilise several techniques to limit or block video streaming," Chari said in a statement.

"One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it.

"Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic."

But there were, as Felt said, "better ways to do it" than mounting a man-in-the-middle attack against users.

The company's willingness to exceed the mandatory requirements for the provision of telecommunications interception, discovered by American Civil Liberties Union technologist Chris Soghoian and detailed by Wired, extended the concerns beyond a debate on the legitimate use of bogus SSL certificates.


In September last year the company revealed in a letter (pdf) submitted to the Federal Communications Commission that it exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA).

Gogo said at the time that an additional capability, seemingly the use of CAPTCHA to prevent remote access, was an apparent lone function that was not related to traffic monitoring.

The news should serve as a warning to onboard users wishing to keep their data out of government hands. ®
