Use VPN to avoid Gogo Man In The Middle vulnerability

3 birds on a wire Google engineer Adrienne Felt recently noticed that Gogo in-flight Wi-Fi was messing with the SSL certificates on secure Google web pages.

Her browser showed a problem with the HTTPs connection, and further investigation showed that the SSL certificate was self signed by Gogo’s own untrusted certificate authority.

This allows them to read all of the supposedly encrypted communications in the clear. That information could include personal, financial, corporate, or other confidential data. It also tends to train users to ignore security alerts, which leaves them vulnerable to any other attacker using the same kind of Man in the Middle attack.

In their response, Gogo EVP / CTO said:

“Gogo takes our customer’s privacy very seriously and we are committed to bringing the best internet experience to the sky. Right now, Gogo is working on many ways to bring more bandwidth to an aircraft. Until then, we have stated that we don’t support various streaming video sites and utilize several techniques to limit/block video streaming. One of the recent off-the-shelf solutions that we use proxies secure video traffic to block it. Whatever technique we use to shape bandwidth, It impacts only some secure video streaming sites and does not affect general secure internet traffic. These techniques are used to assure that everyone who wants to access the Internet on a Gogo equipped plane will have a consistent browsing experience.

We can assure customers that no user information is being collected when any of these techniques are being used. They are simply ways of making sure all passengers who want to access the Internet in flight have a good experience.”

I am not very reassured by this, particularly given their previous history of going above and beyond requirements to support law enforcement intercepts. Even if they are acting in good faith, this kind of action puts all users at risk. Any compromise of the proxy server would give full clear text access to the communications of everyone on the plane.

To protect yourself, make sure you use a VPN service (like Anonymizer) to encrypt your traffic out to an endpoint beyond Gogo’s reach.

Nokia did something similar a while back.

Even certificate authorities can’t always be trusted.

Thanks to the following articles:

Gogo Inflight Internet is intentionally issuing fake SSL certificates - Neowin

Gogo Inflight Wifi Service Goes Man-In-The-Middle, Issues Fake Google SSL Certificates | Techdirt

Gizmodo - Gogo Wi-Fi Is Using Man-in-the-Middle Malware Tactics on Its Own Users

GoGo in-flight WiFi creates man-in-the-middle diddle • The Register

 

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

A tiny change in iOS 8 prevents WiFi tracking of iOS devices

IOS8 MAC Randomization

News just broke of a new feature in iOS 8 announced at Apple’s WWDC which was not covered in the big keynote. Advertisers and retail outlets have been using Wi-Fi to track mobile devices for some time. I talked about a network of Wi-Fi tracking trashcans last year in the podcast.

This works because, by default, most mobile devices are constantly on the lookout for Wi-Fi networks. The device communicates with visible base stations to see if they are known, if they are secure, and what they are called. That communication reveals the MAC address of the device’s Wi-Fi.

Like the address on your house, your phone number, or IP addresses, MAC addresses are globally unique identifiers. Everything that can speak Wi-Fi has its own individual MAC address. This makes it a great hook for tracking. If someone sets up a bunch of Wi-Fi base stations, most mobile devices going by will try to connect, giving it their MAC address. By looking at the pattern of those connections, the device can be tracked. 

More sophisticated solutions have even used signal strength to triangulate the location of devices within a small area.

The big news is that Apple is going to randomize the MAC addresses of iOS 8 devices when they are probing for networks. If the device were to probe network base stations A, B, and C they would all see different MAC addresses and think that they were tracking different devices. The iPhone or iPad would still use its real MAC when establishing a full connection, but would not provide it to all of the networks it only probes but never actually uses.

This is a really small change which provides significant privacy gains. It is similar to the decision Apple made to use randomized IPv6 addresses by default, rather than ones which uniquely identify the computer or mobile device.

Of course, Apple is also working hard to track us all with iBeacons at the same time….

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

Don't be an Ostrich about open Wi-Fi

Wi-Fi router with lockBack in 2010 I blogged about Google’s legal troubles over capturing sensitive open Wi-Fi data with their Street View cars. In a nutshell, Google was accused of violating the federal Wiretap Act when it intercepted the data on open Wi-Fi networks it passed. The purpose was to capture just the MAC addresses of the base stations to improve their enhanced location services. It appears that recording small amounts of data was accidental. Certainly if they were trying to collect data, they could easily have grabbed much more.

Google lost that case and is now appealing to the Supreme Court, hoping to overturn the decision.

Obviously it was inappropriate for a company like Google to drive around sniffing people’s Wi-Fi traffic, but they are not really the threat. What we all need to be worried about is hackers war driving our neighborhoods, either using our networks to hide their illegal activities, or capturing our personal information for their own purposes.

Whatever the legal outcome of whether it is “OK” to sniff someone’s open Wi-Fi traffic, the reality is that people do, and doing so is trivial. Anyone with a laptop can download free software and be sucking down all the Internet activity in their local coffee shop in just minutes. I think laws like this give a false sense of security. It is like saying that, as you walk down the sidewalk, you can not look in through your neighbor’s big picture window at night when they leave the curtains open.

Thinking that people are “not allowed” to sniff your open Wi-Fi just gives a false sense of security. What we need to do is make sure that ALL Wi-Fi is securely encrypted. Even public Wi-Fi should be encrypted, even if the password is “password” and is posted prominently on the wall. Using encryption changes the situation from looking though a window as you walk by to drilling a peep hole through the wall.

None of should be in denial about this. Open Wi-Fi is insecure. It will be sniffed.

If you find yourself in a situation where you have to use an open Wi-Fi hotspot, for whatever reason, make sure you immediately establish a VPN to protect yourself. I might be biased, but I use Anonymizer Universal for this purpose.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter and Google+.

The Privacy Blog Podcast – Ep.2: Website Pricing Tactics and the Dangers of Using Wi-Fi While Traveling

Welcome to our November 2012 podcast. In this episode, I’ll be talking about the tactics websites use to charge one customer more than a customer in a different city, state, or country. After that, I’ll discuss the dangers of using the Internet while on the road - as many of you are likely to do this holiday season. Don't miss our video showing how your Facebook account can be compromised on an unsecured connection. Follow this link to Anonymizer's site and select 'Video 2'.

Download the transcript here.