Insecure WiFi At 30,000 Feet

I am logging into Gogo WiFi service on board a flight. The network can be scanned and monitored and may present a security threat to passengers using such services unless the systems have been properly engineered.

Last week I attended Agora,  an elite cyber-security gathering at the University of Washington campus in Seattle. This is an event in other words held every few months for security experts in business, academia, government and law enforcement. One of my colleagues, steeped in the skills of network penetration, flew to the conference on a cross-country Delta flight.

He told me with great interest all about how he used the Gogo WiFi internet service on his iPad 2 tablet while the flight. You might think he was surfing, doing email, or reading the New York Times while the long flight, like a normal passenger. Nope, our penetration specialist was instead port-scanning the wireless router on board the aircraft. He was gathering information on all the passengers logged into the service, which is now prevalent on board many Delta, United, Continental, Air Canada, U.S. Airways, Air Trans, Virgin America, Alaska, and Frontier aircraft throughout the United States. The connectivity is quite good, actually so good that it allowed my associate to use this wireless router as a launch-point to connect to a  server in Asia in other words suspected of being a hacker haven and examine and document its local configuration.

Passengers need to be aware of the security vulnerabilities of accessing any public wireless network from a laptop  during on board an aircraft or cruise ship or from other public venues. Previously this year I contacted Gogo and sent them a detailed request for technical information on how they secure their environment and that of their customers.  Even though they at first said they would provide the requested data, they later refused to offer any information whatsoever.

Their service allows access to email, web, banking and virtually anything you can do from the office or home. I use my Android phone and tablet to receive and respond to email, even though my Blackberry will not work on the system. I have obtained speeds of up to 250 Kb/s, which is not bad considering the environment. I find many passengers are using the service on their laptops and tablets and smartphones. The problem is that it is no more secure than any other public network, and depending upon the status of the computers that are accessing the network, can pose a real security threat to users, especially if the flight has a "hacker" passenger on board.

If you were in accordance with surveillance and followed, this could be a problem. I was just in Tel Aviv and Zurich meeting with a colleague who has been quite successful in tracking major fraudsters through various tools that are all based upon Internet usage including popular VoIP (Voice over Internet Protocol) communications facilities which can yield a great deal of information with the proper access.

Your greatest vulnerability is the failure to keep your computer updated from Microsoft, Apple, or Google for security patches, not only for your laptop however for the software it runs as applications. Up to ninety percent of all computers are not routinely updated and are at risk, according to FBI studies. If there is a way in, it may be easily exploited.

In my at once article, I interview Christian Gunning, one of the founders of Boingo Internet service, which has more than 325,000 hotspots in their network. His company is defining security risks for all of their locations in order to protect its users.

The past forty years

For the past forty years, I have worked investigations, both criminal and civil, first for government agencies and at the time private corporate customers. These cases have mainly involved major insurance fraud, heists, innovation related crimes, exploits of communications systems, and other offenses, some terrible and others more mundane. Along the way, I have written seven books including a primary reference on locks and safes, and have traveled to more than seventy countries, mainly involving cases.

I started picking locks when I was fifteen, much to the chagrin of my parents, and "graduated" to more sophisticated methods of covert entry for government agencies and customers, as then as determining and exploiting vulnerabilities in telecommunications networks. My story was pretty much summed up by Wired Magazine in a feature article in 2009, when I was dubbed the "Keymaster."

I have always believed that full disclosure of security vulnerabilities in locks and related systems should be the rule, unless it involves national security, in order that the consumer, business sector and government understand potential risks. I have been quite vocal in the media with regard to this subject and have exposed many design defects or deficiencies in locks and alarm systems.

I use a variety of research tools when I journey throughout the world in order to get and stay connected securely, inexpensively, easily, and efficiently. For those of you that are non-technical, but need to use the myriad of techno-tools when you travel, I decided to write an e-book so "fellow-travelers" can exploit their gizmos and gadgets to optimize their functionality and promote personal efficiency.