In-flight Wi-Fi, Careful You might get hacked!

In-flight Wi-Fi networks could rip the door right off your digital privacy portal. That’s no joke either, as it might also provide a convenient entrance for bad threat actors. Sometimes convenience isn’t all it is cut up to be. When it comes to privacy and security — in-flight Wi-Fi network services such as GoGo Wireless may not have your best interests at heart.

Remember this: It’s no secret that GoGo (in a letter leaked to Wired) in 2012 worked out an agreement with the feds to provide additional capabilities to accommodate law enforcement interests, and also implemented those functionalities into its system design. When it comes to security — I’m my own best “techdirt” and a rabid scavenger for company history.

Hacker does a good turn!

USA Today columnist, Steven Petrow (while enroute on an American Airlines flight from Dallas to Raleigh last month), experienced a crazy ending upon flight departure — (unknown to Petrow while in-flight) his device had been compromised by a hacker while using GoGo’s in-flight Wi-Fi service.

When the plane landed, the hacker blatantly approached Petrow stating that he needed to speak with him and told Petrow to wait for him at the gate. The hacker knew Petrow was a reporter and hacked his email, (as he had done to most passengers on that particular flight). The hacker also provided verbatim details on the email content that he had intercepted in-flight. Petrow stated in USA Today:

“One of my emails was pretty explicit about the focus of my story and I had emailed Bruce Schneier, a security expert who had previously written in the Washington Post about this very issue.”

Petrow’s story could have taken a twist for the “bad, the ugly and the vile” — he was fortunate that this particular hacker portrayed some semblance of conscience. Though Petrow (prior to the incident) thought he really did not have to worry about his online privacy and was of the mindset “I’ve got nothing to hide. And who would want to know what I’m up to, anyway?”

This time the hacker did him a good turn. Next time — the hack could belong to a bad actor who turns over company secrets or sensitive information to the underground for further nefarious purposes.

Read the policies first

GoGo states in their privacy policy:

“The connection through which you access the Services is an SSL-encrypted link. However, following such initial access, due to multiple users of our inflight Wi-Fi access point, Gogo does not provide an encrypted communication channel, such as Wired Equivalent Privacy (WEP), or Wi-Fi Protected Access (WPA2), between our in-flight Wi-Fi access point and your Device.”

Though GoGo recommends the use of a VPN (let’s give them a pat on the back for that one), they also state in their privacy policy that “sensitive or private information should not be accessed via or transmitted over an un-encrypted connection.”

My bottom line

Hands down — I refuse to connect to in-flight Wi-Fi. Though I do use a VPN — VPN connections have been known to drop. I’m far too security and privacy conscious to feel comfortable with the possibility of a hacker intercepting my personal data. I also feel a responsibility to protect contacts, email communications, social media accounts, company information, and sensitive data from the bad guys.

If you feel that you must absolutely utilize in-flight Wi-Fi (even after reading their terribly inadequate privacy and security policies) — here is some security hygiene advice:

In-flight information security best practices

  1. Always verify the Wi-Fi network name.
  2. Use strong passwords.
  3. Keep all devices updated and protected.
  4. Turn off Bluetooth.
  5. Turn off Wi-Fi when not in use.
  6. Double check website addresses for https.
  7. Use a VPN service. This will deter sniffing and encrypts your traffic.
  8. Do not perform any online sensitive/financial transactions.
  9. When logging off from in-flight Wi-Fi be sure to forget the network.
  10. Turn off file sharing on laptops and use a good firewall.
  11. All devices should use encryption (FileVault, BitLocker).
  12. Use a password manager (LastPass, Dashlane).

Last but not least — tattoo this to your memory bank:

“With most airline Wi-Fi providers there is no encryption between your device and the airplanes wireless access point. Even if you use a good VPN, it is still prone to disconnection. A word to the wise: Avoid working on sensitive company documents while on in-flight Wi-Fi and save your financial transactions for home.” — Dell PowerMore

For the record — I am not just picking on GoGo (they were simply a convenience), I feel the same way about all in-flight Wi-Fi services. Do you agree or disagree?

It’s not if, not when, but what are you going to do when you’re hacked? — John Millican, CERM

Be sure to check out: A Well Prepared InfoSec Traveler by josephpizzo

This article was originally published at the Fortscale Insider Blog.