Flyers who don't want their data intercepted by Gogo LLC, or to fall unnecessarily into the hands of law enforcement, might want to reconsider using the inflight WiFi service after it was found to be using fake Google SSL certificates.
The practice, which essentially sets up a man-in-the-middle (MitM) attack of sorts, was discovered by Google engineer Adrienne Porter Felt, who logged into Gogo WiFi during a recent flight.
After seeing a telltale red “x” in her address bar, warning that the certificate for a site “was signed by an untrusted issuer,” Felt realized that Gogo, not Google, had signed it.
The engineer took to Twitter to question Gogo, tweeting “Hey @Gogo, why are you issuing *.google.com certificates on your planes?”
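What tipped Felt off is the check every TLS client performs: the certificate presented for a name must chain to an issuer the client trusts, and the name in the certificate must actually cover the host being visited. The script below is an added example, not code from the article, from Gogo or from Google. It reproduces that check in two parts: a live verified handshake (which raises `ssl.SSLCertVerificationError` with the same "untrusted issuer" reason the browser showed) and an offline policy check over the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, with a pinned list of issuers you expect for the host. The expected-issuer names and the sample certificate dictionary are assumptions constructed for the example; the interception CA name is a placeholder.

```python
"""Added example: spot a TLS interception certificate the way a browser does,
by checking who signed the certificate for a hostname and whether the name
in it matches the host. Standard library only."""
import socket
import ssl

# Assumption for the example: issuer organizations a client expects to see on
# google.com certificates. A real deployment pins whatever its own CA policy says.
EXPECTED_ISSUER_ORGS = {"Google Trust Services", "Google Trust Services LLC"}


def _hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact name, or a wildcard covering exactly one
    left-most label ('*.google.com' matches 'www.google.com' but neither
    'google.com' nor 'a.b.google.com')."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if (labels[0] == "*" and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def _rdn_value(rdn_seq, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    tuple-of-tuples that getpeercert() uses for subject and issuer."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def analyze_peer_cert(cert, hostname, expected_issuer_orgs=EXPECTED_ISSUER_ORGS):
    """Offline policy check over a getpeercert()-shaped dict. Returns a verdict
    with the reasons the certificate looks like an interception certificate."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    names = san or ([cn] if cn else [])          # SAN wins; CN is a fallback only
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    self_signed = cert.get("issuer") == cert.get("subject")

    findings = []
    if not _hostname_matches(hostname, names):
        findings.append("name mismatch")
    if self_signed:
        findings.append("self-signed")
    elif issuer_org not in expected_issuer_orgs:
        findings.append("unexpected issuer: %r" % issuer_org)
    return {
        "hostname": hostname,
        "names": names,
        "issuer_org": issuer_org,
        "intercepted": bool(findings),
        "findings": findings,
    }


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live check (needs network): a verified handshake either returns the
    peer certificate dict or raises ssl.SSLCertVerificationError, whose
    message is what the browser's 'untrusted issuer' warning is built from."""
    ctx = ssl.create_default_context()   # system trust store + hostname check
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: what getpeercert() would hold if the certificate offered
# for *.google.com had been signed by an interception CA (placeholder name).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "issuer": ((("organizationName", "Example In-Flight Proxy CA"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
}

if __name__ == "__main__":
    print(analyze_peer_cert(INTERCEPTED_CERT, "www.google.com"))
```

On a real connection the live path is the one that matters: `create_default_context()` validates the chain against the system trust store, so an interception CA that was never installed on the device fails before any application data is sent. The offline check is useful on top of that for a pinned host, because a proxy CA that *has* been installed on the machine would pass chain validation and only the issuer pin would catch it.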
Felt's tweet drew speculation—and accusations—from other Twitter users regarding Gogo's motivations. One user who goes by the handle @monsters77 called the practice “nefarious,” while Dan Tentler, co-founder and chief technologist at Carbon Dynamics, tweeted that the company's actions show “they MITM your connection and pipe absolutely everything to law enforcement. This has been documented.”
Indeed, Gogo has come under fire in the past for too readily offering law enforcement easy access to intercept data.
In a letter to the Federal Communications Commission (FCC) in 2012, Gogo noted that it “worked with federal agencies to reach agreement regarding a set of additional capabilities to accommodate law enforcement interests,” which by its own admission exceeded the requirements of the Communications Assistance for Law Enforcement Act (CALEA). “Gogo then implemented those functionalities into its system design,” the letter said.
After Felt's discovery of the fake certificates, Gogo issued a statement from Anand Chari, executive vice president and CTO at Gogo, saying the company takes customer privacy seriously and is “committed to bring the best internet experience to the sky,” while noting that the service “is working on many ways to bring more bandwidth to an aircraft.” To that end, the company currently does not support “various streaming video sites” and uses “several techniques to limit/block video streaming.”
An off-the-shelf solution used by Gogo “proxies secure video traffic to block it,” said Chari. “Whatever technique we use to shape bandwidth, it impacts only some secure video streaming sites and does not affect general secure internet traffic.”
Chari went on to “assure customers that no user information is being collected when any of these techniques are being used” but rather they represent “ways of making sure all passengers who want to access the Internet in flight have a good experience.”
Regardless of the motivation behind using the fake Google SSL certificates, the consensus among security pros is that Gogo's actions eliminated a layer of security for its customers and made them vulnerable to potential malicious attacks.
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, in a prepared statement sent to SCMagazine.com called the risk pervasive.
“It is increasingly difficult for both end users and businesses to understand if secure communications can be trusted,” he said. “It's best if business providers like Gogo don't complicate the matter by creating more confusion and risk with what looks like malicious certificates that could be used to spoof and monitor private communications.”
Bocek noted that “last year, Facebook and Carnegie Mellon University found more than 6,000 forged certificates that represented Facebook, some of them were actively used by malicious software,” adding that Gartner's conclusion “that ‘certificates can no longer be blindly trusted’ from back in 2012 continues to play out in 2015” and that “Intel expects the next major cybercriminal marketplace to be the sale of compromised digital certificates.”
Calling “forged, compromised, and misused certificates and keys…a major threat” for the enterprise, he said, “It's clear, however, that bad guys know how to use them against us.”