The researcher rubs me the wrong way for a few reasons:
1. 15 days for a major company is not nearly enough to remedy this issue.
2. The activity log reads like a ransom timeline. This isn't some l33t hacker exploit; it's a simple session hijack and MAC spoof. You're not owed anything for finding this.
Anyone that tries this should tread carefully. If you get caught (chances are slim), it wouldn't be hard to convince a jury that you're hacking an airborne plane's network.
<fun hearted bit of sarcasm>
Did you know a bathroom lock is woefully insecure!?! Time to hold the government ransom about this exploit and collect my millions. If they don't pay, I'll post it on the internet.
</sarcasm>
arp -a gives you a list of other connected devices on the network with their IP and MAC addresses. For a paid-for hotspot this usually means devices that have paid for access and are active.
The ifconfig command changes your MAC address to one of those found above; the AP thinks you're one of the earlier connected devices and gives you access to the internet.
I was recently disappointed by the huge price hike of Gogo in-flight. It's been $10 for a flight for quite some time now, which I'd felt was perfectly fair considering the quality. On my recent flight to NYC for work and play it was $10 per hour, which essentially amounts to a 5x increase. I grabbed it for 2 hours and it was just as bad as always. Fine for email and Facebook but not ideal for pushing a significant commit on a large git repo.
On the way home I just didn't bother since I'd spent my whole air-fi budget at the beginning of the trip.
Just seemed like an enormous and unfair price hike for a product that hasn't improved whatsoever.
Interesting. My memory is a bit hazy, but I assume their all-day pass either wasn't available, easy to find, or that price. I only say that because I've purchased an all-day pass for a multi-leg flight in the past, so there must have been good reason for me not to use it this time. Or it could be as simple as grogginess from catching a 7am flight.
FWIW, they've changed the menu - there's still a "Flight Pass" that's within a dollar or two of what it's always been, but you have to do some more hunting to find it. It's annoying, because every flight now I spend a few minutes paranoid that they removed the option that I'm looking for.
> I was recently disappointed by the huge price hike of gogo in flight
Agreed. If I recall correctly, the all-day pass was close to $30 when purchased while on the plane. By going to their website ahead of time (i.e. while not using gogo's network), their all-day pass is $14.
On a recent flight, I noticed they were asking $10/hr on my laptop but $6/hr on my phone, but they allow you to switch devices (as long as you only use one at a time) so I just bought it on the phone and used it on the laptop (you could also change your headers instead but I think that's technically "hacking"). It was also 3 hours for the price of 2, so it worked out as $12 for 3 hours which seemed almost reasonable.
This looks like it dups a paying customer's IP and MAC addresses. Does that work if both devices are running at the same time? I was under the impression TCP didn't like that.
Agreed, you're basically someone else's session who did the right thing and paid up. I fail to understand why anyone with a decent moral compass would want to do this.
This will be exploited by people without a moral compass. What are you trying to get at? The author isn't suggesting this as a life hack for free internet, he's just showing that it can be done.
"The author isn't suggesting this as a life hack for free internet"
The HN title is (I can't see the actual article as the machine is hosed):
"How to get Gogo in-flight wireless internet for free"
and the URL is
gogo-in-flight-wireless-internet-free
Both of which, I would suggest, propose an article about "How to get internet for free", specifically "How to get Gogo in-flight wireless internet for free".
Yes, you're missing something. The article is a disclosure of a security vulnerability that has already been reported to the company responsible, including notice that it would be published and a request for confirmation that it has been fixed. (Edit: but your response is reasonable - I can see how the article title is misleading.)
I think it would still work. I think you'll end up both getting all of the network packets, in which case the higher-level protocols will ignore the ones meant for the other device. TCP and UDP both have source ports as well as destination ports, but the source ports are usually picked arbitrarily, so the different devices will have connections on different ports and will discard any packets bound for ports they don't have open. And TCP also has sequence numbers (which should be chosen randomly), so even if you ended up on the same port for a TCP connection, your packets are very likely to have different enough seqnos that you ignore each other's packets.
For anyone who has not played with Dsploit (the network exploitation and analysis tool mentioned in the article), it is fantastic. I followed it in its early days on XDA, where the developer relentlessly answered all user questions, patched bugs, took in many feature requests, and genuinely kicked ass.
I respect that dev a lot. I hope other people show him some love.
All the counter-measures I can think of seriously degrade the experience. I can think of approaches that work for HTTP, for example, but I can't see how you would allow e.g. SSH while preventing MAC spoofing.
Not pretty, at least. I'd look towards the TCP fingerprinting techniques that FreeBSD has in its packet filter/firewall.
With that, you could make a rudimentary decision about how many machines are on the network, regardless of whether some are bad actors.
However, we will still get this problem regardless of how much security we do over wifi, as wireless is inherently an insecure protocol. Ideally, we could make decent security with IPsec, but that would be so cumbersome, as well as in opposition to "Pay us money for easy access to internet." A few non-payers aren't that big of a deal, considering the profit margins I would assume they make.
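An added example, not from this thread or from any commenter, of the rough TCP-fingerprint check the comment above describes, from the hotspot operator's side: constructed SYN records are grouped by MAC, and a MAC that shows two different TCP stacks interleaved in time is flagged as probably shared. The fingerprint fields (TTL, window, MSS) and all sample values are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Syn:
    """One observed TCP SYN from a station, as a passive sensor might log it."""
    mac: str
    ip: str
    ttl: int      # initial IP TTL
    window: int   # TCP window size
    mss: int      # TCP MSS option
    ts: float     # capture time in seconds

# Constructed sample data (not a real capture). MAC ...:03 is used by two
# different stacks within seconds of each other, i.e. a likely spoofed MAC.
SAMPLE_SYNS = [
    Syn("02:00:00:00:00:01", "10.0.0.11", 64, 65535, 1460, 0.0),
    Syn("02:00:00:00:00:01", "10.0.0.11", 64, 65535, 1460, 5.0),
    Syn("02:00:00:00:00:02", "10.0.0.12", 128, 8192, 1460, 1.0),
    Syn("02:00:00:00:00:02", "10.0.0.12", 128, 8192, 1460, 9.0),
    Syn("02:00:00:00:00:03", "10.0.0.13", 64, 29200, 1460, 2.0),
    Syn("02:00:00:00:00:03", "10.0.0.13", 128, 8192, 1460, 3.5),
    Syn("02:00:00:00:00:03", "10.0.0.13", 64, 29200, 1460, 4.0),
]

def fingerprint(s):
    """Coarse stack fingerprint, in the spirit of pf's passive OS fingerprinting."""
    return (s.ttl, s.window, s.mss)

def stacks_per_mac(syns):
    """Map each MAC to the set of distinct stack fingerprints seen behind it."""
    seen = defaultdict(set)
    for s in syns:
        seen[s.mac].add(fingerprint(s))
    return dict(seen)

def estimated_hosts(syns):
    """Rudimentary host count: one per distinct (MAC, fingerprint) pair."""
    return sum(len(fps) for fps in stacks_per_mac(syns).values())

def suspicious_macs(syns, window_s=60.0):
    """MACs whose consecutive SYNs switch fingerprint within window_s seconds.
    A user rebooting into another OS hours later is not flagged; two stacks
    alternating within the window almost certainly are two machines."""
    by_mac = defaultdict(list)
    for s in sorted(syns, key=lambda s: s.ts):
        by_mac[s.mac].append(s)
    flagged = []
    for mac, rows in by_mac.items():
        for a, b in zip(rows, rows[1:]):
            if fingerprint(a) != fingerprint(b) and b.ts - a.ts <= window_s:
                flagged.append(mac)
                break
    return sorted(flagged)
```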
Lots of people have known this for quite a while - nothing new to see here. Here's a blog post by a friend of mine, from 2007 ("Bypass a wifi captive portal"), which includes an example of a script to handle it all: http://www.semicomplete.com/blog/2007/Aug/11
The basic idea is as follows:
1) ping the broadcast/multicast addresses to quickly fill the arp cache
2) change your mac address to that of the detected nodes
3) see if you can access the internet now [repeat step #2-3 until you can]
Although the prices are a bit over the top, I can respect GoGo's customer support. A while back I reported to them how I was able to gain access to Facebook and YouTube almost effortlessly and they gave me two free coupons for unlimited in-flight WiFi as a token of appreciation. I would have informed them directly of this and awaited a response. They appeared to be pretty good at responding to my inquiries.
A full month of notification is plenty. If the vendor acknowledges you and tells you they're working on it and asks you to hold off then that's one thing, but if they basically ignore you for a month then you've done your part. Especially with an exploit like this, you're not opening up access to PII, although it sounds like you are opening the window to possible fraudulent charges.
No, disclosure timelines only make sense if the public is at risk. There is nothing like that here. The outcome is gogo not getting paid. This is just grandstanding a fairly unsophisticated bug in their service. The end result is that gogo will end up with more money.
> disclosure timelines only make sense if the public is at risk
The post says that fraudulent charges can be made without a password or credit card number by using this exploit.
I would bet that you can access account info as well, which means there is some PII leaking. I would consider PII + fraudulent transactions to be a step above gogo losing money.