Airplanes, once a refuge from the Internet, are now home to the riskiest Wi-Fi networks you can find. For cybercriminals, Wi-Fi guzzling passengers are like fish in a barrel. Sure, public networks at Starbucks, airports, and elsewhere aren’t particular secure either, but airplanes are unique because they potentially cram hundreds of Internet users into a small space for hours. Cybercriminals have the time to try out everything on unsuspecting victims.
Airline passengers seem painfully unaware of the risks in this hacker’s paradise. Routehappy, a service that ranks flight amenities, reported in January that passengers on U.S. airlines now have a 2/3 chance of getting in-flight Wi-Fi on all the miles they fly. According to the report, the prevalence of domestic in-flight Wi-Fi has grown 1,600-fold since July 2013, and the expansion is of course driven by demand from passengers. Honeywell’s 2014 In-Flight Connectivity Report found that 85 percent of passengers had accessed Wi-Fi on domestic flights, and in-flight Wi-Fi influences flight selection for 66 percent of flyers.
So as travelers sate their appetite for Internet, criminals cash in on their vulnerability. If you pay bills, write work emails, or shop online, a hacker with only modest skills has a chance of getting your data.
Victims make the first mistake when they initially connect to the Wi-Fi network. Windows machines ask if the network is a Home, Work, or Public connection. Users who choose Home are telling their computer that it can share files with everyone else using the Wi-Fi network. That is low hanging fruit for cybercriminals.
Even if you choose Public, hackers have a lot of other attack options. Commercially available hacking devices, like the WiFi Pineapple, are particularly dangerous on flights. The Pineapple pretends to be a home Wi-Fi gateway as it connects unsuspecting users to airline Wi-Fi. This allows the Pineapple hacker to snoop on browsing activity and access files on the computer. The Pineapple could operate in overhead storage, unbeknownst to passengers.
From a technical standpoint, in-flight Wi-Fi connections are not better or worse than public networks on the ground. Airlines shouldn’t necessarily be held to a higher standard. Yes, they could monitor Wi-Fi traffic and detect malicious behavior with products like Silver Tail or FireEye, but it would make in-flight Wi-Fi prohibitively expensive. We pay enough for tickets, baggage, and Wi-Fi as it is.
That said, airlines and passengers can both take steps to minimize the risks of cybercrime at 30,000 feet.
First, airlines need to configure in-flight routers to block peer-to-peer (P2P) traffic – and then change the darned password. When Wi-Fi routers permit traffic between passengers, they create a pathway for attacks even without devices like Pineapple. Often, when routers are set up, the technician turns off P2P traffic yet doesn’t bother to change the manufacturer’s default password. This makes it easy for a hacker to crack the router and reactivate P2P traffic.
Second, my advice to business travelers: If you plan to look at any work data during a flight (email, files, anything), use a VPN connection and file-based encryption. Properly configured VPN networks will funnel all traffic to a proxy server inside your company’s network, where you are much safer.
Now, a lot readers might think, “Oh, well of course the company encrypts our computers.” What you probably have is “full disc” encryption. This only protects data in cases where the laptop is lost or stolen, and it is turned off. It won’t encrypt anything when you’re using in-flight Wi-Fi.
In contrast, “file-based” encryption individually hardens each file before it leaves your computer or device. Thus, if someone did intercept the data, they’d still have to contend with the encryption, which is enough to stymie all but the most elite hackers.
For a leisure traveler hoping to read a blog post or watch YouTube clips on a flight, a personal VPN is probably overkill. Make sure you have a comprehensive and up-to-date malware protection program. Select Public when you designate the Wi-Fi network. Don’t pay any bills or access any sensitive data, and avoid entering any passwords.
Every public Wi-Fi network comes with risks, but in-flight Wi-Fi gives hackers time to try out multiple attacks. If you need to work at 30,000 feet above sea level, take measures to protect yourself and your company.
Dave Bennett is chief technology officer at IONU Security.