Monday, August 03, 2009

@30k feet

I'm logged on to the Internet (for $10) on Delta using "gogo internet", a WiFi service on the plane. So, I pulled out my WiFi tools to see what was going on.

Here is my speedtest. It claims I should be getting 1.7 Mbps down with 128 ms latency, but subjectively it feels slower. As I'm browsing, it can suddenly stop and take many seconds for a website to appear. I bet that it's because the wireless connection to the ground isn't continuous, but keeps coming and going.

The network is 802.11abg (2.4-GHz and 5-GHz). Unfortunately, my tools only run on 'bg' adapters, but NetStumbler uses the 'a' adapter built into the laptop to show all the possible access points, as shown in the picture below:

There appear to be three access points at three locations in the plane (on three channels: 1, 6, and 11). I can tell they are at three spots because their signal strengths are different. I'm guessing they are in the front, middle, and back of the plane. These are Cisco access points that create multiple virtual access points for each physical access point. Of these virtual access points, one is open with a visible SSID of "gogointernet"; the others are WEP and WPA encrypted and invisible. I have no idea why they are there. Notice also that we see the obligatory laptop with the peer-to-peer network "Free Internet WiFi" somewhere on the plane.

When I look at channel 1, I see BlackBerries and iPhones connected. I see these throughout the airport (along with Nintendo DSs and PSPs). I think these devices are automatically connecting to whichever access point they can without their owner's knowledge. I walked down the plane and didn't see anybody with their phone out, so I'm guessing their phone is in their pocket/bag (and not turned off like they were asked).

If we look at the raw beacon packet, we can see that these devices are typical Cisco access points:

From a security point of view, there is nothing too interesting here. Like the inflight entertainment systems, the gogo WiFi service isn't interconnected with anything else in the plane, so there is no danger to the plane from this system being hacked. Ultimately, it's the same threat as any other WiFi hotspot (i.e. your cookies/passwords can be stolen if you don't encrypt everything).
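
The survey described above (an open "gogointernet" network plus hidden WEP and WPA virtual access points on the same radios) can be reproduced from raw beacons; this is an added example, not code or data from the original post. The sample frames and BSSIDs are constructed, and both the `group_radios` heuristic and the use of the 00:40:96 Aironet OUI as a Cisco marker are assumptions for illustration.

```python
import struct
from collections import defaultdict
CISCO_OUI = bytes.fromhex("004096")  # Cisco Aironet OUI in vendor-specific IEs
MS_WPA = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 marks a WPA IE

def parse_beacon(frame):
    """Summarise one 802.11 beacon (no radiotap); a hidden SSID becomes None."""
    fc, = struct.unpack_from("<H", frame, 0)
    if fc & 0x00FC != 0x0080:        # management frame, subtype 8 = beacon
        raise ValueError("not a beacon")
    cap, = struct.unpack_from("<H", frame, 34)   # capability field
    ies, off = [], 36                # tagged parameters follow the fixed fields
    while off + 2 <= len(frame):
        tag, length = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + length]
        if len(body) < length:       # truncated element: stop parsing
            break
        ies.append((tag, body))
        off += 2 + length
    ssid = next((b for t, b in ies if t == 0), b"")
    vendor = [b for t, b in ies if t == 221]
    rsn = any(t == 48 for t, _ in ies)              # RSN element means WPA2
    wpa = any(b.startswith(MS_WPA) for b in vendor)
    enc = "WPA2" if rsn else "WPA" if wpa else "WEP" if cap & 0x10 else "open"
    return {"bssid": frame[16:22].hex(":"), "enc": enc,
            "ssid": ssid.decode("utf-8", "replace") if any(ssid) else None,
            "channel": next((b[0] for t, b in ies if t == 3 and b), None),
            "cisco_ie": any(b.startswith(CISCO_OUI) for b in vendor)}

def group_radios(beacons):
    """Assumed heuristic: one radio = same channel, BSSIDs differing in last digit."""
    radios = defaultdict(list)
    for b in beacons:
        radios[(b["channel"], b["bssid"][:-1])].append(b)
    return dict(radios)

def make_beacon(bssid, ssid, channel, cap, extra=b""):
    """Build a constructed sample beacon (not a capture from the flight)."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid * 2 + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel]) + extra

CISCO_IE = bytes([221, 4]) + CISCO_OUI + b"\x00"
WPA_IE = bytes([221, 6]) + MS_WPA + b"\x01\x00"
SAMPLES = [make_beacon(bytes.fromhex(m), s, ch, cap, ie) for m, s, ch, cap, ie in [
    ("0200000000a0", b"gogointernet", 1, 0x0001, CISCO_IE),   # open, visible
    ("0200000000a1", b"", 1, 0x0011, CISCO_IE),               # hidden, WEP
    ("0200000000a2", b"\x00" * 8, 1, 0x0011, WPA_IE),         # hidden, WPA
    ("0200000000b0", b"gogointernet", 6, 0x0001, CISCO_IE)]]  # second radio
```

Running `group_radios` over the parsed samples yields one group per physical radio, with the open and hidden virtual access points listed together.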


Adam said...

The reason you lose connection is because it is ground based and has to switch between towers. There was a decent write-up a while back about these. I think it was on RWW. The interesting thing I found was that some voice apps (Skype and the like) were blocked but I was able to call out via my softphone to an Internet-accessible PBX. So, it appears they try to filter some content but not all.

I said...

What is Squirrel? Where can I get more info about it?

Anonymous said...

You should check out Luiz "effffn" Eduardo's talks from recent DEFCON 17 and ToorCon X.

ibneko said...

I actually did a scan while I was on a Virgin America flight that had wifi. They too had a few hidden access points, with WEP (or WPA - I don't recall) turned on. Didn't really bother digging deeper though.

I suspect the secured hidden access points might be for handheld credit card / purchase devices for when the flight attendant makes their rounds.

Robert said...

Hey, where can I get a copy of that Squirrel wifi software in the image that you posted? I googled it but didn't find any good links.



Anonymous said...

Hello Robert,

In a few planes from United it seems the same, that they have several APs on them. I have no clue why and I assume that they are only for tests and not regular because they do not announce them.

In the screenshots you show a nice plugin for Firefox (Squirrel WiFi Monitor 1.0).
Did you write it yourself, or is it possible to get it somewhere?
I cannot find it.


le said...

that's pretty much it... :-)

apparently the other ssids are gonna be used for "not-hotspot use".

I will soon post my final slides from Sunday's talk

le said...

Video from DefCon is up