[Full-disclosure] [NETRAGARD SECURITY ADVISORY] [AirCell GoGo Inflight Internet -- No Encryption ][NETRAGARD-2009042]

********************** Netragard, L.L.C Advisory* **********************
Penetration Testing - Vulnerability Assessments - Web Application Security

SNOsoft Research Team
http://www.netragard.com -- "The Specialist in Anti-Hacking"

If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20090427
Product Name : GoGo Inflight Internet
Product Version : Unknown
Vendor Name : Aircell LLC.
Type of Vulnerability : No link layer security option
Impact : Varies
Vendor Notified : 20090427

[Product Description]
"As a service of Aircell LLC, Gogo provides all passengers access to the
Internet, email, text messaging and corporate VPNs from the comfort of
their seats while airborne. Aircell has been authorized by the FAA and
FCC to use cellular frequencies for inflight broadband communications,
leading a Wi-Fi revolution 35,000 feet above the ground. Think of it as
a mobile hotspot, equipped with twin turbines and 50,000 lbs of thrust.

Partnering with a variety of carriers, Gogo provides coast-to-coast,
border-to-border connectivity for all passengers. Launching with American
Airlines in 2008, Gogo will continue to expand, giving everyone the
ability to stay in touch, in flight®."

Taken From:

[Technical Summary]
The GoGo Inflight Internet service does not encrypt wireless connections
between GoGo Inflight Internet users ("Users") and the GoGo Inflight
Internet Wireless Access Points ("WAP"). As a result any Users connection
can be intercepted by another user and the data that they transmit can be
stolen or their respective connections can be hijacked.

[Impact varies from installation to installation]

- Theft of customer data
- Access to business networks
- Infection of Users computer systems
- Theft of personal information
- Theft of Social Security Numbers
- Theft of Credit Card numbers
- Manipulation of in-transit data
- etc.

[Proof Of Concept]
Connect to GoGo Inflight Internet on your next flight and you will see that
the connection between your device and the WAP is not encrypted. Connecting
does not require paying for the service, it only requires establishing a
connection to the WAP.

Important Notes:
Because this vulnerability exists at the link layer it is possible for an
attacker to defeat or subvert a users SSL based connection. This subversion
would enable the attacker to capture credit card information or any other
information submitted over the web.

It may also be possible to subvert, defeat or hijack VPN connections as
the attacker can interfere with the entire connection process.

[Vendor Status and Chronology]

Current Vendor Status: Unable to establish communications with vendor.

09/04/2009 07:11:57 PM EST - Vulnerability Discovered
09/27/2009 14:15:53 PM EST - Vendor Notified
04/28/2009 09:18:17 AM EST - Requested vendor feedback via email
04/28/2009 09:19:17 AM EST - Email Read Receipt Received
04/30/2009 11:40:25 AM EST - No response from vendor
04/30/2009 11:41:25 AM EST - Requested vendor feedback via email
04/30/2009 11:46:58 AM EST - Email Read Receipt Received
05/04/2009 09:00:00 AM EST - Began advisory release process
No vendor response.

Implement WPA2 at the link layer.

--------------------------------http:// www.netragard.com---------------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] TCP/IP Stack Vulnerability
    ... Compiles and runs ok on *BSD and Linux. ... No sign of DoS on either side of the connection. ... No wonder people you sent the advisory to didn't bother to respond ...
  • [NEWS] Wonderware SuiteLink Denial of Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... Vendor Information, Solutions and Workarounds ... Core sends the advisory draft to Wonderware support team. ...
  • [NEWS] Vulnerability Issues in Implementations of the H.323 Protocol (Generic)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... discovered a number of implementation specific vulnerabilities in the ... The severity of these vulnerabilities varies by vendor. ...
  • Re: Malicious use of grc.com
    ... addressed or referenced in the advisory. ... So notifying the vendor in order to get a needed patch ... to monitor all "public settings". ... GeoCities - quick and easy web site hosting, ...
  • [NT] w3wp DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... 1/12/2006 - Vendor requested for additional info ... recv(conn_socket, szBuffer, 256, 0); ...