OPINION

Room at the VPN?

Vijay Verghese, Editor, Smart Travel Asia Cybercriminals are prowling the skies 30,000ft aloft prying into your WiFi on the sly. How to get yourself a cyber chastity belt.

by Vijay Verghese/ Editor

JUMP TO Current column

Adam and Eve learned the hard way - a Man in the Middle attack with in-flight WiFi is always a possibility

Adam and Eve learned the hard way: There's always someone lurking in the middle with bad intentions

SOMETIMES it seems the only private space you can find is 30,000ft aloft, albeit with your neighbour’s elbow jammed into your midriff. Still, it’s far from irate bosses, bossy spouses, interminable test-your-patience teen angst, prying NSA eyes, and snooping Yahoo managers eager to serve up your e-mails to anyone in a uniform. You disengage that foreign elbow, lean back politely after the meal service is over, and whip out your iPhone7. Time for some private ‘me’ time and a quick hook-up to onboard WiFi, which is now ubiquitous from Virgin to Vietnam Airlines.

And that’s when it all starts to unravel. You could have experimented with frying eggs on your Samsung Galaxy Note 7, but you did the honourable thing and left it at home, under your mother-in-law’s pillow, so…

Back to WiFi. It may be grindingly slow in US skies where Gogo Inflight scans for and hops from signal tower to signal tower (the newer ‘2Ku’ satellite system on some aircraft promises faster speeds) or relatively snappy in Asian skies where satellite connections are already the norm, but it is far from private.

It is egregiously unsecure, and easy to hack. By almost anyone.

Send us your Feedback / Letter to the Editor

So just because you’re flying on blue-chip United, Delta, British Airways, Lufthansa, Emirates, SIA, or Cathay Pacific, does not mean the information on your laptop or mobile phone is safe, especially when you start transmitting and receiving private data.

{A MiTM (man in the middle) attack is when someone sets up shop between you and your browsing site to capture and sift through your data transmissions...

The security minded should know that inflight WiFi is notorious for the loopholes offered to would-be hackers, apart from the obvious drawback of laptop screens that are in plain view of any passenger en route to the toilet or seated across the aisle.

In early 2015 talk was rife of ‘fake SSL’ Google certificates being served by Gogo – apparently to curb heavy bandwidth hoggers like YouTube. SSL (secure socket layer) is a method of encryption. This, perhaps inadvertently, created a scenario that could be construed as an MiTM (man in the middle) attack where someone sets up shop between you and your browsing site to capture and sift through all your data transmissions. Of course this was not Gogo’s intention and it later decided to employ other techniques to manage bandwidth issues.

Man in the Middle attacks are common on the ground at coffee shops and public hotspots where someone can flip open his laptop, find the WiFi signal, and then proceed to spoof the provider, setting himself up as the legitimate connection. Once anyone logs onto this unsecure connection the man in the middle checks and scans all the data passing through, or simply ‘sniffs’ the data and stores it to go through later. You could suffer an injection of malware and have your laptop turn into a Walking Dead zombie that may be summoned at any time by its new master to launch a DDoS (distributed denial of service) attack on some unsuspecting site that gets brought down when a tsunami of computers attempt to access it at the same time. Everyday Internet-enabled 'intelligent' household items like webcams, baby monitors, garage doors and refrigerators can also be enslaved by malicious code as the late October 2016 attack on Twitter, Spotify and Reddit demonstrated. Aloft, you can be compromised in an instant.

But surely this is impossible inflight where security precautions prevent carrying on even a humble nail clipper? Not at all. It’s as easy in the skies as it is on the ground. Perhaps easier. Inflight WiFi systems may inject java script code into your laptop or mobile device to make the operation smoother. This creates a vulnerability.

It’s a problem for air travellers as well as airlines as these vulnerabilities can be exploited to get into aircraft systems (to control the engines, say) as has been demonstrated by experts.

{A more aggressive and foolproof solution is to use a VPN (virtual private network) that sends all your stuff through a safe encrypted tunnel...

Novices can use simple hacking tools like WiFi Pineapple that is available for purchase. The device is small and easy to carry around. WiFi Pineapple refers to its business as “WiFi auditing”. Its ultra-portable Nano device can “command the WiFi landscape” and even “acquire clients with a comprehensive suite of WiFi man-in-the-middle tools specializing in targeted asset collection.” It’s quite clearly spelled out. The Nano retails at just US$99.99. Forget Vladimir and the Russians. Examine your neighbours and John Smith.

Fortunately it is possible to shield yourself from in-flight hacks and malicious attacks. Common sense solutions include not visiting sensitive sites (like your offshore bank account in the Bahamas), not using your credit card for online payments aloft, and ensuring your firewall is solid.

A more aggressive and foolproof solution is to use a VPN (virtual private network) that sends all your communications through a safe encrypted tunnel. It also disguises your identity. One popular and free but slowish VPN is TOR, a freethinker’s refuge that bounces your communication through a network of computers (run by volunteers around the world) to ensure your location and rants remain utterly anonymous.

Other free VPNs like Hotspot Shield and CyberGhost will do an adequate job, while paid services like PureVPN and HIDEmyASS that charge around US$6-$8 per month for a year, claim to have a mass of servers around the world at the ready to mask your moves. HIDEmyASS has over 57,000 servers in North America, 46,000 in Europe, and over 10,000 in Asia. That’s a lot of locations and identities to pick from.

NordVPN uses the TOR network and claims to be “safer than if you were actually at the bank.” It offers a “revolutionary 2048-bit SSL encryption even a supercomputer can’t crack.” This double data encryption VPN service charges US$5.75 per month for an annual subscription. And it does not log your activity on the Web. This last feature – as well as a kill switch that shuts down your connection if the VPN is interrupted – ensures privacy and passwords are fully protected. Some VPNs do log browsing details so check.

Armed thus, not only are you safe from prying eyes aloft but you can access VoIP call services and social media in countries that enjoy censoring stuff. That just leaves Yahoo and its fawning preoccupation with uniforms.

Send us your Feedback / Letter to the Editor

▲ top

Previous Columns

2016

How big can be beautiful Why it's brand on the run Premeditation and physics Samsonite in a snit Bogged down by blogs Right brain has the right stuff Who's the fairest of them all?How have you been lately?Got a Black Magic Woman The rebranding of Asia

2015

Smoke gets in your eyes The devil beaters of Hong Kong The lure of Instafame Yes, still number one Still tripping up online Better late than never Can you read bar codes?Domo arigato misuta roboto Fast and furious - 2 Terminal Man – the true story How bad ads kill good ones A matter of time

2014

Are you kidding me?Time to face the facts The decline of recline Art of hitchhiking Shot out of the sky Lies and statistics Bottoms up for gold Shanghai surprise Now, fake festivals Why ghetto is good Frequently flummoxed flyers Laughing to the exits

2013

A matter of pride Speak and it shall be understood Let's go phishing Asia's best travel brands Bad scrambled eggs How to pick a happy flight The Wild Waist aloft Clicks come a clattering Brand on the run The unfair fares affair Safe on cloud nine?Man-eaters of Mumbai

2012

The fine art of goodbye Stay fit or fake it More than words Why hotels and pigs can’t fly To B or not to B737 Are you being hacked?Snap-happy hounds beware Delhi daze in springtime Let's celebrate with Kitty Hide your prying eyes Pilot project for beginners Green flights of fancy?

2011

The art of arriving late When life drives you potty Airports, awards, and alarm A fright for sore eyes Dry skin wet eyes Back to the Tunnel of Love Why fearless flyers won't flee fees More wind in the hair Travel tremors after Japan The case of the intact bags End of the OTA-man empire?A picture says a thousand words

2010

Only Engrish spoken here Voices in the sky A tale of three airports What's in a brand A big bite of a bad Apple Now haste to the hustings Just 400 homicides and all's well No sex please, we're British Some minor details aloft Highway to the heavens You look radiant darling Good info a needle in a haystack

2009

Please watch that safety drill A classic cycle folderol Utterly eggcentric behaviour The price is right Flashing in public is a crime [Offset] my kingdom for a horse Your cash or I'll sneeze The greening of the world Do broccoli need passports?Could I see your profile?Great Scott! Empty seats Travel in an age of terror

2008

There is no free lunch Another Night in Bangkok Beatings on the beach Travelling with Teenage Kids Whither Wi-Fi at 30,000ft?Are you locked in the toilet?Charge of the Flight Brigade Across the Universe Baby it's cold outside Why I'm dying to travel A key question Gorillas in the mist

2007

Confounding customs When blackmail works By taxi through Asia A really cheap date Make a meal of it Tales of two teeth Putting curbs on carbs Dial R for rip-off The New Math aloft Why boutique is best Are you terminally mad?Heavy question, ladies

2006

The secret of good sleep Just bring Pluto back A fluid situation aloft Why Friday's the best Nothing but the truth Gone in 60 seconds Just use your imagination Free flights for all Is your travel in vein?Pet peeves and solutions Viral travellers welcome Yes it's safe to step out

2005

A passage to India It is a "brand" new Asia The show must go on Criminally good holidays The accidental tourist It's a free ride Sleep tips for the road I'll follow the sun A good pillow fight A bridge too far?World's safest spots The need for speed

2004

Small is beautiful, sometimes Bumming around Asia Samsonite and Delilah Just one good book Space, the final frontier Extreme Travel for Real Men Just grin and bare it Unfazed by phrase Honey, I Shrunk My Brain Miss World to the Rescue When things go bump To catch a croc, in Hongkong

2003

A thrilla in Manila The Steamy truth about Spas Are Travel Agents Dinosaurs?The Hub of the Matter Win a second wife - free!Forget inflight TV, try DVT Adventures of the Green Man Hongkong's Masked Ball Travels in War and Peace Advice on travel advisories Pound of flesh

NOTE: Telephone and fax numbers, e-mails, website addresses, rates and other details may change or get dated. Please check with your dealer/agent/service-provider or directly with the parties concerned. SmartTravel Asia accepts no responsibility for any inadvertent inaccuracies in this article. Links to websites are provided for the viewer's convenience. SmartTravel Asia accepts no responsibility for content on linked websites or any viruses or malicious programs that may reside therein. Linked website content is neither vetted nor endorsed by SmartTravelAsia. Please read our Terms & Conditions.