Go to Homepage


Room at the VPN?

Vijay Verghese, Editor, Smart Travel AsiaCybercriminals are prowling the skies 30,000ft aloft prying into your WiFi on the sly. How to get yourself a cyber chastity belt.


Visit our Fackbook pagePrintE-mail Page

by Vijay Verghese/ Editor

JUMP TO Current column

Adam and Eve learned the hard way - a Man in the Middle attack with in-flight WiFi is always a possibility

Adam and Eve learned the hard way: There's always someone lurking in the middle with bad intentions

SOMETIMES it seems the only private space you can find is 30,000ft aloft, albeit with your neighbour’s elbow jammed into your midriff. Still, it’s far from irate bosses, bossy spouses, interminable test-your-patience teen angst, prying NSA eyes, and snooping Yahoo managers eager to serve up your e-mails to anyone in a uniform. You disengage that foreign elbow, lean back politely after the meal service is over, and whip out your iPhone7. Time for some private ‘me’ time and a quick hook-up to onboard WiFi, which is now ubiquitous from Virgin to Vietnam Airlines.

And that’s when it all starts to unravel. You could have experimented with frying eggs on your Samsung Galaxy Note 7, but you did the honourable thing and left it at home, under your mother-in-law’s pillow, so…

Back to WiFi. It may be grindingly slow in US skies where Gogo Inflight scans for and hops from signal tower to signal tower (the newer ‘2Ku’ satellite system on some aircraft promises faster speeds) or relatively snappy in Asian skies where satellite connections are already the norm, but it is far from private.

It is egregiously unsecure, and easy to hack. By almost anyone.

Send us your Feedback / Letter to the Editor

So just because you’re flying on blue-chip United, Delta, British Airways, Lufthansa, Emirates, SIA, or Cathay Pacific, does not mean the information on your laptop or mobile phone is safe, especially when you start transmitting and receiving private data.

{A MiTM (man in the middle) attack is when someone sets up shop between you and your browsing site to capture and sift through your data transmissions...

The security minded should know that inflight WiFi is notorious for the loopholes offered to would-be hackers, apart from the obvious drawback of laptop screens that are in plain view of any passenger en route to the toilet or seated across the aisle.

In early 2015 talk was rife of ‘fake SSL’ Google certificates being served by Gogo – apparently to curb heavy bandwidth hoggers like YouTube. SSL (secure socket layer) is a method of encryption. This, perhaps inadvertently, created a scenario that could be construed as an MiTM (man in the middle) attack where someone sets up shop between you and your browsing site to capture and sift through all your data transmissions.  Of course this was not Gogo’s intention and it later decided to employ other techniques to manage bandwidth issues.

Man in the Middle attacks are common on the ground at coffee shops and public hotspots where someone can flip open his laptop, find the WiFi signal, and then proceed to spoof the provider, setting himself up as the legitimate connection. Once anyone logs onto this unsecure connection the man in the middle checks and scans all the data passing through, or simply ‘sniffs’ the data and stores it to go through later. You could suffer an injection of malware and have your laptop turn into a Walking Dead zombie that may be summoned at any time by its new master to launch a DDoS (distributed denial of service) attack on some unsuspecting site that gets brought down when a tsunami of computers attempt to access it at the same time. Everyday Internet-enabled 'intelligent' household items like webcams, baby monitors, garage doors and refrigerators can also be enslaved by malicious code as the late October 2016 attack on Twitter, Spotify and Reddit demonstrated. Aloft, you can be compromised in an instant.

But surely this is impossible inflight where security precautions prevent carrying on even a humble nail clipper? Not at all. It’s as easy in the skies as it is on the ground. Perhaps easier. Inflight WiFi systems may inject java script code into your laptop or mobile device to make the operation smoother. This creates a vulnerability.

It’s a problem for air travellers as well as airlines as these vulnerabilities can be exploited to get into aircraft systems (to control the engines, say) as has been demonstrated by experts.

{A more aggressive and foolproof solution is to use a VPN (virtual private network) that sends all your stuff through a safe encrypted tunnel...

Novices can use simple hacking tools like WiFi Pineapple that is available for purchase. The device is small and easy to carry around. WiFi Pineapple refers to its business as “WiFi auditing”. Its ultra-portable Nano device can “command the WiFi landscape” and even “acquire clients with a comprehensive suite of WiFi man-in-the-middle tools specializing in targeted asset collection.” It’s quite clearly spelled out. The Nano retails at just US$99.99. Forget Vladimir and the Russians. Examine your neighbours and John Smith.

Fortunately it is possible to shield yourself from in-flight hacks and malicious attacks. Common sense solutions include not visiting sensitive sites (like your offshore bank account in the Bahamas), not using your credit card for online payments aloft, and ensuring your firewall is solid.

A more aggressive and foolproof solution is to use a VPN (virtual private network) that sends all your communications through a safe encrypted tunnel. It also disguises your identity. One popular and free but slowish VPN is TOR, a freethinker’s refuge that bounces your communication through a network of computers (run by volunteers around the world) to ensure your location and rants remain utterly anonymous.

Other free VPNs like Hotspot Shield and CyberGhost will do an adequate job, while paid services like PureVPN and HIDEmyASS that charge around US$6-$8 per month for a year, claim to have a mass of servers around the world at the ready to mask your moves. HIDEmyASS has over 57,000 servers in North America, 46,000 in Europe, and over 10,000 in Asia. That’s a lot of locations and identities to pick from.

NordVPN uses the TOR network and claims to be “safer than if you were actually at the bank.” It offers a “revolutionary 2048-bit SSL encryption even a supercomputer can’t crack.” This double data encryption VPN service charges US$5.75 per month for an annual subscription. And it does not log your activity on the Web. This last feature – as well as a kill switch that shuts down your connection if the VPN is interrupted – ensures privacy and passwords are fully protected. Some VPNs do log browsing details so check.

Armed thus, not only are you safe from prying eyes aloft but you can access VoIP call services and social media in countries that enjoy censoring stuff. That just leaves Yahoo and its fawning preoccupation with uniforms.

Send us your Feedback / Letter to the Editor

▲ top

Previous Columns















NOTE: Telephone and fax numbers, e-mails, website addresses, rates and other details may change or get dated. Please check with your dealer/agent/service-provider or directly with the parties concerned. SmartTravel Asia accepts no responsibility for any inadvertent inaccuracies in this article. Links to websites are provided for the viewer's convenience. SmartTravel Asia accepts no responsibility for content on linked websites or any viruses or malicious programs that may reside therein. Linked website content is neither vetted nor endorsed by SmartTravelAsia. Please read our Terms & Conditions.