The researcher rubs me the wrong way for a few reasons:
1. 15 days for a major company is not nearly enough to remedy this issue.
2. The activity log reads like a ransom timeline. This isn't some l33t hacker exploit; it's a simple session hijack and MAC spoof. You're not owed anything for finding this.
Anyone that tries this could tread carefully. If you get caught (chances are slim), it wouldn't be hard to convince a jury that you're hacking an airborne plane's network.
<fun hearted bit of sarcasm>
Did you know a bathroom lock is woefully insecure!?! Time to hold the government ransom about this exploit and collect my millions. If they don't pay, I'll post it on the internet.
</sarcasm>
I was recently disappointed by the huge price hike of gogo in flight. It's been $10 for a flight for quite some time now, which I'd felt was perfectly fair considering the quality. On my recent flight to NYC for work and play, it was $10 per hour, which essentially amounts to a 5x increase. I grabbed it for 2 hours and it was just as bad as always. Fine for email and Facebook but unideal for pushing a significant commit on a large git repo.
On the way home I just didn't bother since I'd spent my whole air-fi budget at the beginning of the trip.
Just seemed like an enormous and unfair price hike for a product that hasn't improved whatsoever.
I was recently disappointed by the huge price hike of gogo in flight
Agreed. If I recall correctly, the all-day pass was close to $30 when purchased while on the plane. By going to their website ahead of time (i.e. while not using gogo's network), their all-day pass is $14.
On a recent flight, I noticed they were asking $10/hr on my laptop but $6/hr on my phone, but they allow you to switch devices (as long as you only use one at a time) so I just bought it on the phone and used it on the laptop (you could also change your headers instead but I think that's technically "hacking"). It was also 3 hours for the price of 2, so it worked out as $12 for 3 hours which seemed almost reasonable.
This looks like it dups a paying customer's IP and MAC addresses. Does that work if both devices are running at the same time? I was under the impression TCP didn't like that.
Agreed, you're basically using someone else's session, someone who did the right thing and paid up. I fail to understand why anyone with a decent moral compass would want to do this.
I think it would still work. I think you'll end up both getting all of the network packets, in which case the higher-level protocols will ignore the ones meant for the other device. TCP and UDP both have source ports as well as destination ports, but the source ports are usually picked arbitrarily, so the different devices will have connections on different ports and will discard any packets bound for ports they don't have open. And TCP also has sequence numbers (which should be chosen randomly), so even if you ended up on the same port for a TCP connection, your packets are very likely to have different enough seqnos that you ignore each other's packets.
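A toy model of the mechanism this comment describes, added here as an illustration and not code from the thread: two simulated TCP receive paths that both see every segment sent to a shared IP, each keeping only segments that match a local port it opened and whose sequence number falls inside its receive window. The ports, sequence numbers and payloads are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    dst_port: int   # destination port of the inbound segment
    seq: int        # sequence number of its first payload byte
    payload: bytes

@dataclass
class Connection:
    rcv_nxt: int           # next sequence number this side expects
    window: int = 65535    # receive window; segments outside it are dropped

@dataclass
class Host:
    name: str
    conns: dict = field(default_factory=dict)      # local port -> Connection
    delivered: list = field(default_factory=list)  # (port, payload) handed up

    def open(self, local_port: int, peer_isn: int) -> None:
        """Model an established connection whose peer starts at peer_isn."""
        self.conns[local_port] = Connection(rcv_nxt=peer_isn)

    def receive(self, seg: Segment) -> str:
        conn = self.conns.get(seg.dst_port)
        if conn is None:
            return "drop: no socket on port %d" % seg.dst_port
        if not conn.rcv_nxt <= seg.seq < conn.rcv_nxt + conn.window:
            return "drop: seq %d outside window" % seg.seq
        conn.rcv_nxt = seg.seq + len(seg.payload)
        self.delivered.append((seg.dst_port, seg.payload))
        return "accept"

def run_scenario():
    """Constructed scenario: host A (the paying client) has a connection on
    local port 51000; host B, answering to the same address, has one on
    43210 and, for the unlikely collision case, another on 51000 whose
    peer uses a very different sequence number space."""
    a, b = Host("A"), Host("B")
    a.open(51000, peer_isn=1000)
    b.open(43210, peer_isn=500000)
    b.open(51000, peer_isn=900000)
    wire = [Segment(51000, 1000, b"for A"),      # A's connection
            Segment(43210, 500000, b"for B"),    # B's connection
            Segment(51000, 900000, b"B, collided port")]
    # Shared addressing means every segment reaches both stacks.
    return {h.name: [h.receive(s) for s in wire] for h in (a, b)}
```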
For anyone who has not played with dSploit (the network exploitation and analysis tool mentioned in the article), it is fantastic. I followed it in its early days on XDA, where the developer relentlessly answered all user questions, patched bugs, took in many feature requests, and genuinely kicked ass.
I respect that dev a lot. I hope other people show him some love.
All the counter-measures I can think of seriously degrade the experience. I can think of approaches that work for HTTP, for example, but I can't see how you would allow e.g. SSH while preventing MAC spoofing.
Not pretty, at least. I'd look towards the TCP fingerprinting techniques that FreeBSD has in its packet filter/firewall.
With that, you could make a rudimentary decision about how many machines are on the network, regardless of whether some are bad actors.
However, we will still get this problem regardless of how much security we do over wifi, as wireless is inherently an insecure protocol. Ideally, we could make decent security with IPsec, but that would be so cumbersome, as well as in opposition to "Pay us money for easy access to internet." A few non-payers aren't that big of a deal, considering the profit margins I would assume they make.
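A sketch of the host-counting idea above, added as an example and not taken from the thread or from FreeBSD's pf: group passive SYN fingerprints (initial TTL, window, option layout, the kind of fields p0f-style tools use) by client MAC/IP pair and flag pairs that show more than one distinct stack. The SYN records are constructed sample data, and the signature format is a simplification.

```python
from collections import defaultdict

# Constructed SYN observations, not real captures: (client MAC, client IP,
# TTL as seen at the gateway, TCP window, MSS, SYN option layout).  The first
# address pair is used by two different stacks, the second by one.
SAMPLE_SYNS = [
    ("aa:bb:cc:00:00:01", "10.0.0.21", 127, 8192, 1460, "mss,nop,ws,nop,nop,sok"),
    ("aa:bb:cc:00:00:01", "10.0.0.21", 127, 8192, 1460, "mss,nop,ws,nop,nop,sok"),
    ("aa:bb:cc:00:00:01", "10.0.0.21", 63, 29200, 1460, "mss,sok,ts,nop,ws"),
    ("aa:bb:cc:00:00:02", "10.0.0.22", 63, 65535, 1460, "mss,nop,ws,nop,nop,ts,sok,eol"),
    ("aa:bb:cc:00:00:02", "10.0.0.22", 63, 65535, 1460, "mss,nop,ws,nop,nop,ts,sok,eol"),
]


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value, so a
    hop or two between client and gateway does not change the signature."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(ttl, window, mss, options):
    """Coarse p0f-style signature: initial TTL, window (as a multiple of MSS
    when it divides evenly, as many stacks set it) and SYN option layout."""
    win = "%d*mss" % (window // mss) if mss and window % mss == 0 else str(window)
    return "%d:%s:%s" % (initial_ttl(ttl), win, options)


def stacks_per_address(records):
    """Map each (MAC, IP) pair to the set of distinct fingerprints seen from it."""
    seen = defaultdict(set)
    for mac, ip, ttl, window, mss, options in records:
        seen[(mac, ip)].add(fingerprint(ttl, window, mss, options))
    return seen


def suspicious_addresses(records):
    """(MAC, IP) pairs whose traffic looks like more than one TCP stack.

    Caveats: two devices running the same OS are indistinguishable this way,
    and one honest client can change its fingerprint (VM, OS upgrade, VPN
    client), so a hit is a signal to investigate or rate-limit, not proof.
    """
    return sorted(pair for pair, sigs in stacks_per_address(records).items()
                  if len(sigs) > 1)
```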
Lots of people have known this for quite a while - nothing new to see here. Here's a blog post by a friend of mine, from 2007 ("Bypass a wifi captive portal"), which includes an example of a script to handle it all: http://www.semicomplete.com/blog/2007/Aug/11
The basic idea is as follows:
1) ping the broadcast/multicast addresses to quickly fill the arp cache
2) change your mac address to that of the detected nodes
3) see if you can access the internet now [repeat step #2-3 until you can]
Although the prices are a bit over the top, I can respect GoGo's customer support. A while back I reported to them how I was able to gain access to Facebook and Youtube almost effortlessly and they gave me two free coupons for unlimited in-flight WiFi as a token of appreciation. I would have informed them directly of this and awaited a response. They appeared to be pretty good at responding to my inquiries.
A full month of notification is plenty. If the vendor acknowledges you and tells you they're working on it and asks you to hold off then that's one thing, but if they basically ignore you for a month then you've done your part. Especially with an exploit like this, you're not opening up access to PII, although it sounds like you are opening the window to possible fraudulent charges.
bangbang | 12 years ago
mdp | 12 years ago
Here's my security disclosure for the day:
You can walk out of most stores without paying for their merchandise if you hide it in your pocket.
Which vendor do I talk to about getting paid for this information?
gonzo | 12 years ago
not saying what the OP did is ethical, but .. wow.
jrnkntl | 12 years ago
NoodleIncident | 12 years ago
enobrev | 12 years ago
arn | 12 years ago
http://www.gogoair.com/gogo/listAllProducts.do
epoxyhockey | 12 years ago
Osmium | 12 years ago
jws | 12 years ago
biondim | 12 years ago
oasisbob | 12 years ago
Layer2 attacks like this aren't clever, and can be very difficult to prevent because of the nature of communication at that layer.
In a corporate/campus/hardline environment, there are plenty of reasonable mitigation strategies. (802.1x &c).
For a shared hotspot, this type of behavior is just anti-social.
jackowayed | 12 years ago
wesbos | 12 years ago
Just change your User Agent (via chrome dev tools) to blackberry. Authenticate and you have free internet!
JaggedJax | 12 years ago
sigil | 12 years ago
The fact that none of my mobile browsers can change the user agent string pisses me off even more.
rohansingh | 12 years ago
616c | 12 years ago
justinsb | 12 years ago
kefka | 12 years ago
gonzo | 12 years ago
802.1x
bobf | 12 years ago
kefka | 12 years ago
I can get past pretty much any "pay me money for internet" lock. Of course, that makes me a bad netizen.
cybernoodles | 12 years ago
KeepTalking | 12 years ago
pilom | 12 years ago
Hacker: "I'm publishing on the 15th."
Vendor: "We'd like to see your post first"
Hacker: "Ok, here you go"
15th comes and goes
Hacker: "Hey any response?"
Hacker: "Ok, it's the 18th... I'm publishing"
Is this how this usually works? Or how it should work?
mason55 | 12 years ago
unknown | 12 years ago
[deleted]
unknown | 12 years ago
[deleted]
anonu | 12 years ago
swalsh | 12 years ago
ryanmcdonough | 12 years ago