Hey guys, thanks for all the comments! I realized that it was not an ethical idea to post, so I decided to take it down. I did not get a cease and desist, but I would appreciate if you could refrain from reposting it.
If you are interested in seeing some of my other (more ethical) work, check out Delphus [1], an open research study management platform which I am working on at my new startup ;)
I'm not sure about this, still. I'd consider it roughly equivalent to posting a POC for an exploit: it could be abused, could be used for academic learning, or could be used to improve systems. It's not inherently bad.
In the USA this would be a violation of the CFAA https://www.law.cornell.edu/uscode/text/18/1030. Specifically, the router is a "protected computer" and the procedure described here is "exceeding authorised access" because it routes packets around a mechanism that was designed to stop them. Maximum penalty 5 years.
(Some might argue that it was authorised because the computer let him do it. However the CFAA simply doesn't work that way. "Authorisation" is what the designers intended, and the initial paywall made that intention perfectly clear.)
Which highlights a fundamental truth to law - it's only enforced to backstop the status quo. Routing around a wifi paywall rocks the boat, performing invasive surveillance on website visitors doesn't.
So practically yes, let's be aware that the author could indeed be persecuted under the CFAA. But let's not grandstand and pretend that following that law is some sort of moral imperative that benefits everyone. The common individual will be the target of the same attacks with or without that law.
Following the law may not be a moral imperative, but let's not pretend like the author did anything moral here. He knowingly and with intent stole services from the airline. It not only was illegal, it's blatantly immoral.
The thing about morals is that we can disagree. Just because this scenario fits your definition of "stole" does not mean it fits mine.
My perspective is that a fundamental aspect of the Internet and the digital world is that the software-codified rules are basically authoritative. While constructive behavior still does matter - eg knowingly turning off a hospital ventilator is still murder - the only gain here was temporarily obtaining some transit. The real remedy is for the provider to fix their systems.
I suspect you're still associating hacking with other actions that can be facilitated by hacking. But the very next thing I wrote was "knowingly turning off a hospital ventilator is still murder", so it only makes sense to answer as if you strongly intend the "per se".
In isolation, why would finding a hole in someone else's ruleset be immoral? If hacking per se were immoral, then there could be no such thing as a "white hat".
> White hat hacking [is] typically specifically authorized (e.g. red teams)
That is merely one kind of white hat hacking. Another kind would be figuring out an exploit for software that you have a local copy of, even against the wishes of its developer. If we agree that this is moral, then general finding of holes itself cannot be immoral.
I don't think you mean to imply that in locksport, you only pick models of locks that the manufacturer has given you the go-ahead to attack. Rather you're referring to ownership of the physical lock itself, which is merely one type of authorization. I would also guess that the reason the community repeats this prominently is to head off legal entanglement.
To the extent that a given ruleset only exists on a specific device that one does not own, then it is indeed hard to find holes in it without also affecting that device itself. However, it is still important to draw the distinction between any effects and the logical hacking itself, lest minor effects end up being persecuted inequitably.
In the context of the original article, there are essentially no damages and a little bit of unjust enrichment. Yet this whole thread has blown up about a spectre of harsh punishment under the CFAA, when equity is closer to the amount of the access fee.
It’s also immoral to force bad pricing down customers' throats. And yet that is the definition of the inflight wifi business.
EDIT: I’m fairly sure at current prices a single flight could pay for a month’s service for a single plane, probably several times over. The profit margins (& I imagine some of the cut to the airline) must be enormous, & there is no pretense of fair terms at sale time because a single corporation can entirely monopolize your attention.
The profit margin for luxury addons is always insane. That doesn't make them unethical. In fact, there's a very good argument to be made that luxury pricing is positively ethical, as it allows the base experience to be offered for a lower price to more price-sensitive customers.
> In fact, there's a very good argument to be made that luxury pricing is positively ethical, as it allows the base experience to be offered for a lower price to more price-sensitive customers.
How come that isn't happening here?
Anyway, it's a commodity. The positioning of it as a luxury service amounts to theft.
Not sure if the attack is active. He’s not actively talking to the filtering equipment to try and mess up its configuration or disable it. He’s just sending out packets hoping to reach the internet (a perfectly valid thing to do considering the system is designed to let you access the internet). It just so happens that certain packets manage to slip through the poorly designed filter.
In this case the “door handle” is marked with “pull to access the internet”, and he is pulling on it. The handle is supposed to have a mechanism to demand payment before opening but in this case it failed and opened right away.
Not saying this is ethical (although selling WiFi for 12$ per hour isn’t either) but I wouldn’t go as far as calling this an attack.
>although selling WiFi for 12$ per hour isn’t either
Care to elaborate on this? WiFi on a plane isn’t any kind of thing people are dependent on to survive and satellites are pretty expensive. Airplane WiFi is entirely a luxury good.
Do you feel that charging $12 to watch a movie in a theatre is unethical as well? How about $150k for a Porsche?
So if you go to the top of a mountain and there is a single cabin selling water there, at outrageous prices, you would just help yourself to one bottle, because hey, no competition, captive audience.
The problem is that it’s $12 for an hour, regardless of whether you end up using it, or whether it works at all (do you get a guaranteed bandwidth along with that, and is there some BS filter that’s gonna interfere with certain sites or protocols despite you having paid?).
Finally it’s just way too expensive at that price.
Is it though? The adblocker runs locally on your own computer; it certainly prevents the ads from doing what the designer intended, but it doesn't make the designer's computer (or any computer controlled by the ad network) do anything.
Versus tracking does actually do something on your computer (e.g. running JS to discover fonts). Arguably that is a circumvention of the intentions of the user on their own hardware.
The problem is that the phrase "exceeds authorized access" does not distinguish between the access increasing beyond the authorization and the authorization decreasing below the current access. Suppose I put in my Terms of Service the phrase "Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification." Now, whether or not the HTTP request to the server is authorized depends on what you do with the payload.
This is why the CFAA is such a horribly written law. It takes the ToS, something that should be squarely under civil law, and elevates them to being a felony under federal law.
Some adblockers work outside the browser. They block the hosts with custom /etc/hosts or by using a local proxy that filters out requests to ad servers.
All the js code runs but it doesn't download anything.
Obviously the Terms of Service could prohibit that too.
> Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification.
Refusing to fetch a particular resource would be non-access. You cannot punish non-access as unauthorised access, because no such crime of non-access exists.
What about the reverse of that. When I load a website, I expect it to load the normal information of the page in question (for an article about something, that article). I do _not_ want or grant permission for it to display ads. As such, their host sending ads to my machine is "exceeding authorized access".
I'm curious if it would be feasible to sue a company over sending ads. They have just as much information about what you want displayed on your computer as you have about how they want you to use their apis.
You can't look at the legality of it from the point of what the adblocker does. Software doesn't commit crimes; people do.
The possible crime (if it is one) would be if you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway.
> you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway
Meanwhile the website publisher knows that authorization to run javascript may not include performing surveillance, yet includes circumvention code to perform surveillance anyway. So everybody is violating the law, which is why the CFAA is terrible legislation - it relies completely on selective persecution.
Pontificating about abstract "intent" is not actually useful in the digital realm. Protocols [0] are what ultimately mediate between parties with different desires. The CFAA is merely a relic that gets invoked when some powerful entity gets upset at the outcome of a protocol.
[0] to be clear, I'm talking about de facto protocols as executed, not de jure protocols as written into RFC.
This is an extremely naïve, baseless argument- if you could even call it an argument at all.
So let us turn to the ‘proposed’ argument itself: “Software doesn’t commit crimes; people do” The first thing to notice is that the argument has no stated conclusion. What follows? That there should be no software regulation at all? That there should not be any more software regulation than there already is? That the increase in cybercrimes done with ‘software’ is irrelevant to whether or not there should be cyber regulations? Who knows? An argument without a conclusion is by technical basis, not an argument at all.
The statement under consideration clarifies that, when it comes to crimes committed with software , people are the ultimate cause and software is merely a proximate cause—the end of a causal chain that started with a person deciding to commit cyber crimes. But nothing follows from these facts about whether or not software should be regulated. Such facts are true for all criminal activity, and even noncriminal activity that harms others: The ultimate cause is found in some decision that a person made; the event, activity, or object that most directly did the harming was only a proximate cause. But this tells us nothing about whether or not the proximate cause in question should be regulated or made illegal. For example, consider the following argument:
"Bazookas don't kill people; people kill people."
Although it is obviously true that bazookas are only proximate causes, it clearly does not follow that bazookas should be legal. Yes, bazookas don't kill people, people do—but bazookas make it a lot easier for people to kill people, and in great numbers. Further, a bazooka would not be useful for much else besides mass murders. Bazookas clearly should be illegal and the fact that they would only be proximate causes to mass murders does not change this. In fact, it is totally irrelevant to the issue; it has nothing to do with the fact that they should be illegal. Why? Because other things are proximate causes to people’s demise, but obviously shouldn’t be illegal. For example, consider this argument (given in the aftermath of a bad car accident):
"Cars don't kill people; people kill people."
Obviously cars should not be illegal, but notice that this has nothing to do with the fact that they are proximate causes. Of course, they should be regulated; I shouldn't be allowed to go onto the highway in a car with no brakes. But all of that has to do with what cars are for (they are not made for killing people), what role they play in society (it couldn't function without them) and so on. It's a complicated issue—one to which pointing out that cars are merely proximate causes to some deaths contributes nothing.
In conclusion, people who make the feeble argument “software doesn’t commit crime; people do” have mistaken the relevance of proximate causation.
You have missed the point of my comment. It isn't about what the law should be. Instead, I was discussing whether it is currently legal to use adblock.
As I interpreted it, someone said adblock may be illegal under existing law because you are accessing a server without authorization. Someone else seems to have argued that this isn't true because adblock doesn't cause anything to happen on the server; therefore, adblock must be legal because adblock only affects the client.
My comment was that this reasoning doesn't hold water. Perhaps the owner states that authorization is only granted to people who don't use adblock. (Maybe there's a splash page that informs the user they aren't authorized to proceed to the next page if they have adblock enabled.) What matters is the choices people make, not that the behavior of the software avoids interacting with the server. Your hands are not clean just because your software doesn't take an action.
> the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
The information they were accessing didn't come from the computer. And this doesn't say anything about using a computer service in an unauthorized way, which is what it sounds like you're describing here.
The output buffer on the Internet side of the router is information in the computer. It was modified without authorization when packets were sent through it.
Not really. If the plane has open Wlan or a well-known password (ie in the info stuff) then all you need to do is connect. No further authorization needed. There is simply no need to open a browser.
These sorts of technicalities don't play well with juries, but neither do large airlines or ~phone companies charging $15 for two hours of 1Mbps internet.
It is computer abuse as he continued doing it repeatedly and looked for different workarounds, after getting an unauthorised way to access. A more severe offense than simple unauthorised access.
Wouldn't this be excluded anyway since the only thing "fraudulently obtained" was "use of the computer or system" worth less than $1,000 per year?
Even if that language weren't in 18 USC 1030(a)(4), the guidelines sentence assuming no priors would look to be 0-6 months and $250-$5000 fine, assuming you couldn't plea out to something less. I doubt the federal authorities are even going to waste their time looking at $12 of "fraudulent access" that will likely lead to almost no jail time.
It depends on whether someone wants to make something of it. The costs taken into account by the CFAA include the costs of investigating the incident and repairing any damage, and courts in the past have tended to accept pretty much any assertions about these costs. They probably wouldn't blink if the entire cost of fixing the exploit were attributed to the OP.
Criminally charging someone under the CFAA for what is essentially a TOS violation has come under fire before, and frankly I don't think many prosecutors want to be the one to get that legal theory thrown out.
> However the CFAA simply doesn't work that way. "Authorisation" is what the designers intended, and the initial paywall made that intention perfectly clear.
That might be the case but it's also nuts. It encourages litigation over better design and makes public enemies out of security professionals, ultimately driving away those professionals from the US and making US developed tech weak.
I think the local culture needs to be taken into account. Suppose I walk onto your porch, see something I want, and take it with me. That's pretty plainly theft, right? Now suppose I am eight years old, taking candy from a bowl left out on Halloween. That's pretty plainly not theft. To somebody unfamiliar with the cultural practice of trick-or-treating, they might assume that it is theft.
The internet has different cultural norms than physical space. One-to-one analogies are useful for exploring those differences, but not for arguing what they should be. If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.
That is not to say that people should take advantage of these social norms. If I find a bowl of car keys left on a front porch, even if it is Halloween, I should inform the owner of the house that they probably don't want to do that. If I find incremental IDs that lead to other customers' personal information, I should inform the company, and the other customers if necessary.
There's not a matter of perception or culture as the candy was intentionally left out for a trick or treater to take. And since it's a well known holiday, the intent has been communicated.
And that's exactly my point: the cultural norms dictate whether something is an offer or not. For Halloween, the placing of candy outside one's door indicates that it is intended to be shared. For WiFi networks, in the absence of any other indication, not placing a password indicates that it is intended to be used.
>If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.
If your door is open can I take a shower and cook a meal for myself in your house?
>If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.
Lol. I don't know where you got this impression, but no, it absolutely is not.
Not only is it not, but you can absolutely be prosecuted and imprisoned for accessing those networks/servers without permission.
Furthermore, that doesn't really apply in this case because not only was he not given "implicit permission to use it", the in-flight WiFi system explicitly bars you from using the internet without paying for it.
Open WiFi is like a water fountain, or a bench, in a public place to me. There's no explicit sign telling you to use it but who'd put it there if it were not to be used? I'm in the UK.
So, for example if I'm out and about and there's an open WiFi I'll connect to it without seeking permission .. in fact I think it would be weird to go and ask (if you could work out who to ask).
In the UK, what you're doing is illegal under the Computer Misuse Act. I don't think the police are out scouring the streets for people stealing wifi, so you probably won't be prosecuted for it. But still, it is technically illegal. Example: https://uk.reuters.com/article/uk-britain-wireless/two-cauti...
(It's also very, very, very terrible practice for your own security. Don't do it.)
It would be illegal if it were unauthorised; I'm not checking it's authorised because you'd have to be a moron to have published your open router if you didn't intend to have an open router being published. Whilst there's a chance that when I go to McDo I'm not actually authorised to use the published open wifi, it's so slim that it's not worth me tracking down the router owner to ask them -- if that were even possible to do.
If you place a bench in public and you don't want anyone to sit on it then you need to notify people explicitly ... it's the same, I don't find the owner of benches and ask them.
Are there any attacks that work just by connecting to someone's wifi, obviously I'm only using it for non-sensitive traffic unless it's a recognised provider, it's certainly part of my security considerations. Are there specific attacks you're thinking of? Such attacks would work equally if I had explicit authorisation, of course.
Re your link, last time I looked it was allowed to have open shared wifi, and the way you indicate it's open for sharing is having it open and shared. That's probably why the police gave cautions, it placates the complainant and they didn't have to lose in court.
Connecting to open WiFi for internet access is just as secure as connecting to WiFi with WPA enabled. There are so many insecure hops between you and your destination that the last mile access mode is irrelevant.
>Furthermore, that doesn't really apply in this case because not only was he not given "implicit permission to use it", the in-flight WiFi system explicitly bars you from using the internet without paying for it.
Then it should do so. If I connect and I can use the network without paying, that's not my fault.
If you knowingly and with intent use that network without paying, even when knowing that the owner of the network wants all users to pay, it absolutely is your fault. The airline could literally put zero restrictions on their network access, but as long as they put up a sign that says "internet is only for those who pay for it", it would be both illegal and wrong for you to access that internet without paying.
I honestly can't believe we're even having this conversation. It is theft, period. Not only is it illegal, it's blatantly immoral.
>I honestly can't believe we're even having this conversation. It is theft, period. Not only is it illegal, it's blatantly immoral.
It's not theft. It's not immoral either. Open wlan means exactly that, so where is the sign? You are on HN, so using something like a VPN is not uncommon, regardless of what network you are using.
> It's illegal to come into my house and take my stuff even if I forget to lock my back door.
For some reason, on HN when I've made this argument before, the resulting comments have been that the internet is somehow different, and that real-world analogies don't exist. Using equipment that you don't own in a way the owners don't intend is apparently well-accepted.
This is a business and satellite bandwidth is fairly precious.
A better analogy would be going into a restaurant with big “No Outside Food” signs with a sandwich you made at home, hiding the sandwich in a false compartment to get past a check at the door, printing the restaurant’s name on your sandwich wrapper so it looks like you bought it there, and then eating it at a table meant for paying customers.
I love these analogies, but that's wrong. A better analogy would be you use their raw ingredients to make your own food, bring your own utensils and plates, and sit at their restaurant to eat. Basically, you're leasing their bandwidth without payment. Airlines are paying viasat or some other company for access to their satellites and expecting customers to pay the cost for usage (and probably make some profit).
Regardless of the criminality a real world analog would be more akin to someone taking a chair in a Starbucks without paying - maybe there's room, and maybe it doesn't burden them unduly - but the company definitely pays a cost for each table aggregated across its customers.
It's not victimless, the loser is the service provider whose bandwidth is consumed. The line many draw is that corporations aren't people and can't be the victim, this is a false analogy.
Thus: let's switch who is penalized: everyone else on the flight. Bandwidth isn't unlimited, without payment it's hard to justify increasing bandwidth if it isn't profitable.
What should the author do? Report it. If he didn't, maybe you can submit it to the company. If they have a bug bounty, you may get paid (if this happens: would you give the money to the original author?)
If you run a company: you should determine how to incentivise reporting. It's possible in this case: not fixing it spreads awareness, most people can't/don't exploit it.
What you're describing (someone entering your property, having their lunch in your garden and cleaning up before leaving) meets all the elements of physical trespass if the owner of the property didn't grant permission, and is unlawful. Now, the damages might be minimal, but it's still unlawful.
In the U.S., property law is about the right to control access and use -- harm is a secondary concern.
Well, mentally ill people sometimes do break into houses and do harmless things, like making a sandwich or taking a shower, and this generally has severe consequences for them even though it was not malicious, and is of course experienced as a shock and/or violation by the owner who discovers it.
It's really weird that this is presented as normal so frequently in a virtual context.
Granted that's still a crime. You probably won't use the video recording of that guy to file a police report (unless you suspect he did something else on your property, which would be like the author also running aggressive nmap scans) just as viasat is probably not going to file a lawsuit.
maybe more like someone entering a restaurant, sitting down at one of their tables and eating a lunch they brought themselves, or just reading a book, taking up that table during a busy lunch period.
Equating entering buildings with communicating with computers on the internet really is an awful analogy. You can stand in front of a building and be able to tell whether it's a house or a store, i.e. a building meant for private access or for public access. You can also tell a difference between a back door and a front door by looking from afar. You can do neither of these things with computers. You can't look at it from afar to give you clues, you need to communicate with it. The way computers communicate is dictated by protocols. Protocols will tell you stuff like whether you're allowed to talk to them or not. TCP includes telling you whether you're allowed or not via its protocol. HTTP will tell you whether you're allowed or not via its protocol. If the protocols don't tell you they're unwilling to talk, and continue by talking to you, you can only assume it's ok for them to talk to you.
When you first try to communicate with a computer, you can't even know it exists until it replies to you. For the analogy with entering buildings to hold, everybody must be blind and deaf and all buildings must be the same from the outside. Under these conditions, you need to lock your doors, because the only way for anyone to be able to differentiate a house from a store is whether or not the door is locked (TCP connection accepted or rejected). When they approach a door, they can't even tell if the door is really there. They might just grasp the air when they reach out with their hand (TCP timeout from lack of response).
A better analogy is people talking. Everybody is still blind but not deaf. Let's say your robot slaves are talking. Your robot, probably bored, calls out to somebody, "Robot 10?". A robot replies, "yeah?". So, now you know they exist and they're willing to talk to you; you've initiated a TCP connection. "So, how's it going?" your robot asks; HTTP GET /. "My master got married last week.", he responds; HTTP 200 OK. Then comes out his master from behind the curtain, and says "No! It was never my intention for my robot to give out this information. In fact, it was never my intention for my robot to reply to anything anyone ever said. This is your fault!", pointing at you. "You called out to Robot 10, and he replied when it was never my intention for him to reply. He should have said, 'Sorry, I don't talk to strangers' (TCP connection rejection or HTTP 403 Forbidden) or refused to talk (TCP timeout from lack of response) or something. I could have told him to keep quiet, that such things are confidential, but... but... but you should not have called out to Robot 10! You're a criminal! Don't ever do that again. I may just have configured him incorrectly to die whenever he hears a greeting and that will be your fault too if you greet him! I'll charge you with murder for greeting him! and I'll sue you for compensation for the damages I incurred from my robot not being able to do some work for me while being dead."
We could disregard a computer's configuration as indication of their master's intent. However, that doesn't mean not entering someone's house via the back door. It means not talking to anyone ever for fear of them turning around and accusing you for talking to them or for hearing stuff they willingly told you.
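The protocol-level signals this post describes (TCP refused vs. accepted, HTTP 200 vs. 403), read by a small client that acts on nothing but those answers. This is an added example, not code from the original thread: the loopback demo server, its `/` and `/private` paths, and the classification labels are constructed for the illustration.

```python
"""Constructed example: let the protocols say whether a peer is willing to talk.

Added as an illustration of the thread's point that TCP and HTTP carry
explicit "are you allowed?" signals. Not code from the original post; the
server, its paths and the labels are constructed for this demonstration.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed server: public page at /, restricted page at /private."""

    def do_GET(self):
        if self.path == "/private":
            self.send_response(403)  # HTTP 403 Forbidden: told "not allowed"
            self.end_headers()
            self.wfile.write(b"forbidden")
        else:
            self.send_response(200)  # HTTP 200 OK: willing to talk
            self.end_headers()
            self.wfile.write(b"hello")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Serve DemoHandler on an ephemeral loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def find_closed_port():
    """Return a loopback port that nobody is listening on right now."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def classify_access(host, port, path="/", timeout=2.0):
    """Classify a peer from its protocol answers alone.

    Returns 'no-listener' (TCP RST), 'unreachable' (no SYN-ACK at all),
    'forbidden' (HTTP 403), 'allowed' (HTTP 200) or 'other-<status>'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # handshake completed: something is listening
    except ConnectionRefusedError:
        return "no-listener"
    except (socket.timeout, OSError):
        return "unreachable"
    url = "http://%s:%d%s" % (host, port, path)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "allowed" if resp.status == 200 else "other-%d" % resp.status
    except urllib.error.HTTPError as err:
        return "forbidden" if err.code == 403 else "other-%d" % err.code


if __name__ == "__main__":
    srv = start_demo_server()
    p = srv.server_address[1]
    print(classify_access("127.0.0.1", p, "/"))          # allowed
    print(classify_access("127.0.0.1", p, "/private"))   # forbidden
    print(classify_access("127.0.0.1", find_closed_port()))  # no-listener
    srv.shutdown()
```

The client never guesses at the owner's intent: a refused connection or a 403 ends the exchange, and only an affirmative 200 is treated as permission, which is the stance a well-behaved client should take.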
The path between two cities is privately owned and the owner charges people to walk through it. There is a side gate for bathroom access. This is akin to going up to the gate and telling the owner "I'm just here to use the bathroom" (sni:viasat) and then after going through the gate just continuing to the other city.
Sure it's illegal, but hardly worth 5 years and I doubt there's a judge who would give more than community service for a stunt like this. But who knows, people get a lot more sensitive when it happens with computers or if it involves air travel.
> It's illegal to come into my house and take my stuff even if I forget to lock my back door.
This is such a poor analogy. You are conflating access with use... someone "stealing your stuff" is what they do with the access; access is figuring out how to open the door, which is the focus of what this guy was doing...
This is where all physical world analogies basically end, the closest would be a lock picking enthusiast, but digital access is a huge complicated world that is conflated with the concept of selling communication.
The so-called US law talks of intent, so why not talk about intent of the "accused" here: This clearly isn't some average freeloader interested in saving $12, the interest is far deeper, the challenge in overcoming the access and then presenting what he found out "isn't this interesting" - is that really the behavior of someone intent on "stealing your stuff"? No.
If you really want to talk about what he "stole" as a process of that intent, it's literally utility, like a bathroom with a $12 lock... of which it is of course not even clear how much he used, the focus was all about figuring out how to gain access, not seeing how much netflix he could download.
If you do it by accident? Sure. If you discover that you can trigger the bug by unplugging the router at 11:59PM and take advantage of this to blow through your limits? That’s not so legal, no.
It is not unauthorised access when you exceed your bandwidth quota. It is simply another debt, even if it is not billed correctly yet. Most would lose their internet subscription if it were considered unauthorised access.
Has it, though, in practice? The CFAA has been in effect for over 30 years. If this law actually had the chilling effect you claim it does, we would already have observed a significant security talent exodus from the U.S. My observation from having worked in Silicon Valley throughout the past 20 years suggests there's still plenty of talent to go around and plenty of lawful work being done.
The reason it hasn't is because the CFAA's track record as a prosecutorial tool is mixed at best. Of the 8 or so high profile cases using it only one conviction has actually held up. As a result, prosecutors are understandably hesitant about leaning on it.
Wow, this was an amusing read. I actually helped architect part of the system that was bypassed at LiveTV (now Thales).
We had some serious hackers on the team and discussed how much probing & prodding it would take to find vulnerabilities like this, but concluded that anyone doing this should be worried about more serious consequences. I for one wouldn't attempt this myself on the aircraft. The hacker side of me finds this amusing, but I hope the author doesn't face more serious consequences, primarily for having made this public knowledge. I have a sense the defense company that now owns the system being bypassed/broken will not find it amusing in the least bit.
Disclaimer: opinions above are my own. I do not speak for or on behalf of any party in the article.
We shouldn't let defense companies push around the general public. I'm glad that the author is willing to shoulder that risk, we need more people like them.
I agree with the sentiment. As a fellow geek & rebel, I can empathize. But if the author were my friend, I would point to past examples of how these things typically don't end well for us. Not worth upending your life for karma or likes or whatever. The world needs more geeks that love what they do and can contribute significantly to society. That does not happen if you're fighting court cases or on the run from authorities. The general public will rarely, if ever, stand up for you.
It's relevant because it affects their "brand" and also culture plays a role in how they may perceive the situation. I have no idea if this even registers on their radar and it's pure speculation on my part. Certainly not a sleeping bear I would poke.
I absolutely hope that’s the outcome of this whole thing. Unfortunately beyond the actual security vulnerability, companies often view these things as a “brand” or “PR” issue. I sincerely wish Kevin the best & hope this results positively as an internship or bug bounty.
Definitely, but is it worth it for them to defend against or go after the few people willing to use this method to get free Wi-Fi on planes? IMHO they'll spend more than what they'll gain.
I fear that this would be viewed through the lens of "PR" & "brand", things companies are rightfully keen on protecting. Unfortunately there's a legal component to all this also. The knowledge itself is cool & even actual instances of a handful of people getting "free" internet probably wouldn't register on their radar. But the publicity from being on the top of HN... that might be of significant concern.
This is a level of probing anyone with a good understanding of HTTPS could do. It's not like MAC spoofing or setting up a honeypot (have fun stopping those). I think you set your bar one or two notches too low for what someone in tech can do. Practically, though, your bar is fine because this isn't actually a "security" vulnerability in the sense that something was leaked (worry more about honeypots), just that one or two people per flight might be mooching, and that's not worth engineering for.
It's interesting that you and your team thought of legal consequences before asking if this is an edge case that's not worth engineering for.
Someone in tech can do a lot. But anonymity of the web vs being 1/~120 on an aircraft where you gave your name and other vital info before boarding is a little different. Anyone going to extremes (like using fake travel docs) likely has far more nefarious intent than getting a little free WiFi.
But, let's give Kevin serious kudos on his clever approach to solving this problem. This is the true hacker spirit that reaches across the decades. Bravo!
I got a 404 and a few minutes later a Firefox "Did Not Connect: Potential Security Issue" followed by this explanation:
Firefox detected a potential security threat and did not continue to potatofrom.space because this website requires a secure connection.
What can you do about it?
potatofrom.space has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.
The comment about the 24Mbps is pretty impressive. My experience every month on the JAL flights SF to Tokyo and Tokyo to $SomeOtherAsianCity is pretty crappy. I wonder if doing this also bypasses some QoS filters? For example, on a flight I tried to open the XM app on my iPad and could not stream a thing (it's a pretty low bit rate). Slack connects and disconnects all the time. Email works but is slow. Webpages take minutes to load. Every flight for the last few years or so...
That's because you're traveling in airspace covered by a different satellite than the one that covers the American continent. Top speed should actually be ~74MBps.
I was one of the people who helped build the system (not at Viasat)
Apparently it’s been benchmarked doing even better speeds. There was supposed to be new satellites launched over Europe and Asia, but at the time, this was the fastest one.
I bet that viasat.com "connections" are given priority and not throttled for bandwidth - or perhaps since he never registered with the system, it never applied a throttle, under the assumption that blocking access negated the need for a throttle.
While interesting, I would have an uneasy feeling messing with the WIFI AP on an airplane. Perhaps there is a U.S. law this type of conduct would fall under specific to being on an airplane?
While in general bypassing Wi-Fi restrictions is indeed dubious from legal standpoint, it’s most likely as safe on an airplane as anywhere else. If in-flight Wi-Fi provider’s AP was in any way part of aircraft control system network, I would be surprised if overseeing such a design flaw weren’t a crime.
The author does not "mess with the WIFI AP on the plane"; they exploit a weakness in the design (failure by Viasat to maintain a checksum IP mapping to their domain for the captive service) to simply bypass a trivial TLS header check in order to tunnel their traffic.
This is hacking under federal law, as it should be. Likewise, if I break into your house by merely exploiting a weakness in the design of the lock, I am still committing a crime.
If someone charges for tours of part of their house, has two prices of tour, and you change the colour of your badge to let you access the part you haven't paid for, is that a crime?
Sounds like some form of fraud to me. What's the difference between that and simply forging a ticket to an event instead of buying one? Or forging a currency note?
OK, the better example from further down. You realise your badge lets you into areas of the premium tour, it opens all doors, not just the ones you paid for it to open.
And even if it is fraud of some kind, the bar for charging someone with fraud (instead of just suing for damages) is fairly high...
Well yes, but bandwidth is practically free anyway. I'm not actually stealing computer resources. It's more akin to looking at the Mona Lisa through one of the Louvre's windows using a pair of binoculars.
The person I'm replying to specifically said "mess with the WIFI AP" in order to present this as harmful or dangerous (FUD), it is not. It's a trivial header check bypass - whether or not that is "hacking" is a question for lawyers and a judge.
I was just bypassing some trivial key check on the door. To say I was "messing with the door" is FUD, and whether I was breaking and entering is a question for lawyers and a judge.
The owner gave me a key to the lobby so I could pay to get an all-access key. As it turns out, I can just walk past the lobby and that key actually opens all doors in the building. Whether or not it's illegal to use it to access whatever I want is a question for lawyers and a judge.
That's not what's happening here. This is more like trying the key on every door, finding a cleaning closet unlocked and crawling through the ventilation ducts to get in.
I think it's pretty close to the reality. The lobby is wide open (viasat's payment gateway), but if you just use the viasat lobby key (viasat.com SNI) on any other door (IP address) it allows you access. They could prevent you from getting to the doors in the first place (whitelisting MAC address to access anything other than a whitelist of IPs instead of just TLS SNI whitelisting) but they don't, as it's especially evident when they allow other protocols when the connection is not encrypted.
The lobby is not locked. Neither are any of the doors leading out from it. There is a cashier in the lobby and a sign with ticket prices for the different doors.
In that situation, opening the doors without paying is illegal. It would be treated as trespassing or theft of services. You don't have the right to use other peoples' stuff without permission just because it's easy to do.
Judges tend to be less impressed by technicalities than seems to be commonly believed. If you know that a network operator intends to route traffic only for paying customers, and you intentionally trick its router into routing your traffic without payment, the judge will probably see that as intentional unauthorized access.
I think that's legally reasonable, almost. It's the intent that matters here; if my use of Cloudflare DNS instead of what your DHCP server provides for performance and privacy reasons happens to bypass your insecurely implemented captive portal that asks for payment, there's no intent. If I employ a complex tunneling scheme specifically designed to bypass your payment check, that's theft.
Where I do have a problem with the law is that its digital nature is given special treatment and greatly enhanced penalties. If I walk into a store and steal a USB Wifi adapter worth $20, I have committed a misdemeanor. If I'm caught, I'll probably be given a summons, not arrested, and my penalty will probably be a fine or community service. If I use that adapter to steal access to $20 worth of in-flight Wifi, I've committed a felony, for which the penalty includes loss of civil rights, and probable incarceration.
Right. I think all he’s trying to say is that it might be worse to hack something on a plane vs some other kind of computer system. I don’t think they were implying harm was being done to the ap. Colloquially I would definitely call this messing with the ap :)
IANAL and all that, but my perception is that "hacking" is usually about breaking into someone else's computer / breaching someone else's privacy / accessing data that isn't yours / etc. If that perception is accurate, then I think it's really a stretch to call this "hacking". You're just moving bits around on network infrastructure designed to move bits around. Maybe I'm just looking for a loophole because wishful thinking, but this seems like a decent argument to me.
Now, you could be violating their terms of service. But in this case there may be a good argument that you never accepted their terms of service since you wouldn't have had to click the "accept" button to do what the post describes.
Was going to write the same. Prosecutors would have an easy time convincing a judge that hacking, and doing so while airborne, should result in many years behind bars, especially knowing how punitive the legal system in the US can be. The article itself is very interesting though.
They'd have your stunnel server IP, so if they were really, really determined they could probably track you down by forcing your ISP/VPS provider to identify you.
I doubt they'd bother for $45 worth of WiFi, but personally I would err on the side of caution.
My guess would be that getting caught doing this could get you federal terrorism charges. I don't even think it's a safe assumption that the network is isolated or properly insulated from pilot instrumentation.
If that assumption isn't safe, then neither is the plane.
Having ANY access AT ALL whether via "hidden" backdoor or authorized login to plane instrumentation from the WiFi would be an insane setup. Just because they're both invisible to you doesn't mean they're connected in some way.
Could you imagine the attack surface?
We'd be hearing about terrorist attacks leveraging that design flaw.
If your flight has GoGo, it’s easier to just remember which of your friends has a T-Mobile number, plug that in, and you’re in. They don’t actually verify it’s your number.
They used to offer all flight passes as well instead of the hour limit. I’d open up safari on my Mac, spoof the UA and have free internet that way.
Also recently I think they’ve stopped giving T-Mobile numbers access to the higher speeds. Was fun while it lasted. I was able to clock over 50mbps on one of my flights. Kinda nuts.
An alternative to this is to scan for active MAC addresses on the WiFi and steal one and hope it's someone paying for the premium WiFi already :) This works on almost all hotel WiFi too.
As someone who has created captive portal systems I have to say that this is a very poor system.
My system tagged you in a firewall so your packets were not getting out until you had authenticated and ended up in an ipset list that bypassed the tag.
Thank you! I suspect the answer is "most", especially if they allow HTTPS in any way. The way to solve this issue is to either whitelist IPs/host the site internally on the local network (e.g. most captive portals).
I'm actually surprised simple tunneling is working and they don't have additional protections.
From my experience most of public networks won't let you do much this way. However, it seems it (as most captive portals) has access to DNS servers.
There was this tool people were using to bypass VPN blocking and throttling in China called kcptun. It let you tunnel TCP traffic over UDP, then an SSL tunnel on top of it. With a server listening on port 53, it worked awesomely to avoid QoS and managed to (1) bypass authentication and (2) get absolutely amazing speeds on some airport wifis, for example. You probably could do the same with an OpenVPN on UDP 53.
However, it seems most public wifis are smarter and would blacklist your MAC address if either too much traffic is going through, or you stay for too long. You can change your address, but it's not really usable. Still fun though!
Also, it seems most public wifis now do more DPI and they won't let traffic other than DNS go over UDP 53.
With this in mind, another one I haven't looked through much is DNS tunneling. I would love to hear anyone's experience with it (I've heard it's very slow...)
Edit: seeing a few comments about the unethical aspect of this. In some cases, it might be. In others, it is about avoiding a system that tracks you and tries to gather and resell as much information as it can about you (it varies a lot according to which country you're in).
I've done it a bit (using iodine[1]) and while it obviously depends a lot on the DNS server they're using, it can be surprisingly fast. I think I got over 300kbps regularly, which while not great for video streaming, is more than enough for HN and such.
iodine in particular tries to use some less common DNS record types like NULL, which might support up to 65kb/reply, falling back to more common if those are not supported, so you can get decent download speeds.
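The two comments above describe what a DNS tunnel looks like on the wire: a flood of never-repeating query names under one zone, often using payload-carrying record types such as NULL or TXT. Here is an added example of how a network operator could spot that pattern in a resolver's query log. This is not code from the article, the thread, or the iodine project; the log format and every query in it are constructed, and the thresholds are assumptions that would be tuned per network.

```python
"""Heuristic DNS-tunnel detection over a resolver query log.

Added example; it is not code from the article or from the iodine project.
The log format and every query below are constructed. Per (client, zone)
the detector scores four signals a DNS tunnel tends to show: many queries
to one zone, payload-carrying record types (NULL, TXT), long high-entropy
leftmost labels, and almost no repeated query names (a tunnel encodes fresh
data in every name, so caching never helps it).
"""
import hashlib
import math
from collections import defaultdict
from typing import Dict, List, Tuple

PAYLOAD_QTYPES = {"NULL", "TXT"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname: str) -> str:
    """Registrable zone, approximated here as the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str) -> Tuple[str, str, str]:
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    _ts, client, qname, qtype = line.split()
    return client, qname.lower(), qtype.upper()


def detect_tunnels(lines: List[str], min_queries: int = 20) -> List[Tuple[str, str]]:
    """Return (client, zone) pairs whose traffic looks like a DNS tunnel."""
    groups: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        client, qname, qtype = parse_line(line)
        groups[(client, zone_of(qname))].append((qname, qtype))

    flagged = []
    for key, queries in groups.items():
        n = len(queries)
        if n < min_queries:
            continue  # too little traffic to judge
        first_labels = [q.split(".")[0] for q, _ in queries]
        avg_len = sum(len(label) for label in first_labels) / n
        avg_entropy = sum(shannon_entropy(label) for label in first_labels) / n
        payload_ratio = sum(1 for _, t in queries if t in PAYLOAD_QTYPES) / n
        distinct_ratio = len({q for q, _ in queries}) / n
        # Thresholds are assumptions for illustration; tune them per network.
        suspicious_names = avg_len >= 30 and avg_entropy >= 3.0
        if distinct_ratio >= 0.9 and (payload_ratio >= 0.5 or suspicious_names):
            flagged.append(key)
    return flagged


def constructed_log() -> List[str]:
    """Build a small sample log: one tunnelling client and two ordinary ones."""
    lines = []
    for i in range(25):  # constructed tunnel: fresh 50-char hex label per query
        label = hashlib.sha256(str(i).encode()).hexdigest()[:50]
        lines.append(f"2024-01-01T00:00:{i:02d} 10.0.0.5 {label}.t.example-tunnel.test NULL")
    for i in range(30):  # constructed busy but benign client: same name, repeated
        lines.append(f"2024-01-01T00:01:{i:02d} 10.0.0.7 www.example.org A")
    lines.append("2024-01-01T00:02:00 10.0.0.6 mail.example.com MX")
    return lines


if __name__ == "__main__":
    print(detect_tunnels(constructed_log()))  # [('10.0.0.5', 'example-tunnel.test')]
```

The busy client querying `www.example.org` thirty times is there on purpose: volume alone is not a signal, and the distinct-name ratio is what separates a chatty but normal host from a tunnel. Dropping the record-type signal (a tunnel that sticks to A or CNAME records) still trips the detector through the label length and entropy check.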
Other techniques include tunneling over DNS, tunneling over ICMP, finding flaws in the HTTP parser, scanning the default router for open ports, scanning intermediate proxies for open ports, exploiting bad proxy redirect rules, finding protocols and ports that the firewall doesn't block outbound, and finding holes in the paywall's web apps.
Once upon a time there was a pre-paid mobile internet provider that sold USB sticks. It turned out that once you had initially activated the stick, even without an account, it would always default to a paywall until you had an account paid up. The HTTP parser of the paywall proxy was so bad that it only filtered connections with CRLF as the line terminator for HTTP requests... so a simple proxy that converted CRLF to LF bypassed the paywall.
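The parser story above is a classic fail-open filter: anything the proxy could not recognise as HTTP was forwarded untouched. As an added example (not code from the thread or from that provider; the hostnames and requests are constructed), here is that weak filter next to one that fails closed, refusing any request it cannot frame canonically instead of waving it through.

```python
"""Fail-open versus fail-closed request filtering in a captive-portal proxy.

Added example; not code from the article, the thread, or the provider
described above. The allowed host and the sample requests are constructed.
weak_filter() only understands CRLF-terminated requests and forwards anything
else as 'not HTTP'. hardened_filter() rejects anything that is not canonical
HTTP/1.x framing before it even looks at the Host header.
"""
from typing import Dict, List, Optional

ALLOWED_HOSTS = {"pay.example-portal.test"}  # constructed paywall host


def _host_header(lines: List[bytes]) -> Optional[str]:
    """Return the lower-cased Host header value, or None if absent."""
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def weak_filter(raw: bytes) -> str:
    """The defective design: no CRLF means 'not HTTP', so it is forwarded."""
    if b"\r\n" not in raw:
        return "forward"  # fail-open: unparsed traffic bypasses the paywall
    lines = raw.split(b"\r\n")
    host = _host_header(lines)
    return "allow" if host in ALLOWED_HOSTS else "redirect-to-paywall"


def hardened_filter(raw: bytes) -> str:
    """Fail-closed: only canonical HTTP/1.x requests get a policy decision."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "reject"  # no proper header terminator
    lines = head.split(b"\r\n")
    if any(b"\n" in line or b"\r" in line for line in lines):
        return "reject"  # bare LF or CR inside a line: ambiguous framing
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return "reject"  # malformed request line
    host = _host_header(lines)
    if host is None:
        return "reject"  # HTTP/1.1 requires Host; no host, no decision
    return "allow" if host in ALLOWED_HOSTS else "redirect-to-paywall"


def compare(raw: bytes) -> Dict[str, str]:
    """Both verdicts side by side, for the constructed requests below."""
    return {"weak": weak_filter(raw), "hardened": hardened_filter(raw)}


if __name__ == "__main__":
    lf_only = b"GET / HTTP/1.1\nHost: other.test\n\n"  # constructed LF-terminated request
    print(compare(lf_only))  # {'weak': 'forward', 'hardened': 'reject'}
```

The general lesson is that a filter in front of a paid service must either parse exactly as the upstream does or refuse what it cannot parse; any gap between the two parsers becomes a bypass.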
You will be happy to know the "send it on an airplane as luggage with passengers" business models are now seen as failures by most Silicon Valley investors as well as some YC partners. It's been 5 years and there were many of these companies; the investors got burned.
How do I know? I run a YC funded company that legally imports :)
This feels more like a complicated version of telling the world some grocery store entered store brand canned sardines wrong in their system and they'll ring up as $0.
Sure, they're free, for now, but do you really want all those canned sardines?
Nice write-up. Found it very clear (and thanks for the SNI primer) except perhaps the port-soup near the end. Might have benefitted from a little diagram or flowchart for that bit.
@HN admin I think it’s a good idea to remove this post. The author fucked up, I think it’s worth doing what we can to prevent further collateral damage to them.
Genuine question here: isn't Tor traffic reputed to have a certain "footprint"?
I would be worried about accessing the Tor network over public WiFi, but maybe that's just me.
But when you start using pluggable transports, like Obfs4, you can defeat pretty much every captive portal or traffic analyzer. I'm sure there might be a way to detect even these. But remember that the real test of detection is the GFoC.
Some piddly airline's offering of pay internet is not going to use nation-state level detection schemes.
I find that iMessage always works on my flights with United. No images though. I was surprised since the cell was off and it remembered the Wi-Fi but messages came through.
The latest iodine version is quick and works almost everywhere. Should work fine in the OP's scenario. I also use SSH -D, then I use proxychains and it works fine.
Last year I was on a flight and my phone buzzed, which was odd. I looked down and it had somehow connected to the WiFi without my doing anything and started getting chat messages.
I tested further and my WiFi was totally unrestricted. I was able to download a show from Netflix at 20Mbps+ ... does anyone know what happened? I didn't even think planes had WiFi that fast and I definitely thought they blocked all streaming video domains.
tl;dr: The Viasat firewall is trying to do filtering of TLS connections based on the arbitrary and client-controlled host name string and not the destination IP address. It has no network-level routing control at all: it will allow a connection to any host on the internet, but will then terminate it after it sees that it's not going to (strictly, "doesn't look like it's going to") a permitted host. So the author set up an ssh server on the HTTPS port and connected to it with a faked host name.
But seriously folks: this is (1) still a crime in basically all jurisdictions and (2) a crime on an airplane in flight, so have fun in jail.
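The tl;dr above, the "ipset of authenticated clients" portal described earlier in the thread, and the suggestion to whitelist IPs rather than TLS SNI all point at the same design rule: the forwarding decision has to be made on something the client cannot choose. Here is an added example of the two policies side by side, not code from the article, the thread, or any provider named in it. The gateway hostname, its IPs and the client MAC addresses are constructed; a real portal would fill the gateway table by resolving its own payment host and would move clients into the authenticated set after payment.

```python
"""Captive-portal egress policy: SNI-only allowlisting versus
authenticated-client tracking plus destination-IP allowlisting.

Added example; this is not code from the article or from any provider named
in the thread. The gateway hostname, IP addresses and client MAC addresses
are constructed. A real portal would fill GATEWAY_HOSTS by resolving its own
payment gateway and would add clients to `authenticated` after payment, the
way the ipset-based portal described earlier in the thread does.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed: the IPs the payment gateway hostname actually resolves to.
GATEWAY_HOSTS: Dict[str, Set[str]] = {
    "pay.example-portal.test": {"203.0.113.10", "203.0.113.11"},
}


@dataclass(frozen=True)
class Flow:
    client_mac: str
    dst_ip: str
    dst_port: int
    sni: Optional[str]  # TLS ClientHello server_name: chosen by the client


def weak_policy(flow: Flow) -> bool:
    """Allow if the client-supplied SNI names the payment gateway.

    This is the flaw the tl;dr describes: the decision rests on a string the
    client controls and never on where the packets are actually routed.
    """
    return flow.sni in GATEWAY_HOSTS


@dataclass
class Portal:
    # Stand-in for the ipset of clients that have paid.
    authenticated: Set[str] = field(default_factory=set)

    def authenticate(self, mac: str) -> None:
        self.authenticated.add(mac)

    @staticmethod
    def gateway_ips() -> Set[str]:
        return set().union(*GATEWAY_HOSTS.values())

    def hardened_policy(self, flow: Flow) -> bool:
        """Default-deny for unauthenticated clients.

        Only traffic to the gateway's real IPs is forwarded, and for TLS the
        SNI must name a host that resolves to that very IP. Everything else
        is dropped at the routing layer, not after inspecting a header.
        """
        if flow.client_mac in self.authenticated:
            return True
        if flow.dst_ip not in self.gateway_ips():
            return False  # routing decision on the destination, not the name
        if flow.dst_port == 443:
            return flow.sni is not None and flow.dst_ip in GATEWAY_HOSTS.get(flow.sni, set())
        return flow.dst_port == 80  # plain HTTP to the gateway for the redirect page


def compare(flow: Flow, portal: Portal) -> Dict[str, bool]:
    """Return both verdicts so the difference is visible side by side."""
    return {"weak": weak_policy(flow), "hardened": portal.hardened_policy(flow)}


if __name__ == "__main__":
    portal = Portal()
    # Constructed: a TLS flow whose SNI claims the gateway but whose
    # destination is an unrelated host on the internet.
    spoofed = Flow("02:00:00:00:00:01", "198.51.100.7", 443, "pay.example-portal.test")
    print(compare(spoofed, portal))  # {'weak': True, 'hardened': False}
```

The hardened policy also covers the point raised about unencrypted protocols: for an unauthenticated client, ports other than 80 and 443 are dropped regardless of destination, so there is no second, unfiltered path beside the TLS check.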
How is this a crime (in _all_ jurisdictions)? The CFAA is US-only, and few other jurisdictions have as loose terms (or history of abuse) as the CFAA, when it comes to "hacking".
It's straight up unauthorized access to a computer system. They tell you they don't allow it and you have to pay for it, the author clearly knew that, and evaded the protections. Cite me a legal environment where that is not a crime.
Which computer system does this access that the user was unauthorized to access? The user's home server?!
The made-for-DRM CFAA that might classify fooling a flimsy filter as "unauthorized access to a computer system" is very much US-specific. Over here on the other side of the world, I'm thankful I'm not subject to such legislation or judicial system, but to one which still has a sensible definition of "hacking".
Indeed, I was unclear. But the features are tied at the hip. SNI exists because TLS needs a way to discriminate separate certificates for the benefit of requests on the same port using distinct HTTP/1.1 Host headers. In my experience it's absolutely routine to talk about them using the same terminology.
I'm seeing a lot of people say that airplane wifi is overpriced, and I'm kind of baffled. Yes, compared to terrestrial wifi it's expensive. But... you're in a fast moving object communicating with satellites (satellite launches are expensive!) and I don't really understand why people are so eager to call this bad pricing.
I don't fly enough to care, but the pricing model has become a death of one thousand cuts. I can see why that is bothersome, even if it can be described as fair exchange of value or whatever.
Well it turns out people prefer to pay 10$ and 5*12$ instead of 70$ for a flight, probably because it feels like you can save a bit.
At the end the airline needs to get its bottom line green and airplanes and satellite wifi are not cheap, not to speak of the highly paid people needed to run it all.
It's one thing to call that unethical, but at the end the market decides and it seems that all-inclusive deals simply do not resonate as well.
I was pleasantly surprised to see the appropriate NixOS configuration in the middle of the article. NixOS streamlines the whole configuration process to a couple of lines of configuration which can be copy-pasted without changing anything.
Whatever country's airspace you're in and whatever country the plane is registered in. (Probably an oversimplification, but IANAL and I definitely ANYL.)
Nice post and well written.
I'll have to try something similar with stunnel for my office connection (heavily filtered and firewalled), to allow me to reach my Raspberry back home.
Not sure office == workplace, but most workplaces have policies around intentionally bypassing network security/firewall rules.
If your workplace has any kind of security operations/threat detection, you could find yourself explaining why exactly your host is reaching out over suspiciously encrypted channels.
Specifically, https://en.wikipedia.org/wiki/Egress_filtering. If the OP's company has restrictive firewalling and filtering already, they also probably have egress filtering and monitoring as well.
I agree with you, this will surely raise a red flag in our administrators' panel and this isn't my intention. I'm mainly interested in the technical side of things.
I know that most ports and traffic types are already blocked. What about outgoing HTTPS traffic? It is encrypted and should be allowed to pass... something like an HTTPS tunnel.
Fully agree with you, this is something that needs to be treated seriously, especially in a professional business environment. I'm mainly interested in the technical side of things and in what is feasible, not in ways to bypass security for illegal purposes.
[1]: https://delph.us