
Stunnel and Airline Wi-Fi - Pneumaticat
https://potatofrom.space/post/viasat-airline-free-wifi-stunnel/
======
Pneumaticat
Hey guys, thanks for all the comments! I realized that it was not an ethical
idea to post, so I decided to take it down. I did not get a cease and desist,
but I would appreciate if you could refrain from reposting it.

If you are interested in seeing some of my other (more ethical) work, check
out Delphus [1], an open research study management platform which I am working
on at my new startup ;)

[1]: [https://delph.us](https://delph.us)

~~~
bin0
I'm not sure about this, still. I'd consider it roughly equivalent to posting
a POC for an exploit: it could be abused, could be used for academic learning,
or could be used to improve systems. It's not inherently bad.

------
PaulAJ
In the USA this would be a violation of the CFAA
[https://www.law.cornell.edu/uscode/text/18/1030](https://www.law.cornell.edu/uscode/text/18/1030).
Specifically, the router is a "protected computer" and the procedure described
here is "exceeding authorised access" because it routes packets around a
mechanism that was designed to stop them. Maximum penalty 5 years.

(Some might argue that it was authorised because the computer let him do it.
However the CFAA simply doesn't work that way. "Authorisation" is what the
designers intended, and the initial paywall made that intention perfectly
clear.)

~~~
bobcostas55
How does this not apply to stuff like trackers bypassing anti-fingerprinting
browser protections?

~~~
pmorici
Because a prosecutor hasn't tried to use it in that way.

~~~
mindslight
Which highlights a fundamental truth to law - it's only enforced to backstop
the status quo. Routing around a wifi paywall rocks the boat, performing
invasive surveillance on website visitors doesn't.

So practically yes, let's be aware that the author could indeed be persecuted
under the CFAA. But let's not grandstand and pretend that following that law
is some sort of moral imperative that benefits everyone. The common individual
will be the target of the same attacks with or without that law.

~~~
tidepod12
Following the law may not be a moral imperative, but let's not pretend like
the author did anything moral here. He knowingly and with intent stole
services from the airline. It not only was illegal, it's blatantly immoral.

~~~
SomeOldThrow
It’s also immoral to force bad pricing down customer throats. And yet that is
the definition of the inflight wifi business.

EDIT: I’m fairly sure at current prices a single flight could pay for a
month’s service for a single plane, probably several times over. The profit
margins (& I imagine some the cut to the airline) must be enormous, & there is
no pretense of fair terms at sale time because a single corporation can
entirely monopolize your attention.

~~~
nordsieck
> It’s also immoral to force bad pricing down customer throats. And yet that
> is the definition of the inflight wifi business.

In what bizarro world are people being forced to buy inflight wifi?

------
UperSpaceGuru
Wow, this was an amusing read. I actually helped architect part of the system
that was bypassed at LiveTV (now Thales). We had some serious hackers on the
team and discussed how much probing & prodding it would take to find
vulnerabilities like this, but made the conclusion anyone doing this should be
worried about more serious consequences. I for one, wouldn’t attempt this
myself on the aircraft. The hacker side of me finds this amusing, but I hope
the author doesn’t face more serious consequences, primarily for having made
this public knowledge. I have a sense the defense company that now owns the
system being bypassed/broken will not find it amusing in the least bit.

Disclaimer: opinions above are my own. I do not speak for or on behalf of any
party in the article.

~~~
pmontra
Definitely, but is it worth it for them to defend against or go after the few
people willing to use this method to get free Wi-Fi on planes? IMHO they'll
spend more than what they'll gain.

~~~
UperSpaceGuru
I fear that this would be viewed thru the lens of “PR” & “brand”, things
companies are rightfully keen on protecting. Unfortunately there’s a legal
component to all this also. The knowledge itself is cool & even actual
instances of a handful of people getting “free” internet probably wouldn’t
register on their radar. But the publicity from being on the top of HN... that
might be of significant concern

------
byteCoder
Illegal and unethical: yes, in this use case.

But, let's give Kevin serious kudos on his clever approach to solving this
problem. This is the true hacker spirit that reaches across the decades.
Bravo!

------
nealabq
The site's down for me.

I got a 404 and a few minutes later a Firefox "Did Not Connect: Potential
Security Issue" followed by this explanation:

    
    
      Firefox detected a potential security threat and did not continue to potatofrom.space because this website requires a secure connection.
    
      What can you do about it?
    
      potatofrom.space has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
    
      The issue is most likely with the website, and there is nothing you can do to resolve it. You can notify the website’s administrator about the problem.

~~~
judge2020
The website itself is up
[https://potatofrom.space/](https://potatofrom.space/) so looks like the
author decided to take it down, odd. Maybe he got a cease and desist from
Viasat.

~~~
Rafert
Still available on the GitLab instance linked from the home page:
[https://gitlab.potatofrom.space/kevin/potatofrom.space/blob/...](https://gitlab.potatofrom.space/kevin/potatofrom.space/blob/0f2048ff5124327e27aca76e2c98d16be076e400/content/post/viasat-airline-free-wifi-stunnel.md)

------
myrandomcomment
The comment about the 24Mbps is pretty impressive. My experience every month
on the JAL flights SF to Tokyo and Tokyo to $SomeOtherAsianCity is pretty
crappy. I wonder if doing this it also bypasses some QoS filters? For example
on a flight I tried to open the XM app on my iPad and could not stream a thing
(it's pretty low bit rate). Slack connects and disconnects all the time. Email
works but is slow. Webpages take minutes to load. Every flight for the last
few years so...

~~~
UperSpaceGuru
That’s because you’re traveling in airspace covered by a different satellite
than the one that covers the American continent. Top speed should actually be
~74MBps.

I was one of the people who helped build the system (not at Viasat)

~~~
a012
It's almost a 1Gbps over sat link, are you correct?

~~~
UperSpaceGuru
[https://en.m.wikipedia.org/wiki/ViaSat-1](https://en.m.wikipedia.org/wiki/ViaSat-1)

Apparently it’s been benchmarked doing even better speeds. There were supposed
to be new satellites launched over Europe and Asia, but at the time, this was
the fastest one.

------
nawtacawp
While interesting, I would have an uneasy feeling messing with the WIFI AP on
an airplane. Perhaps there is a U.S. law this type of conduct would fall under
specific to being on an airplane?

~~~
gravitas
The author does not "mess with the WIFI AP on the plane", they exploit a
weakness in the design (failure by viasat to maintain a checksum IP mapping
to their domain for the captive service) to simply bypass a trivial TLS header
check in order to tunnel their traffic.

~~~
behrlich
This is almost definitely “hacking” under federal law.

~~~
gravitas
The person I'm replying to specifically said "mess with the WIFI AP" in order
to present this as harmful or dangerous (FUD), it is not. It's a trivial
header check bypass - whether or not that is "hacking" is a question for
lawyers and a judge.

~~~
pessimizer
I was just bypassing some trivial key check on the door. To say I was
"messing with the door" is FUD, and whether I was breaking and entering is a
question for lawyers and a judge.

~~~
judge2020
The owner gave me a key to the lobby so I could pay to get an all-access key.
As it turns out, I can just walk past the lobby and that key actually opens
all doors in the building. Whether or not it's illegal to use it to access
whatever I want is a question for lawyers and a judge.

~~~
rebuilder
That's not what's happening here. This is more like trying the key on every
door, finding a cleaning closet unlocked and crawling through the ventilation
ducts to get in.

~~~
judge2020
I think it's pretty close to the reality. The lobby is wide open (viasat's
payment gateway), but if you just use the viasat lobby key (viasat.com SNI) on
any other door (IP address) it allows you access. They could prevent you from
getting to the doors in the first place (whitelisting MAC address to access
anything other than a whitelist of IPs instead of just TLS SNI whitelisting)
but they don't, as it's especially evident when they allow other protocols
when the connection is not encrypted.

~~~
rebuilder
Try this:

The lobby is not locked. Neither are any of the doors leading out from it.
There is a cashier in the lobby and a sign with ticket prices for the
different doors.

~~~
Zak
In that situation, opening the doors without paying is illegal. It would be
treated as trespassing or theft of services. You don't have the right to use
other peoples' stuff without permission just because it's easy to do.

~~~
rebuilder
And that was my point.

------
btgeekboy
If your flight has GoGo, it’s easier to just remember which of your friends
has a T-Mobile number, plug that in, and you’re in. They don’t actually verify
it’s your number.

~~~
dawnerd
They used to offer all flight passes as well instead of the hour limit. I’d
open up safari on my Mac, spoof the UA and have free internet that way.

Also recently I think they’ve stopped giving T-Mobile numbers access to the
higher speeds. Was fun while it lasted. I was able to clock over 50mbps on one
of my flights. Kinda nuts.

------
deanclatworthy
An alternative to this is to scan for active Mac addresses on the WiFi and
steal one and hope it’s someone paying for the premium WiFi already :) This
works on almost all hotel WiFi too.

~~~
baxtr
Wouldn’t then both devices “fight” for the access? Who gets the packages?

~~~
Zenbit_UX
Yes, it makes both connections highly unstable. Not recommended.

~~~
deanclatworthy
It works flawlessly. You can go further to end up kicking them off with some
more shady tools. Not that I’d approve of that.

~~~
baxtr
I guess some friend of a friend told you?

------
INTPenis
As someone who has created captive portal systems I have to say that this is a
very poor system.

My system tagged you in a firewall so your packets were not getting out until
you had authenticated and ended up in an ipset list that bypassed the tag.

~~~
Zenbit_UX
I guess the collected readership of HN wished you didn't do your job so well
then...

------
BearsAreCool
Nice breakdown! This makes me curious of just how many "free" wifi hotspots
that allow access to a specific site can be completely bypassed.

~~~
Pneumaticat
Thank you! I suspect the answer is "most", especially if they allow HTTPS in
any way. The way to solve this issue is to either whitelist IPs/host the site
internally on the local network (e.g. most captive portals).
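
The fix described in this subthread (and in judge2020's and INTPenis's comments above), sketched as an added example that is not from the original article or any commenter: a gateway policy that binds pre-authentication access to destination IPs instead of the client-supplied SNI, plus a log check that flags flows whose SNI names the portal while the destination is not a portal address. The hostname `portal.example`, the addresses, the MACs and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed pre-authentication allowlist: portal hostname -> networks that host it.
PORTAL_HOSTS = {
    "portal.example": [ipaddress.ip_network("192.0.2.0/28")],
}
# Constructed set of clients that have completed payment/authentication.
AUTHENTICATED_MACS = {"02:00:00:00:00:aa"}


@dataclass(frozen=True)
class Flow:
    mac: str            # client hardware address as seen by the gateway
    dst_ip: str         # real destination of the connection
    dst_port: int
    sni: Optional[str]  # name the client put in its TLS ClientHello, None if not TLS


def sni_only_policy(flow):
    """Weak filter: trusts a string the client controls."""
    return flow.mac in AUTHENTICATED_MACS or flow.sni in PORTAL_HOSTS


def ip_bound_policy(flow):
    """Hardened filter: unauthenticated clients reach only portal addresses,
    whatever name they claim in the handshake."""
    if flow.mac in AUTHENTICATED_MACS:
        return True
    dst = ipaddress.ip_address(flow.dst_ip)
    return any(dst in net for nets in PORTAL_HOSTS.values() for net in nets)


def sni_ip_mismatches(flows):
    """Detection over flow logs: SNI names a portal host, destination IP does not
    belong to that host. Legitimate portal traffic never produces this."""
    hits = []
    for flow in flows:
        nets = PORTAL_HOSTS.get(flow.sni)
        if nets is None:
            continue  # not claiming to be a portal host
        if not any(ipaddress.ip_address(flow.dst_ip) in net for net in nets):
            hits.append(flow)
    return hits


# Constructed flow records (documentation address ranges only).
SAMPLE_FLOWS = [
    Flow("02:00:00:00:00:01", "192.0.2.5", 443, "portal.example"),     # real portal visit
    Flow("02:00:00:00:00:02", "203.0.113.77", 443, "portal.example"),  # name/IP mismatch
    Flow("02:00:00:00:00:aa", "203.0.113.77", 443, "other.example"),   # paid client
    Flow("02:00:00:00:00:03", "198.51.100.9", 443, "other.example"),   # unpaid, other site
    Flow("02:00:00:00:00:03", "198.51.100.9", 22, None),               # unpaid, non-TLS
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.mac, f.dst_ip, f.sni,
              "sni_only:", sni_only_policy(f),
              "ip_bound:", ip_bound_policy(f))
    print("flagged:", [f.mac for f in sni_ip_mismatches(SAMPLE_FLOWS)])
```

The mismatch check is also useful on a gateway that already enforces the IP-bound policy, since every hit is a dropped connection attempt worth counting per client.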

------
eyeball
I’ve been able to get enough bandwidth to check email on delta by:

1) connect to WiFi and get to the sign up / credit card page
2) turn on PIA vpn client

Seems to work. Very limited speed though. Email checks and not much else.

------
tbronchain
I'm actually surprised simple tunneling is working and they don't have
additional protections.

From my experience most of public networks won't let you do much this way.
However, it seems it (as most captive portals) has access to DNS servers.

There was this tool people were using to bypass VPNs blocking and throttling
in China called kcptun. It was letting you tunnel tcp traffic over udp, then
SSL tunnel on top of it. With a server listening on port 53, it was working
awesome to avoid QOS and managed to 1- bypass authentication and 2- get
absolutely amazing speeds on some airport wifis for example. You probably
could do the same with an openVPN on UDP 53.

However, it seems most public wifis are smarter and would blacklist your Mac
address if either too much traffic is going through, or you stay for too long.
You can change your address, but it's not really usable. Still fun though!

Also, it seems most public wifis now do more DPI and they won't let other
traffic than DNS go on UDP 53.

With this in mind, another one I haven't been looking through much is DNS
tunneling - would love to hear anyone's experience about it (I've heard it's
very slow...)

Edit: seeing a few comments about the unethical aspect of this. In some cases,
it might be. In some others, it is about avoiding a system that tracks you and
tries to gather and resell as much information as it can about you (it varies a
lot according to which country you're in).

~~~
icebraining
> DNS tunneling

I've done it a bit (using iodine[1]) and while it obviously depends a lot on
the DNS server they're using, it can be surprisingly fast. I think I got over
300kbps regularly, which while not great for video streaming, is more than
enough for HN and such.

iodine in particular tries to use some less common DNS record types like NULL,
which might support up to 65kb/reply, falling back to more common if those are
not supported, so you can get decent download speeds.

[1] [https://code.kryo.se/iodine](https://code.kryo.se/iodine)

------
batbomb
It’s always easier to just wireshark for an IP address that has access (in
hotels too) and then clone the MAC address.

~~~
peterwwillis
Yep, this is the easiest & most reliable method.

Other techniques include tunneling over DNS, tunneling over ICMP, finding
flaws in the HTTP parser, scanning the default router for open ports, scanning
intermediate proxies for open ports, exploiting bad proxy redirect rules,
finding protocols and ports that the firewall doesn't block outbound, and
finding holes in the paywall's web apps.

Once upon a time there was a pre-paid mobile internet provider that sold USB
sticks. It turned out that once you had initially activated the stick, even
without an account, it would always default to a paywall until you had an
account paid up. The HTTP parser of the paywall proxy was so bad, it only
filtered connections with CRLF as the line-terminator for HTTP requests... so
a simple proxy that converted CRLF to LF bypassed the paywall.

------
Scea91
This seems quite unethical to me.

~~~
facorreia
It is theft of services. Ironical in this website since ycombinator companies
are mostly about selling services via the Internet.

~~~
teraflop
Well, the flip side is that Y Combinator has no qualms about funding companies
whose business model relies on ignoring laws that are inconvenient.

Here are two different YC startups that relied on tourists smuggling goods to
avoid import duties:

[https://techcrunch.com/2014/08/13/backpack-connects-you-with...](https://techcrunch.com/2014/08/13/backpack-connects-you-with-travelers-so-you-can-purchase-items-in-other-countries/)

[https://news.ycombinator.com/item?id=10998377](https://news.ycombinator.com/item?id=10998377)

~~~
jimhi
You will be happy to know the send it on "airplane as luggage with passengers"
business models are now seen as failures by most Silicon Valley investors as
well as some YC partners. It's been 5 years and there were many of these
companies - the investors got burned

How do I know? I run a YC funded company that legally imports :)

------
thomasfedb
Nice write-up. Found it very clear (and thanks for the SNI primer) except
perhaps the port-soup near the end. Might have benefited from a little
diagram or flowchart for that bit.

~~~
Pneumaticat
Thanks! Let me see if I can add an mspaint diagram.

edit: added! try refreshing if you don't see it.

------
lefstathiou
@HN admin I think it’s a good idea to remove this post. The author fucked up,
I think it’s worth doing what we can to prevent further collateral damage to
them.

~~~
Topgamer7
Quick, everyone ignore the security issue, if we don't look it's not there!

------
crankylinuxuser
I did this as well using Orbot (Tor software for Android) and an OBFS4 proxy.

In Southwest (the airline), you connect to the wifi for watching the movie and
where you are in air. But if you want internet, you pay.

I have some of my applications always Torified on my phone. I opened my 3d
printer app to view its status, expecting a hard fail. And... it loaded!

~~~
_underfl0w_
Genuine question here - isn't Tor traffic reputed for having a certain
"footprint"? I would be worried about accessing the Tor network over public
WiFi, but maybe that's just me.

~~~
crankylinuxuser
Standard Tor, sure.

But when you start using pluggable transports, like Obfs4, you can defeat
pretty much every captive portal or traffic analyzer. I'm sure there _might_
be a way to detect even these. But remember that the real test of detection is
the GFoC.

Some piddly airline's offering of pay internet is not going to use nation-
state level detection schemes.

------
supahfly_remix
Nice write up. I am curious how DNS works, and if that is an alternative
protocol for tunneling in this situation.

~~~
wdroz
The latest iodine version is quick and works almost everywhere. Should work
fine in the OP scenario. I also use SSH -D, then I use proxychains and it works
fine.

------
themark
Sweet to see another guy that tests with zombo.com!

~~~
AndrewBissell
The infinite is possible!

------
habosa
Last year I was on a flight and my phone buzzed, which was odd. I looked down
and it had somehow connected to the WiFi without my doing anything and started
getting chat messages.

I tested further and my WiFi was totally unrestricted. I was able to download
a show from Netflix at 20Mbps+ ... does anyone know what happened? I didn't
even think planes had WiFi that fast and I definitely thought they blocked all
streaming video domains.

~~~
nirav72
If you're on T-Mobile, then it's possible you got connected via their plan
that allows for free GoGo inflight wifi.

~~~
umvi
No, GoGo is based on HughesNet, whereas OP was using Viasat

------
ajross
tl;dr: The Vianet firewall is trying to do filtering of TLS connections based
on the arbitrary and client-controlled host name string and not the
destination IP address. It has no network-level routing control at all, it
will allow a connection to any host on the internet, but will then terminate
it after it sees that it's not going to (strictly, "doesn't look like it's
going to") a permitted host. So the author set up a ssh server on the HTTPS
port and connected to it with a faked host name.

But seriously folks: this is (1) still a crime in basically all jurisdictions
and (2) a crime _on an airplane in flight_, so have fun in jail.

~~~
pritambaral
How is this a crime (in _all_ jurisdictions)? The CFAA is US-only, and few
other jurisdictions have as loose terms (or history of abuse) as the CFAA,
when it comes to "hacking".

~~~
ajross
It's straight up unauthorized access to a computer system. They tell you they
don't allow it and you have to pay for it, the author clearly knew that, and
evaded the protections. Cite me a legal environment where that is _not_ a
crime.

~~~
pritambaral
Which computer system does this access that the user was unauthorized to
access? The user's home server?!

The made-for-DRM CFAA that might classify fooling a flimsy filter as
"unauthorized access to a computer system" is very much US-specific. Over here
on the other side of the world, I'm thankful I'm not subject to such
legislation or judicial system, but to one which still has a sensible
definition of "hacking".

~~~
ajross
Sigh. Routers are computers too.

~~~
pritambaral
Sigh. There's no _unauthorized access_ of a router here; neither the wireless
network nor the router login were cracked.

------
cwyers
I'm seeing a lot of people say that airplane wifi is overpriced, and I'm kind
of baffled. Yes, compared to terrestrial wifi it's expensive. But... you're in
a fast moving object communicating with satellites (satellite launches are
expensive!) and I don't really understand why people are so eager to call this
bad pricing.

~~~
maxerickson
I don't fly enough to care, but the pricing model has become a death of one
thousand cuts. I can see why that is bothersome, even if it can be described
as fair exchange of value or whatever.

~~~
Sebb767
Well it turns out people prefer to pay 10$ and 5*12$ instead of 70$ for a
flight, probably because it feels like you can save a bit.

At the end the airline needs to get its bottom line green and airplanes and
satellite wifi are not cheap, not to speak of the highly paid people needed to
run it all.

It's one thing to call that unethical, but at the end the market decides and
it seems that all-inclusive deals simply do not resonate as well.

------
makefu
I was pleasantly surprised to see the appropriate NixOS configuration in the
middle of the article. NixOS stream-lines the whole configuration process to a
couple of lines of configuration which can be copy-pasted without changing
anything.

------
ksahin
A bit off-topic but I'm curious: Which laws apply on a plane?

~~~
MrMorden
Whatever country's airspace you're in and whatever country the plane is
registered in. (Probably an oversimplification, but IANAL and I definitely
ANYL.)

------
Asooka
I can't open this page on my chromebook, I'm getting a

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: dns.google

Issuer: Google Internet Authority G3

Expires on: 10 Sep 2019

Current date: 20 Jul 2019

With a further message that

You cannot visit potatofrom.space right now because the website uses HSTS.

~~~
casefields
Cached view:
[http://web.archive.org/web/20190720131624/https://potatofrom...](http://web.archive.org/web/20190720131624/https://potatofrom.space/post/viasat-airline-free-wifi-stunnel/)

------
NKosmatos
Nice post and well written. I’ll have to try something similar with stunnel
for my office connection (heavily filtered and firewalled), to allow me to
reach my raspberry back home.

~~~
spydum
not sure office == work place, but most workplaces have policies around
intentionally bypassing network security/firewall rules. If your workplace has
any kind of security operations/threat detection, you could find yourself
explaining why exactly your host is reaching out over suspiciously encrypted
channels?

~~~
ThrowawayR2
Specifically,
[https://en.wikipedia.org/wiki/Egress_filtering](https://en.wikipedia.org/wiki/Egress_filtering).
If the OP's company has restrictive firewalling and filtering already, they
also probably have egress filtering and monitoring as well.

~~~
NKosmatos
I agree with you, this will surely raise a red flag in our administrators'
panel and this isn't my intention. I'm mainly interested in the technical side
of things.

I know that most ports and traffic types are already blocked. What about
outgoing https traffic, this is encrypted and should be allowed to
pass...something like an https tunnel.

------
sitkack
Reminds me of a 2600Hz article from the 90s.

~~~
anonu
Too bad that magazine has fallen to the wayside. I still purchase it every
now and then (when I'm in a Barnes and Noble).

The letters from readers surprise me quite a bit: seems like it has decent
circulation in the prison population. wonder why that is...

------
Hitton
Too bad he didn't try other protocols. I wouldn't be surprised if DNS or ICMP
tunnel worked too.

~~~
Pneumaticat
But iodine [1] is very slow ;) (Also with the satellite roundtrip, it probably
would've worked, but super slowly.)

[1]: [https://code.kryo.se/iodine/](https://code.kryo.se/iodine/)

------
hansdieter1337
Reminds me of DNS tunneling. But this approach is probably faster.

------
sabujp
another way is to use DNS. Most captive portals allow UDP/DNS. You can craft a
proxy to do proxy via 53/udp.

------
jitbit
Meanwhile the site is down (503)

------
nabakin
Anyone else getting a 404 error?

