Gogo In-Flight
I finally got a chance to sniff Gogo's in-flight Wi-Fi service. It's a big thumbs up for performance and a mild thumbs-down for security. Bottom line recommendation is that you'll probably be happy with the service, but it'd be nice if they offered an encryption option for paying customers.
The first thing that must be said is that the installation was quite professional. Three access points on 2.4 GHz channels (1, 6 and 11, natch) and three more on 5 GHz channels. The 5 GHz setup was odd. At first sniff they used UNII-1 channels 36, 40 and 44. Then later in the flight I noticed a switch to 36, 40 and 40. The switch to two APs on the same channel puzzled me, but that's probably just setting the controller (Cisco, in this case) to auto channel selection.1
I set my Broadcom Client Utility (802.11n) to prefer the 5 GHz band in order to avoid interference. Performance was great; even good enough to watch a baseball game on MLB.tv. I also set my band preference to 2.4 GHz at one point to test for interference. Performance was similarly solid, which makes sense considering that the EVDO Rev. A broadband link should be the bottleneck, not the Wi-Fi.
The performance ended up being better than expected, but alas, security was exactly as bad as expected. Gogo used web-based authentication (sometimes called a Captive Portal), but does not offer any encryption option of any kind. You can set up your own encryption, of course (WiTopia is an option if you've got $60/year to burn), but Gogo gives you bupkis.
As always with paid public Wi-Fi networks, I understand the reasoning behind eschewing encryption. With web-based authentication you can take credit cards in a way that cannot be practically done with 802.1X/EAP authentication. My big question is why don't they provide an alternative SSID for users to login to after they've paid? You already get a login when you pay, so why not make that a login that can access the network using 802.1X/EAP-PEAP? I understand that novice users may have some trouble getting their supplicant configured for EAP-PEAP, but at least the techies would have some security for their wireless traffic.
The other security item some people might find interesting is the strength of Gogo's web-based authentication. As many people know, some web-based systems are not especially good at deterring MAC address spoofing attacks. Gogo did a good job here, at least. When I tried spoofing my iPhone's MAC address with my laptop, Gogo's APs would send a Deauthentication frame after the second association was completed. Now, I don't know if that's a pure MAC layer defense or if there is some other type of anti-spoofing software that runs on Gogo's network somewhere (possibly even in their controllers), but it proved highly effective at preventing multiple devices from using the same MAC address to circumvent their web-based payment system.
The one flaw that I did find related to MAC address filtering is that you could sign up for the service at the cheaper $7.95/flight rate with your mobile device and then spoof the mobile device's MAC address with your laptop. It's a hassle, but laptop access is priced at $12.95/flight, so you'd be saving $5. It's not exactly a noble endeavor (in fact I'm sure it violates their terms of service and it might be outright illegal), but my job is to sniff Wi-Fi, not teach you right from wrong.
1 Auto channel selection stinks. Don't use it. If you don't have time to organize your channel selections manually then I guess it's better than nothing, but I've never seen it work all that well in a tough RF environment.
The first thing that must be said is that the installation was quite professional. Three access points on 2.4 GHz channels (1, 6 and 11, natch) and three more on 5 GHz channels. The 5 GHz setup was odd. At first sniff they used UNII-1 channels 36, 40 and 44. Then later in the flight I noticed a switch to 36, 40 and 40. The switch to two APs on the same channel puzzled me, but that's probably just setting the controller (Cisco, in this case) to auto channel selection.1
I set my Broadcom Client Utility (802.11n) to prefer the 5 GHz band in order to avoid interference. Performance was great; even good enough to watch a baseball game on MLB.tv. I also set my band preference to 2.4 GHz at one point to test for interference. Performance was similarly solid, which makes sense considering that the EVDO Rev. A broadband link should be the bottleneck, not the Wi-Fi.
The performance ended up being better than expected, but alas, security was exactly as bad as expected. Gogo used web-based authentication (sometimes called a Captive Portal), but does not offer any encryption option of any kind. You can set up your own encryption, of course (WiTopia is an option if you've got $60/year to burn), but Gogo gives you bupkis.
As always with paid public Wi-Fi networks, I understand the reasoning behind eschewing encryption. With web-based authentication you can take credit cards in a way that cannot be practically done with 802.1X/EAP authentication. My big question is why don't they provide an alternative SSID for users to login to after they've paid? You already get a login when you pay, so why not make that a login that can access the network using 802.1X/EAP-PEAP? I understand that novice users may have some trouble getting their supplicant configured for EAP-PEAP, but at least the techies would have some security for their wireless traffic.
The other security item some people might find interesting is the strength of Gogo's web-based authentication. As many people know, some web-based systems are not especially good at deterring MAC address spoofing attacks. Gogo did a good job here, at least. When I tried spoofing my iPhone's MAC address with my laptop, Gogo's APs would send a Deauthentication frame after the second association was completed. Now, I don't know if that's a pure MAC layer defense or if there is some other type of anti-spoofing software that runs on Gogo's network somewhere (possibly even in their controllers), but it proved highly effective at preventing multiple devices from using the same MAC address to circumvent their web-based payment system.
The one flaw that I did find related to MAC address filtering is that you could sign up for the service at the cheaper $7.95/flight rate with your mobile device and then spoof the mobile device's MAC address with your laptop. It's a hassle, but laptop access is priced at $12.95/flight, so you'd be saving $5. It's not exactly a noble endeavor (in fact I'm sure it violates their terms of service and it might be outright illegal), but my job is to sniff Wi-Fi, not teach you right from wrong.
1 Auto channel selection stinks. Don't use it. If you don't have time to organize your channel selections manually then I guess it's better than nothing, but I've never seen it work all that well in a tough RF environment.
Comments
Post a Comment