In-Flight WiFi? Not So Safe.

Everyone is used to ubiquitous Internet connectivity. At home, at the office, at the coffee shop—and, increasingly, in the sky. In the United States, 66% of flights now have WiFi, and Honeywell Aerospace’s landmark survey found that 85% of flyers have used it.

But the question is: should they?

Here is an all-too-real scenario. It should caution your company’s users to think twice before jumping online after takeoff.

Let’s put ourselves in the role of one of your business users. She sees that a (legitimate) WiFi service is available on the flight. She’s got an important work deadline a few hours after the plane lands. So she signs up for it, provides her credit card info, and she’s online a few minutes after the plane takes off. So far, so good.

But a malicious hacker has bought a ticket for the same flight. This hacker is sitting two rows behind her and has two routers on his laptop: one to log onto the legitimate in-flight WiFi network, and one to spoof that network. The hacker easily sniffs through the network traffic to see who’s onboard. He focuses on your user and sends a disassociate packet to her laptop, forcing it to disconnect so that she needs to re-authenticate to get back onto the network.

But because the hacker has set up another access point with the same name as the legitimate WiFi network, this time your user logs onto the wrong network. The hacker intercepts her credentials. All her traffic going to and from the Internet passes through the hacker’s machine. And the hacker can now collect any usernames, passwords or other sensitive data sent over the network.

Since your user would be connected to the Internet, she would have no reason to suspect that she’s in trouble. But she is—and so is your company. The hacker now has her username and password to your company’s network, and he’s busy seeking valuable data like customer payment information or personal info such as social security numbers.

So is on-flight WiFi ever safe to use? Yes… when your users have access to a virtual private network (VPN). When the hacker tries to monitor your users’ traffic, all connections will be encrypted.

A VPN leverages the shared public infrastructure while maintaining privacy through security procedures and tunneling protocols, such as the Layer Two Tunneling Protocol (L2TP). These protocols encrypt data as it’s sent and decrypt it when it’s received. This creates a tunnel that cannot be accessed by data that hasn’t been encrypted.

VPNs used to be expensive, complex, difficult to manage—and, essentially, only suitable for enterprises. But recently a host of business-appropriate software-only VPN solutions has come onto the market. They’re relatively easy to configure and deploy, and are quite reasonably priced (some are even free). Logmein Hamachi and Comodo Unite are both good solutions to consider.

Stress to your users this six-step procedure for safe, remote VPN use:

1. Make sure they aren’t signed into any accounts—including email, chat, Outlook, and any other communications applications
2. Clear all cookies
3. Shut down everything on their devices before they board the plane
4. Once onboard, sign onto the in-flight WiFi, making sure that only one page is displayed in their browsers
5. Sign into the VPN
6. Commence work as usual

The takeaway from all this? Give your users access to a VPN when logging in remotely. And make sure to educate them so that they are safe from hackers, even when traveling at 600 miles per hour, 30,000 feet above the planet.

  • J

    How is this different from Starbucks wifi? Couldn’t the same “hacker” spoof a Starbucks network to steal my credentials? If so, then it doesn’t seem like in flight wifi is any more or less safe than any other public or paid network on the ground, and we should be using a VPN all the time.