Flying High on Free Wi-Fi: A Lesson Learned in DNS Tunnelling
14 May 2020
On a recent trip from San Francisco to Belgium, Cyrex founders and native cybersecurity experts, Mathieu Huysman and Tim De Wachter, spotted a potential threat to profits 30,000 feet above the ground. Naturally they were curious.
When you’ve worked in cybersecurity for as long as we have, it’s easy to think that you’ve seen it all. It’s also easy to assume that, after all this time raising awareness about the risks of poorly secured systems and easily bypassed points of vulnerability, all of the ‘simple’ loose ends have been tied up when it comes to common or ‘obvious’ hacks. That’s why we’re always so surprised (and sometimes excited) when we come across real examples out in the wild. Recently, we came upon one such example and it really got us thinking, so we wanted to take this opportunity to share it with you!
Let’s set the scene
As ethical hackers, so much of our time is spent with our devices. It’s safe to say that we don’t switch off. Ever. As people, it isn’t in our nature. As professionals, it isn’t an option. We need to be connected all the time: a client might have an urgent issue, our team may need to be in touch for some reason, who knows. That’s why we try never to be offline for longer than we need to be.
The story starts as we’re flying back from a games industry conference in San Francisco. Flying from California to Belgium is about a 12-hour trip, which, of course, is an extremely long time without an Internet connection. Thankfully, we were in luck as our flight had on-board Wi-Fi (we would usually give a brief shout-out to the airline at this point but perhaps by the end of the article you’ll be glad we didn’t). The connection was a pay-to-use premium system, pretty standard and definitely not a problem. But then we noticed something and we had a thought…
What if we could hack the plane’s Wi-Fi?
Let’s try to explain this without getting too technical on you. When you try to connect to an airplane’s on-board Wi-Fi system (or any paid/registration system for that matter), very often you’ll be redirected from your browser or device settings menu to a Wi-Fi portal (a ‘captive portal’). Again, this is pretty standard. The portal is a very basic web application that lets users sign up to the system or purchase Wi-Fi credits – in the case of our flight, it also let us scroll through the in-flight food and drinks menu, how considerate!
The function of applications like these is simple: allow the user just enough Internet access to sign up, pay, and perform whatever other small actions you, as a business, want them to perform (e.g. reading the food and drinks menu), while blocking access to every other site until they have paid for it. All transactions and interactions happen on one native platform without ever having to redirect to a third party. Simple and elegant.
What we noticed, what got our ethical hacker minds racing, was exactly that self-contained system. Or to be more precise, its payment options. We noticed two standard payment options, credit card and PayPal. What occurred to us (and didn’t seem to occur to anyone else on the plane) is that PayPal wasn’t part of that self-contained system. PayPal appeared as a separate website. But we aren’t supposed to be able to access separate websites. We should have to pay for that. Right?
The implication of being able to reach PayPal through this self-contained application is that perhaps we can reach other websites too. So we set to work. After a little research, we found that the firewall in front of the portal did not restrict DNS at all: name lookups from devices that had not yet paid were resolved for any domain, not just the handful needed for sign-up and payment. That is exactly the opening that a technique called DNS tunnelling needs.
DNS (domain name system) is a protocol that’s used to resolve a domain name (in this instance ‘www.paypal.com’) to an IP address, which in turn is used to communicate with the website. Still with us?
Because every DNS query was resolved for us, we could send queries for names under a domain we control, with our outgoing data encoded in the subdomain labels, and let our own nameserver send data back in its answers. Nothing ever leaves the Wi-Fi as ‘web traffic’; it all looks like name lookups. Wrapping ordinary TCP/UDP traffic inside those lookups is what ‘tunnelling’ means, and with the tunnel in place we were free to access any website. With an emphasis on the ‘free’.
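To make the mechanism above concrete, here is an added example (ours for this page, not the tooling the authors used on the flight) of the upstream half of a DNS tunnel: arbitrary bytes are base32-encoded and packed into the subdomain labels of query names under an attacker-controlled zone, and the nameserver for that zone reassembles them. The zone name t.example.com, the sequence-label format and the chunk size are assumptions; the 63-octet label and 253-character name limits are the real DNS constraints that dictate how much each query can carry.

```python
import base64
import math

# Added example, not the authors' tooling. Names and the zone are assumptions:
# TUNNEL_ZONE is a domain the tunnel operator controls, so every query for a name
# under it is forwarded by any recursive resolver to the operator's nameserver.
TUNNEL_ZONE = "t.example.com"

MAX_LABEL = 63    # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253    # a full name in text form is at most 253 characters
CHUNK = 90        # raw bytes per query: base32 of 90 bytes is 144 chars, which
                  # fits in three labels and leaves room for the zone below


def encode_chunk(seq: int, chunk: bytes) -> str:
    """Pack one chunk of upstream data into a query name tagged with `seq`."""
    # base32 because DNS names are case-insensitive and resolvers may randomise
    # case (0x20 encoding); base64 would be corrupted. Padding is dropped here
    # and restored on decode.
    data = base64.b32encode(chunk).decode().rstrip("=").lower()
    labels = [data[i:i + MAX_LABEL] for i in range(0, len(data), MAX_LABEL)]
    name = ".".join([f"s{seq}", *labels, TUNNEL_ZONE])
    if len(name) > MAX_NAME:
        raise ValueError("chunk does not fit in one query name")
    return name


def encode_message(message: bytes) -> list[str]:
    """Split `message` into the sequence of query names the client would send."""
    count = math.ceil(len(message) / CHUNK)
    return [encode_chunk(i, message[i * CHUNK:(i + 1) * CHUNK]) for i in range(count)]


def decode_message(names: list[str]) -> bytes:
    """Reassemble the payload from query names seen at the tunnel nameserver.

    Queries can arrive out of order and resolvers retry, so chunks are keyed by
    sequence number and duplicates collapse.
    """
    suffix = "." + TUNNEL_ZONE
    chunks: dict[int, bytes] = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # not addressed to this tunnel
        labels = name[:-len(suffix)].split(".")
        seq = int(labels[0][1:])          # strip the 's' of the sequence label
        data = "".join(labels[1:])
        data += "=" * (-len(data) % 8)    # restore base32 padding
        chunks[seq] = base64.b32decode(data, casefold=True)
    return b"".join(chunks[k] for k in sorted(chunks))


def txt_response(data: bytes) -> list[bytes]:
    """Downstream direction: split data into the <=255-byte character-strings a
    TXT record may carry; the tunnel nameserver returns them as the answer."""
    return [data[i:i + 255] for i in range(0, len(data), 255)]


if __name__ == "__main__":
    names = encode_message(b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n")
    for n in names:
        print(n)
    print(decode_message(names))
```

Two things the code makes visible that the prose does not: each query carries only a few dozen bytes, so a tunnel is slow and very chatty (hundreds of unique, never-repeated names for a single page load), and the data has to survive a case-insensitive, cache-happy protocol, which is why real tunnels use base32 and a sequence tag. Both properties are also what makes tunnels detectable.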
So you hacked an airplane?! Should I be worried?
Yes and no. We hacked the airplane’s on-board Wi-Fi system, nothing else. It’s also worth noting that actually exploiting this kind of vulnerability is a lot more difficult than fixing it. We did need to work for it. But this is beside the point.
The point is that this tiny hack is extremely avoidable. The fix is an access configuration on the airplane’s firewall: devices that have not paid should only be able to send DNS queries to the portal’s own resolver, and that resolver should only answer for the handful of domains the walled garden needs (the portal itself and the payment providers) instead of recursively resolving any name a passenger asks for. Without a path for queries to reach an outside nameserver, there is nothing to tunnel through. On top of that, the intrusion detection and prevention features that almost every modern, industry-standard firewall ships with can recognise the tell-tale pattern of tunnelled DNS and block it automatically, and those that can’t are easily patched with very little effort.
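As an added example of the detection side of that fix (written for this page, not the airline’s or the authors’ code), the following scores a resolver’s query log per domain on the indicators tunnels cannot avoid: a stream of long, never-repeating, high-entropy subdomains, usually for record types that carry a lot of data downstream. The log format (time, client, query type, query name) and the thresholds are assumptions, and the log lines are constructed; t.example.com stands in for a tunnel zone while the rest is the kind of traffic a captive portal legitimately has to resolve.

```python
import math
from collections import defaultdict

# Added example, not the authors' or the airline's code. The log format is an
# assumption (time, client IP, query type, query name, one query per line) and
# the lines are constructed: t.example.com stands in for a tunnel zone, the
# rest is the kind of traffic a captive portal legitimately has to resolve.
SAMPLE_LOG = """\
12:00:01 10.0.5.23 A www.paypal.com
12:00:01 10.0.5.23 A www.paypalobjects.com
12:00:02 10.0.5.23 A portal.inflight.example
12:00:03 10.0.5.41 A www.paypal.com
12:00:03 10.0.5.41 A api.paypal.com
12:00:04 10.0.5.41 A www.paypal.com
12:00:05 10.0.5.23 TXT s0.nbswy3dpfqqhg2lomrxw43lfea3d2mrxgaydamrtfuzdgnbvgyzdcmjxg4.t.example.com
12:00:05 10.0.5.23 TXT s1.krugkidrovuwg2zamjzg653oebxw43dfnbqw2zlrmvsxg5dtozsxe2lurgqw.t.example.com
12:00:05 10.0.5.23 TXT s2.gezdgnbvgy3tqojqmfrgg43ezhstlftsqugxrawalwqsjovdcayaq.t.example.com
12:00:06 10.0.5.23 TXT s3.mfrgg2lsn5xhe3thaqxhuzlsnfsgs3tfonsgk4tufqqhg33vobsxgzlc.t.example.com
12:00:06 10.0.5.23 TXT s4.ojqwy2lomrxw4ylumrzsa3dpmftxk3lbom7cy3dpojss4ccsoyqsaylomrzq.t.example.com
12:00:07 10.0.5.23 TXT s5.on2xe4tfmnxw4zlsmnsws3bsmvsgc2lbnnzgy3tbmv2gc2lomnzxi3dbne.t.example.com
"""


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, qtype, qname) per line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qtype, qname = parts
        records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def registered_domain(qname: str) -> str:
    """Last two labels. A real deployment would use the public suffix list so
    that e.g. co.uk is handled; two labels is enough for this example."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking base32 data scores far above words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(records) -> dict[str, dict[str, float]]:
    """Aggregate the tunnelling indicators per registered domain."""
    by_domain = defaultdict(list)
    for _, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[:-len(dom)].rstrip(".")     # everything left of the domain
        by_domain[dom].append((sub, qtype))
    stats = {}
    for dom, entries in by_domain.items():
        subs = [s for s, _ in entries]
        stats[dom] = {
            "queries": len(entries),
            # a tunnel never repeats a name: a repeat would be served from cache
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            # TXT/NULL/CNAME are favoured because they carry more bytes downstream
            "txt_ratio": sum(q in ("TXT", "NULL", "CNAME") for _, q in entries) / len(entries),
        }
    return stats


def suspicious_domains(text: str, min_queries: int = 4) -> list[str]:
    """Domains whose query pattern looks like a tunnel. Thresholds are
    assumptions to tune against your own baseline; CDN hostnames with hashed
    labels are the usual false positive."""
    flagged = []
    for dom, s in score_domains(parse_log(text)).items():
        if (s["queries"] >= min_queries and s["unique_ratio"] >= 0.9
                and s["mean_len"] >= 30 and s["mean_entropy"] >= 3.0):
            flagged.append(dom)
    return sorted(flagged)


if __name__ == "__main__":
    for dom, s in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{dom:28} {s}")
    print("flagged:", suspicious_domains(SAMPLE_LOG))
```

Note how paypal.com is not flagged even though it gets several queries: its subdomains repeat and are short, while the tunnel zone has a unique, long, random-looking name for every single query. Detection of this kind belongs behind the real fix, not in front of it: if the portal’s resolver simply refuses to resolve anything outside the walled garden for unpaid clients, the tunnel never gets a first packet out.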
Never Fly Blind
While this small hack didn’t at any point pose a threat to the airplane itself or any of its passengers, it would be a mistake to think that there were no potential victims. Even a small number of attacks of this level on a regular basis can cause a real dent in a company’s profits and the fact that a major player in the vast and hyper-profitable aviation industry can fall prey to such an easily solved hack should be all the sign you need to know that everyone has blind spots. Regardless of how big or how infallible your industry or company may seem, never rule out the fact that there could be something you’re forgetting. Sure, some blind spots may not be as high priority as, say, a passenger’s safety on an airplane, but when those blind spots are left unchecked who knows how much money you could be losing? And the fact that it can happen at 30,000 feet in the air means it can happen anywhere.
Vulnerabilities like these are not unique to the aviation industry. Premium platforms like this exist everywhere: shopping centres, public transport, online payment portals, the list goes on… The most unfortunate part of all this is that solving a potential DNS tunnelling issue, or even preventing one from the outset, is so simple that it could be done in less than the time it would take to exploit it. Though, let’s be honest, it’s pretty cool to think that we’ve just founded the hacker mile high club.