While interesting, I would have an uneasy feeling messing with the WIFI AP on an airplane. Perhaps there is a U.S. law this type of conduct would fall under specific to being on an airplane?
While in general bypassing Wi-Fi restrictions is indeed dubious from legal standpoint, it’s most likely as safe on an airplane as anywhere else. If in-flight Wi-Fi provider’s AP was in any way part of aircraft control system network, I would be surprised if overseeing such a design flaw weren’t a crime.
The author does not "mess with the WIFI AP on the plane", they exploit a weakness in the design (failure by viasat to maintain an checksum IP mapping to their domain for the captive service) to simply bypass a trivial TLS header check in order to tunnel their traffic.
This is hacking under federal law, as it should be. Likewise that if I break into your house by merely exploiting a weakness in the design of the lock, I am still committing a crime.
If someone charges for tours of part of their house, has two prices of tour, and you change the colour of your badge to let you access the part you haven't paid for, is that a crime?
Sounds like some form of fraud to me. What's the difference between that and simply forging a ticket to an event instead of buying one? Or forging a currency note?
OK, the better example from further down. You realise your badge lets you into areas of the premium tour, it opens all doors, not just the ones you paid for it to open.
And even if it is fraud of some kind, the bar for charging someone with fraud (instead of just suing for damages) is fairly high...
Well yes, but bandwidth is practically free anyway. I'm not actually stealing computer resources. It's more akin to looking at the Mona Lisa through one of the Louvre's windows using a pair of binoculars.
The person I'm replying to specifically said "mess with the WIFI AP" in order to present this as harmful or dangerous (FUD), it is not. It's a trivial header check bypass - whether or not that is "hacking" is a question for lawyers and a judge.
I was just bypassing a some trivial key check on the door. To say I was "messing with the door" is FUD, and whether I was breaking and entering is a question for lawyers and a judge.
The owner gave me a key to the lobby so I could pay to get an all-access key. As it turns out, I can just walk past the lobby and that key actually opens all doors in the building. Whether or not it's illegal to use it to access whatever I want is a question for lawyers and a judge.
That's not what's happening here. This is more like trying the key on every door, finding a cleaning closet unlocked and crawling through the ventilation ducts to get in.
Judges tend to be less impressed by technicalities than seems to be commonly believed. If you know that a network operator intends to route traffic only for paying customers, and you intentionally trick its router into routing your traffic without payment, the judge will probably see that as intentional unauthorized access.
I think that's legally reasonable, almost. It's the intent that matters here; if my use of Cloudflare DNS instead of what your DHCP server provides for performance and privacy reasons happens to bypass your insecurely implemented captive portal that asks for payment, there's no intent. If I employ a complex tunneling scheme specifically designed to bypass your payment check, that's theft.
Where I do have a problem with the law is that its digital nature is given special treatment and greatly enhanced penalties. If I walk into a store and steal a USB Wifi adapter worth $20, I have committed a misdemeanor. If I'm caught, I'll probably be given a summons, not arrested, and my penalty will probably be a fine or community service. If I use that adapter to steal access to $20 worth of in-flight Wifi, I've committed a felony, for which the penalty includes loss of civil rights, and probable incarceration.
Right. I think all he’s trying to say is that it might be worse to hack something on a plane vs some other kind of computer system. I don’t think they were implying harm was being done to the ap. Colloquially I would definitely call this messing with the ap :)
IANAL and all that, but my perception is that "hacking" is usually about breaking into someone else's computer / breaching someone else's privacy / accessing data that isn't yours / etc. If that perception is accurate, then I think it's really a stretch to call this "hacking". You're just moving bits around on network infrastructure designed to move bits around. Maybe I'm just looking for a loophole because wishful thinking, but this seems like a decent argument to me.
Now, you could be violating their terms of service. But in this case there may be a good argument that you never accepted their terms of service since you wouldn't have had to click the "accept" button to do what the post describes.
Was going to write the same. Prosecutors would have easy time convincing judge that hacking+ doing so while airborne should result in many years behind the bars, especially knowing how punitive the legal system in the US can be. The article itself is very interesting though.
They'd have your stunnel server IP, so if they were really, really determined they could probably track you down by forcing your ISP/VPS provider to identify you.
I doubt they'd bother for $45 worth of WiFi, but personally I would err on the side of caution.
My guess would be that getting caught doing this could get you federal terrorism charges. I don't even think it's a safe assumption that the network is isolated or properly insulated from pilot instrumentation.
If that assumption isn't safe, then neither is the plane.
Having ANY access AT ALL whether via "hidden" backdoor or authorized login to plane instrumentation from the WiFi would be an insane setup. Just because they're both invisible to you doesn't mean they're connected in some way.
Could you imagine the attack surface?
We'd be hearing about terrorist attacks leveraging that design flaw.