Fortune recently published an article listing the airlines with the best in-flight wifi service. Coming in at the top of the list with the most onboard wifi connections globally were 3 American carriers: Delta, United, and American Airlines, respectively. But what defines best? Security is clearly not part of the equation, as one journalist famously discovered last week on a domestic American Airlines flight. But then again, if we're talking about wifi and commercial aircraft, all airlines get a failing grade.
The incident poses some long overdue questions regarding wifi and air travel, specifically—what will it take to secure the giant, passenger-carrying wifi hotspots that are today's modern commercial aircraft? As you may recall, security researcher Chris Roberts was detained by the FBI and subsequently banned from all United flights last year for the following in-flight tweet:
Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)
— Chris Roberts (@Sidragon1) April 15, 2015
The issue of in-flight wifi and entertainment systems intermingling with mission-critical avionics systems has been discussed in-depth since then. But what about the security of passengers using in-flight wifi to simply check email or surf the web? This question came to light prominently a few days ago when journalist Steve Petrow was hacked in mid-air while—interestingly enough—working on a story covering the Apple/FBI data privacy showdown. He recounts his experience to USA Today, detailing how a hacker on the same flight intercepted the data of virtually everyone using the in-flight wifi service. For those intent on stealing data transmitted over in-flight wifi, commercial airline flights are rife with opportunity.
In fairness, all airlines offering in-flight hotspots get a failing grade for wifi security, not just the aforementioned triumvirate of U.S. air carriers. This has less to do with the specifics of in-flight data security, per se, and more with the fact that wifi was never designed for security.
The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
But what makes the dangers of in-flight wifi different than those of a Starbucks hotspot? Wifi/avionics co-mingling aside, the unique qualities of mass transit and commercial air travel give hackers a plethora of high-value, low-hanging fruit. Despite delineations per seating area, first/business/economy class passengers share the same in-flight wifi connection. So while it's highly unlikely that you'd find yourself sharing a wifi hotspot with Tim Cook at the local Peet's Coffee, it's entirely possible that you could be sharing a wifi connection with a CEO/board member/insert-dignitary-here seated in first class—including Mr. Cook, on any given flight.
So until in-flight wifi (and wifi technology at large) becomes more secure, the best defense is still personal vigilance. When connecting to a public hotspot—midair or otherwise—use VPN to encrypt the data channel. Avoid connecting to unknown networks and always be on the alert for fake hotspot "honeypots" set up by hackers. Last but not least, plan/prepare accordingly for security compromises that are bound to happen. Here at UpGuard, we're staunch proponents of digital resilience. It's likely that you'll suffer a data breach at some point, whether it be on a flight, at home, or in your office. The key is therefore managing the risks/rewards of digitization to both survive inevitable data breaches and thrive in an increasingly harsh cyber threat landscape.