How I hacked Gogo inflight wireless Internet with Chrome (andrewboni.com)
32 points by jetcom on Aug 29, 2012 | hide | past | favorite | 86 comments



Issue spotter: I think we've got him on trespass to a protected computer system used in interstate commerce, common law fraud, and theft of services. What other crimes did he just admit to that I missed? (We'll ignore that he hacked a computer while on an airplane, a detail which I would not expect the government to be neutral about.)

Seriously, kids: this is an astoundingly bad idea.


I'm not seeing how this is at all legally problematic. AFAICT there's no TOS violation, and if there were, TOS violations don't make it a crime. The user agent is totally discretionary on the part of the browser and price-discriminating based on one is in no way an access control mechanism.

It seems equivalent to saying "red computers get charged half price", and then objecting when someone snaps a red shell on their laptop.


Do you want me to start quoting Title 18 U.S.C. Section 1030 (the Computer Fraud and Abuse Act) or can you Google it yourself? There is no possible reading of these facts that does not run afoul of that law, among others.

There is no affirmative defense "But it was really easy for me to exceed my authorized privileges because their security sucked" provided for in the law.


You are right in spirit but wrong, I think, in the specifics. In spirit: yes, knowingly exceeding your authorized access to a system in order to obtain a personal benefit is a federal crime, described by the CFAA, and I'm pretty sure the TOS on the site does not need to be ironclad to give that force. But in the specifics:

(i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?

(ii) Did they have an intent to defraud? (This is the key issue and the point I believe you were making)

(iii) Did the actual computer access materially advance their fraudulent scheme? (You can't drag computers into any given fraud case to make it federal)

(iv) Did they obtain anything of value?

So far so bad: the answers to all four questions are "yes".

But: when the object of the fraud is access to the computer system itself --- that is, when the "thing of value" is "use of the computer system in question", there's a fifth test:

(v) Was the total value of the computer usage greater than $5000?

Nope.

Very important to note here though: regardless of the fact that it is vanishingly unlikely that a CFAA case would be brought here, and even less likely that the prosecution would prevail, if by committing this particular little fraud and then bragging about it on the Internet this blog post cost the operators of the service a huge amount of money to strengthen defenses or investigate system usage, the blogger has opened themselves up to a very painful civil case.


Yep, but even if you can't get them for "use of the system", which was legislatively to avoid having "any instruction you cause to operate on a computer 'uses' the computer, therefore this would otherwise criminalize any use of a computer not explicitly OKed in advance if we don't narrow that scope to commercially significant uses", you'd still be able to get them on a) retrieving any information from the computer system (not limited by value of information retrieved -- see a.2.C ) or b) causing any "damage and loss" to the owner of computer system (and theft-of-service-by-fraud will trivially satisfy that -- see a.5.C).


I'm working not from the CFAA itself, but from the US criminal model jury instructions for CFAA cases, which capture a superset of the information in the actual law.


> Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?

The answer to that one is "no". He had authorization to both pages. Unless we're going to interpret that authorization was given to each device and not the person.


You're suggesting that the defendant in this case either didn't know the difference between a phone and a computer, or had a reasonable belief that despite the obvious language on those pages, the provider did not care whether he was using a phone or a computer.

Good luck with that argument.


Playing devil's advocate: it seems to me that a laptop is a mobile device.

Further playing devil's advocate: it seems that the system is not so much that the provider cared about whether it was a phone or computer (I bet a galaxy tablet would get the mobile price... and I can use just as much data on that as on a laptop without trying very hard at all), but whether they were using a browser with a mobile user-agent string. They offered a discount for having the right user-agent string, and being willing to browse the mobile version of Gogo's landing page.

Questions this raises: what if my phone browser was not on their list of mobile browser agent strings? Say it was just a custom webkit thing I built? Or a firefox compiled for a tablet? Would I be defrauding by making my user-agent work for my mobile device? What if I had been working with a mobile browser compiled for my laptop, as I was just browsing with it, but not using my phone, so I could get a feel for various quirks it would introduce over a non-mobile browser, in an easy to side-by-side way on my nice big laptop monitor?


Critically: the prosecution of a fraud case must prove beyond a reasonable doubt that the accused acted with the intent to deceive another party in order to gain something of value.


Still playing devil's advocate: If there was a discount based on user-agent string, and that is settable in most browsers, how is taking advantage of a feature "intent to deceive" over "meeting the conditions of the discount". There is really nothing stating that the mobile agent string must actually come from a mobile device.

By analogy, a few years ago, many mobile banking sites worked just fine with firefox, but those users were denied access because it was an "IE only" site. Does changing the user agent to IE to gain access to the bank site then also constitute fraud? Web/internet banking is something of value.

edit: Accidentally said mobile instead of web.


Does the offer clearly say there's one price for using the Internet from your phone, and another price for using the Internet from your computer?

Then what are we arguing about? The way they enforce that restriction is relevant only to the extent that someone could accidentally violate it. You can't accidentally commit fraud.


This actually goes back to my original devil's advocate point: the screen caps don't show anything suggesting "phone only". One is called gogo mobile, the other gogo.

As I said, a laptop is arguably a mobile device. Further, there is nothing there that states it is for a mobile device, just that it is the mobile page. It doesn't say "for phone users only".

As for my analogous situation: My bank said I could only sign in through IE to access my web banking. Does this mean I committed fraud to access via a Firefox with changed agent string? I used that log in to transfer money to my debit card account and get some cash. Definitely a deceit with value. (Note, the account was in fact mine).


No, because you had no intent to deceive and obtained no undue value from your bank. The bank in no way made it clear that they were requiring you to use IE as a term of service; the IE system requirement is for compatibility, and that's how reasonable people understand it.

On the other hand, when you see $7.99 for phone service and $25.99 for computer service, it's clear to a reasonable person what the intent of that price difference is: the company wants to charge more to computer users.

As for the clearness or not-clearness of the message: there's a lot of reasons why I think this case isn't going to the Supreme Court. If you want to suggest that the clarity of the pricing message is one of those reasons, I'm not going to disagree too strongly --- though I do disagree.


2 things: first of all, the "you need to use IE to use this website, your browser is unsupported" message is in fact much clearer on the bank site than the subtle difference in name for "mobile", an ambiguous term at best. I don't understand why one case of user string subversion is different than another, even if the clearness of terms is equal.

Second, what is the real line between say a macbook air or other keyboarded computer and an ipad or galaxy tablet or kindle fire or... they all run operating systems that let me use more or less the same software and access the same network resources.

The combination is really the difficult part for me, given I can do the same things - look at the same sites, get the same utility, and otherwise use the same bandwidth in both cases, particularly when usb tethering is a real option giving me the same deal but now without the act you are calling fraud, how is it even reasonable to think that the "mobile" case is other than a discount for some magic words?


Reasonable people all understand that the reason why an ISP would offer a lower rate to phone users is the anticipation that either phone users would use the service less, or that users who have only phones and not computers are less interested in paying a premium for Internet access.


> Does the offer clearly say there's one price for using the Internet from your phone, and another price for using the Internet from your computer?

<devil's advocate> Well, in this case: No. The plan seen on the phone is simply labeled as "GoGo Mobile Pass". The plan seen on the laptop is labeled "GoGo Flight Pass". They do not clearly list any examples of what devices they think should be "mobile". It is not unreasonable to make the assertion that a laptop is a mobile device. Not recognizing the laptop as a mobile device sounds like a bug. This guy was able to find a workaround for that bug. </devil's advocate>


I'm not saying there's not a case for fraud, but the answer is resoundingly NO to this question: (i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?

It's a public facing website. He has authorization to access it. I don't see any other viable interpretation.


My reading: he purchased authorization to use the system from a phone. He instead used the system from a computer, without authorization for doing that.

Whether or not Gogo should price discriminate like that, it seems clear that they want more money in exchange for authorizing use from a laptop.


Again, this branch was to the specific question referenced by tptacek:

(i) Did the defendant knowingly access a system used by the federal government, a financial institution, or a system used in interstate commerce without authorization?

My beef is with GoGo's price difference in the first place.


I'm not seeing why you think the answer is "no," then.

(a) Knowingly? The blog post (and the changing and then changing-back of the UA) makes this clear. (Though if he had happened to inadvertently have had his UA set to mobile beforehand, maybe to test something the day before, and never even saw the other screen... but once he saw it, and consciously decided to get around the higher price, it hits the "knowingly" requirement.)

(b) "Access a system used by the federal government, a financial institution, or a system used in interstate commerce"? The Gogo system seems pretty clearly an interstate commerce system to me, what with the whole used-across-the-country thing and the charging-for-access part.

(c) Without authorization? He specifically notes that he saw they charged different prices for different devices and purchased the option for a device that was not the type he was using. So he did not purchase authorization to use it from a laptop.


No contest to (a) and (b) - I agree there.

As to (c) I was reading "system" as the two signup pages, not the overall wifi system. Still, unless there's a difference between the mobile and laptop services, they're the same product regardless of type of device used to access the system, and you're paying for the service.

It would be like an all you can eat restaurant charging extra if you were over certain weight/height thresholds.


well... most buffets I've been to have a reduced price for children since they are typically going to eat less. But it is hard to make good analogies between physical/virtual things.


True those analogies are very hard to make, as evidenced by the media piracy debate and "you wouldn't download a car, would you?"

I think the majority of my vitriol comes because it's an asinine way to split up service based on what we're assuming is bandwidth concerns. If they want a tiered service, then put in a tiered rate structure. The "laptop" rate gets you 300kbps, the "mobile" gets you 100kbps. Simple.


Agreed. It is totally asinine.


You're confusing Gogo's website with Gogo's WiFi network. It's not too hard to argue that he had authorization to access Gogo's WiFi network from a phone, but not from a laptop.


I disagree that's a "resounding no".


What is your reasoning there? Remember, we're not talking about the overall fraud case, just the answer to this question.


I believe that any reasonable person viewing those offerings would understand that the cheaper price was for phone Internet, and the more expensive price was for computer Internet. I also believe that the author of this post made it completely clear that they were getting one over on the ISP, which does not at all help their case.

That's about as far as I'd like to go with this particular branch of the discussion, if that's OK with you.


That's fine with me. You've shifted the argument back to the overall case and refused to address my specific concern about the answer to question (i), so I'm just going to declare myself the winner of this branch, if that's OK with you.


So what? Every one of us probably runs afoul of hundreds or thousands of bogus laws every day. It's time to start encouraging people to be bolder and violate more laws, as far as I'm concerned.

Now excuse me while I go listen to some Judas Priest... \m/


The idea behind computer fraud laws, and fraud laws in general, is that tricking people to obtain valuable services at the expense of the victim is dishonest. People and companies should be able to offer services assuming that their counterparties are honest. When dishonest people abuse company offerings, they impose a cost on everyone in the market. In this specific case, the prospect of fraudulent access requires the wireless ISP to spend money strengthening their security controls; the costs associated with that are passed on to the market, as are the inconveniences associated with new controls.

In other words: the law sees it as a bad thing that ISPs should have to bulletproof their offerings so that when they make a service available to phones, it isn't easy to trick those systems into providing service to computers. The law says, "it is silly that the market should have to bear the cost of that engineering, because it's undertaken solely to prevent dishonest people from obtaining undue benefit".

The only question you really have to ask here is, "am I tricking a business into offering me something with a dollar value without paying for it?" Yes? That's fraud. It's the definition of fraud.

People probably do violate all sorts of stupid laws all the time. But that's a very different point than "people commit all sorts of frauds all the time". They do not. Fraud is invariably wrong.


The only question you really have to ask here is, "am I tricking a business into offering me something with a dollar value without paying for it?" Yes? That's fraud. It's the definition of fraud.

He did pay. The question now is, is this something roughly akin to switching price stickers on merchandise in a store. Since there's no specific requirement that a browser return an "accurate" UA string (whatever "accurate" even means for a UA string), this is closer to a company putting out a bucket with a sign saying "Honor System: suggested donation: $7.95 for phones, $15.95 for computers" and having somebody throw in $7.95 while using a computer. Not noble, but hardly something they should be punished for.


He paid for product "A" and used product "B", and then wrote about the sticker price difference between "A" and "B" on a public website. Again: this is the definition of fraud. Your point is just that it's a small fraud.

To the extent that the insignificance of this fraud will preclude it from becoming a federal case, I agree.

In general: don't lie to people to win deals for yourself. At all.


Unless there's something differentiating the two services, product "A" and product "B" are the same product, with different prices.

I find GoGo's double pricing to be the most morally objectionable thing about this whole situation.


> The only question you really have to ask here is, "am I tricking a business into offering me something with a dollar value without paying for it?" Yes? That's fraud. It's the definition of fraud.

What services did he steal? He paid for wifi services for the duration of the flight. The device by which he enjoys that service should be of no consequence.


He paid for wifi services for his computer for the duration of the flight. The fact that you do not recognize the legitimacy of a commercial offering does not give you the right to invent your own terms; you take the terms as offered, or you don't do business at all.


He received what he paid for: wifi services for that flight.

I still don't see fraud here.


He paid for a WiFi connection between a phone and the internet. He received a connection between a laptop and the internet.


He paid for a WiFi connection between a device and the internet. He received a connection between a device and the internet.

If GoGo can't tell the difference between a laptop and a mobile phone, that's their problem. And no, the UA string doesn't guarantee that and there is no law that I've heard of that prevents users from altering their UA string (or anything for that matter). They showed him a price for a service on his device, and he bought that service.


Ha, good luck trying to argue that. The Gogo website makes it clear that there are separate services for phones and laptops. Their website automatically detects what kind of device you have, if they make a mistake then it's their problem if they don't offer you the means to correct it. But if you deliberately circumvent their system to save money, then you're committing a fraud.

I'd urge you to learn a little more about the law if you think that a UA string specific law is needed, or even a computer-specific law. Intent and personal gain are more than enough.


If you think you are participating in civil disobedience, you will have better luck if you are not gaining something of value while doing so.


Judas Priest should be charged for making foul music.


Actually, please do clarify. I am genuinely curious as to your reasoning. Consider also that there is no TOS violation as far as I can tell [1], and TOS violations do not a crime make [2]. Actually "hacking" something to get the service for free (sniffing a cookie and spoofing a MAC address, perhaps) would of course be another matter, but there's not even an access control being circumvented here.

Edit: Let's say they were price discriminating by looking at the size of your browser window, assuming anything < 600x400 is mobile and charging less. Is it illegal to resize?

[1] http://www.gogoair.com/gogo/cms/term.do
[2] http://www.volokh.com/2012/04/10/ninth-circuit-hands-down-en...


> Let's say they were price discriminating by looking at the size of your browser window, assuming anything < 600x400 is mobile and charging less. Is it illegal to resize?

No. The browser window size, or user agent string are just proxies for the real question: is the device a laptop or a phone/tablet/etc?

Your laptop remains a laptop whatever size the window is. This guy's laptop remained very much not a phone after altering his user agent.

Edit: It's worth adding that desktop browsers do not use mobile device user agent strings during normal operation, but small windows are perfectly legitimate.


You do not need to violate a black letter TOS agreement to commit fraud.

You do need to intend to deceive to commit fraud, which moots your later example.


While it is not mentioned in the ToS, the pricing varies based on what device you have (this is stated elsewhere). This guy has a laptop and is claiming that it's a phone - a deception made for personal gain - a.k.a. fraud.


I would argue with your "claiming it's a phone". Under that rationale, everyone using Internet Explorer is committing fraud as soon as someone decides to price-discriminate based on it, since it claims to be Mozilla [1]. User agents are totally discretionary. It's like the color of your laptop.

[1] http://www.useragentstring.com/pages/Internet%20Explorer/


> everyone using Internet Explorer is committing fraud

No - there's no financial gain from using IE.

He has manipulated his computer to inform web servers that his device is a mobile device. I'm not aware of any desktop browsers which use mobile device user agent strings during normal operation. Whether it is discretionary or not is irrelevant, the point is that he's deviated significantly from normal behaviour, deliberately, without any legitimate reason (e.g. he wasn't at the time say, testing a mobile site), in fact with only the intent to defraud.

Ultimately, user agent strings are not a brilliant way to create a legally binding contract - it would be much smarter to have the contract amended based on the user-string to include "I confirm that my device is a laptop", and make this click-through.


As far as I can see he's done absolutely nothing illegal, immoral maybe depending on your view on the matter. It's rather like totally trusting client side javascript for authentication; unless you check that the data being received is accurate then you'll never be able to stop this. It's a simple case of trusting the client. I would imagine that should the submitter have been running an Android Development Image on his system and accessed via a browser on that, the effect would be the same.
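The two points above (that a User-Agent header is a client-chosen value the server should not price on, and that the contract should instead rest on an explicit click-through attestation) in working code. This is an added example, not Gogo's code or the blog author's; the tier names, prices, log format and log lines are all constructed for illustration.

```python
"""Added example (not Gogo's code nor the blog author's): a User-Agent-keyed
price tier is a client-chosen input; the fix suggested in the thread is an
explicit click-through attestation, with the UA kept only as a hint that is
recorded when it disagrees. Tier names, prices and log lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed tier table; the figures are placeholders, not Gogo's price list.
TIERS = {"mobile": 7.95, "laptop": 15.95}

# Substrings a naive server-side check might treat as "mobile".
MOBILE_UA_MARKERS = ("Mobile", "Android", "iPhone", "iPad")


def ua_family(ua: str) -> str:
    """Classify a User-Agent header: any mobile marker => 'mobile', else 'laptop'."""
    return "mobile" if any(marker in ua for marker in MOBILE_UA_MARKERS) else "laptop"


def quote_naive(ua: str) -> float:
    """Weak design: the price is derived from a header the client fully controls,
    so whatever family the browser reports is the family that gets billed."""
    return TIERS[ua_family(ua)]


@dataclass
class Quote:
    tier: str
    price: float
    ua_mismatch: bool  # the buyer's attestation disagrees with the UA hint


def quote_attested(selected_tier: str, attested: bool, ua: str) -> Quote:
    """Hardened design: the tier comes from an explicit click-through
    ("I confirm my device is a phone/laptop"), which is a statement the
    buyer makes, not a header the browser picks. The UA is only a hint;
    a disagreement is flagged for review rather than silently priced."""
    if selected_tier not in TIERS:
        raise ValueError(f"unknown tier {selected_tier!r}")
    if not attested:
        raise PermissionError("device attestation click-through is required")
    return Quote(selected_tier, TIERS[selected_tier], ua_family(ua) != selected_tier)


# Constructed access-log excerpt (not real Gogo logs). Session s2 visits the
# signup page from a desktop UA, switches to a mobile UA to pay, then switches back.
SAMPLE_LOG = """\
2012-08-29T14:02:11Z session=s1 path=/signup ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
2012-08-29T14:02:40Z session=s1 path=/pay ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
2012-08-29T14:05:03Z session=s2 path=/signup ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
2012-08-29T14:06:17Z session=s2 path=/signup ua="Mozilla/5.0 (Linux; Android 4.1; Galaxy Nexus) AppleWebKit/535.19 Chrome/18.0 Mobile Safari/535.19"
2012-08-29T14:06:52Z session=s2 path=/pay ua="Mozilla/5.0 (Linux; Android 4.1; Galaxy Nexus) AppleWebKit/535.19 Chrome/18.0 Mobile Safari/535.19"
2012-08-29T14:07:30Z session=s2 path=/ ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
2012-08-29T14:09:00Z session=s3 path=/signup ua="Mozilla/5.0 (Linux; Android 4.1; Galaxy Nexus) AppleWebKit/535.19 Chrome/18.0 Mobile Safari/535.19"
"""

LOG_RE = re.compile(r'session=(?P<sid>\S+) .*?ua="(?P<ua>[^"]*)"')


def flipped_sessions(log_text: str) -> list[str]:
    """Detection: sessions whose UA family changes mid-session. A phone does
    not turn into a laptop between /signup and /pay, so a flip is a strong
    review signal for the change-and-change-back described in the thread."""
    families: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if match is None:
            continue
        families.setdefault(match["sid"], set()).add(ua_family(match["ua"]))
    return sorted(sid for sid, seen in families.items() if len(seen) > 1)


if __name__ == "__main__":
    desktop = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 Chrome/21.0 Safari/537.1"
    print("naive quote for a desktop UA:", quote_naive(desktop))
    print("attested mobile purchase from a desktop UA:", quote_attested("mobile", True, desktop))
    print("sessions whose UA family flipped:", flipped_sessions(SAMPLE_LOG))
```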


Intentionally misrepresenting the situation to get a better deal is called fraud.


UA strings aren't bound to any legal requirements, as far as I know. So how is it fraud if one party has no reasonable expectation of any particular representation of the situation in the first place?


Wellllll, it would be reasonable to expect that 99.99% of people wouldn't change their UA.


Name me one desktop browser which uses a mobile UA string during normal operation.


Assuming this isn't a troll post:

1) He didn't trespass on a protected computer system or hack anything - he's using a web browser.

2) Users are not required to leave their browser's default settings intact when interacting with websites.

3) Where is the theft of services? He paid for a wifi internet connection for the duration of the flight with a price he was offered. He could have just as easily paid using his phone and then tethered his laptop to it.


I think that's a stretch. Here's another example:

A certain airline offers upgrades to first class seating, but only within a certain time period before the flight.

When using their website, I realized that I could pass in the time constraint as a parameter to their webapp. Boom, cheap first class upgrade, at any time!

Is that stealing? Yes. At the very least, theft of service. That first class ticket can sell for thousands of dollars, and instead, this trick would have allowed me to get it for hundreds. Just because their webapp allowed it doesn't make it OK. It's no different than tricking someone at the counter into giving you an item for free, or giving you extra change.


The distinction you're trying to draw between "theft" and "theft of service" is the reason we have fraud statutes. Fraud is a more general crime than theft.


I think that analogy is flawed because the airline can only sell that seat once. If you used that hack, then you would be removing the chance that the airline could sell that seat for the full price. That doesn't apply to the wifi situation.


You've clearly not dealt with congested airplane wifi.


I'm all for heavier users paying more for the service, but breaking it down by device is asinine.


How a vendor chooses to break it down is their prerogative. Our prerogative is only whether or not we'll accept the deal they offer at a price they'll accept.


Fair enough. The author did accept the deal they presented on his laptop the second time around.


I am guessing Google will be upset with him too when they get wind of this.


So what if I paid for it and used my USB tether?

Am I committing fraud? Violating the TOS maybe? Both?


I glanced at the first two screenshots before I read the article and thought he was just going to create a wifi hotspot off his phone... that way he could get internet on both devices for the mobile price.


You can't create a WiFi hotspot from a WiFi connection on a Galaxy Nexus.


Not sure what's less impressive. A pricing model based on browser headers, or a 10,000 word article on "hacking gogo inflight" based on changing a browser header.


Indeed. I clicked this expecting to find an interesting description of an authentication vulnerability, or a novel way to spoof, or a hidden tunnel, or something.

tl;dr: GoGo implements price discrimination in a naive way. Author "hacks" it with equally naive mechanism to save $8US.


On a flight to a conference we once set up our own wifi hotspot using two laptops.

We had one company gogo subscription. They connected and shared their internet through ethernet to another laptop. That laptop shared it out through wi-fi. We had 4 people using the Internet. It was awesome but fairly impractical. At least I could tweet from the clouds.


This is unbelievably lame. The whole thing could have been related in under 100 words. Plus he is defrauding a perfectly legitimate service. $15 is not a ripoff. This isn't the MPAA.

It would have been acceptable if the author was 13 or something but they appear to be an adult who works for google.

What next, spoofing referer to get into porn sites? l33t d00d!


You can get internet on a flight?! We live in the future!

Oh, it's $15? Nevermind.


Never mind, you can order a $20 Pepsi.


TL;DR: Wifi was cheaper for mobile so he changed the User-Agent header.


Should have tried the Lynx user agent


Really clever. Also really stupid to post it on the internet. I hope nothing bad comes your way because of it.


I understand the proof of concept is cool, but why do this? High speed Internet at 35k feet isn't worth $15 to you? You said yourself it was going to be a long flight. Why hustle them out of what is one beer on a plane?


It's basic capitalism; if this "vulnerability" wasn't built into their code, would you submit to a more expensive price on your laptop when you could just as easily get half off (for the same product) on your phone?

If there were no 'hack', and I went on that plane knowing full well that I was going to purchase internet access, I would buy the half-off solution and tether to my phone.

As a user, this is a valid set of decisions. Since they're implementing this in a stupid way, it's perfectly valid to exploit their method and pay for the cheaper item.

If you went to the supermarket and found an item at $10, but you had the option of doing 5 jumping jacks to lower the price to $5, what would you do? Is it immoral to do jumping jacks?


"Since they're implementing this in a stupid way, it's perfectly valid to exploit their method[...]"

Really?

If you went to buy something on Amazon, and found they had a "stupid" vulnerability you could exploit in order to get half off of your order—maybe some Javascript hack that made the part of their system that calculated the price you pay think you actually ordered a smaller version of the product—is that immoral?

Is leaving your house or car unlocked a sufficiently stupid vulnerability to become "perfectly valid to exploit"?


Your examples break federal law; I'm exploiting Amazon's proprietary codebase to lower my prices / someone is still breaking and entering into my home. Those aren't moral because federal laws are being broken.

If Amazon charged $20 for a book if I were to buy it on my laptop, but $10 for that same book if I buy it with my phone, why in the hell would I buy it on my laptop? How is that immoral? I'm presented with two options: $10 or $20 for the same item. The company has offered me a contract of payment and I am to choose one, or I can take my patronage elsewhere. This is not a matter of breaking into a server and SQLi'ing until you can make an item free; this is the company offering me something for cheaper, depending on how I buy it.


Aren't they hustling you for $10-16 for a few hours of internet access? There is no marginal cost difference between a phone and a tablet or laptop, and that marginal cost is likely VERY low relative to the asking price to begin with.

This is preying on the notion that you "should" have to pay more for a laptop vs a phone access because that's what people have been conditioned to accept from their wireless carrier.



This explains why the Internet is more expensive everyday. I shall hack my mobile so it presents as a desktop browser so I can pay full price. Every little bit helps.

Oh, and what a seriously lame article in almost every respect. Awesome interface etc etc. This was the gentle reminder I needed to push me from these mind-numbing articles. Good luck and good night.


Would it be illegal to connect to the internet with your phone (pay mobile price) then tether your phone to your laptop?


I'm flying to san fran from the east coast next week and specifically booked a Gogo flight in order to get work done by mile high. I saw the pricing structure on the airlines website though and I agree that it's shady. Where I'm from the law of Shade for Shade applies, shall try your method.


Discuss: How do you feel about Gogo's pricing model? According to this article they charge $9.95 if they detect you're on mobile. $15.95 otherwise.


GoGo sucks. Their service has been unusable on recent SFO/JFK flights. At $18 a pop, you can't even get the google home page to respond. What a joke of a company...



