How to get Gogo in-flight wireless internet for free. [DISCLOSURE]

Gogo's new fancy logo

**DISCLAIMER**

Stealing internet is illegal. I do not condone stealing of internet services. This is merely a flaw in their system that I reported to them on August 15, 2013. I take no responsibility for your actions. The information provided is without warranty. Seriously, do not try this at home or in flight.

A little history on the matter. We were on a flight to DEF CON (this is how good stories start) and were in the mood. Rather than be destructive, we set out to see if we could gain internet access while on the plane. In short, we were successful and it was much easier than we imagined.

We were only armed with a rooted Android tablet and two rooted Android phones. You only need one rooted Android device or pretty much any PC. For the sake of this article and from in flight experience, Android was used.

So here goes:

Apps you need for this demonstration:

However I’m sure there are equivalent apps out there that are also free and readily available.

Warning, these steps are all from memory and are by no means exact.

Part 1:

  1. Once you hit 10,000 feet and it’s deemed safe for electronics by the pilot, fire up DSploit.
  2. Connect to the Gogo network and then select the network’s subnet (the one ending in 0/24).
  3. You are going to want to run a MiTM (Man in The Middle) attack, so select that.
  4. On the next screen select Session Hijacker. This will hijack the sessions of those who are about to purchase some internets.
  5. Give it a few minutes, you’ll need to gather a session from someone who just paid. Once you find one that says gogoair.com or similar (I forget what domain is used in flight) you should be good.
  6. Note the IP address of the user and then replay their session, it’ll show you the “Thanks for paying” page. This gives you the authentication you need. If not, go wait for another session.

When I made it to this point, it would attempt to give me internet but it wasn’t 100% working. For the record, replaying their session logs you into their account where you are able to purchase more wifi time without a password or credit card information.

Part 2:

  1. So now you’ve got the session needed and the IP associated with that session. Go back a few pages in DSploit; it’ll show you the list of connected devices (where you selected the 0/24 subnet earlier).
  2. Find and match the IP of the user you hijacked the session from; it will also display their MAC address. Copy it down.
  3. Open ChangeMac and spoof your MAC address to theirs.
  4. You may need to reboot.

You should now have internet!

I’d also like to note that you could then continue hijacking sessions and do other things while on that network since AP isolation is disabled. I’ll let you use your imagination.

Something else I’d like to point out, you can do all of this without agreeing to the terms of service or even displaying the terms of service.
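A portal-side check for the two behaviours described above (a replayed session and a copied MAC address), as an added example that is not from the original post or from Gogo's systems. The log format, field names, alert names and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real traffic). Assumed format:
# time client_ip client_mac session_id path
SAMPLE_LOG = """\
10:01:02 10.0.0.23 02:00:00:00:00:23 sess-7f3a /purchase/confirm
10:01:40 10.0.0.23 02:00:00:00:00:23 sess-7f3a /account
10:03:15 10.0.0.57 02:00:00:00:00:57 sess-7f3a /purchase/confirm
10:04:00 10.0.0.41 02:00:00:00:00:41 sess-91bd /purchase/confirm
10:09:30 10.0.0.57 02:00:00:00:00:23 sess-7f3a /account
bad line
"""

def parse(log):
    """Yield (time, ip, mac, session_id, path); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, ip, mac, sid, path = parts
            yield ts, ip, mac.lower(), sid, path

def find_anomalies(log):
    """Flag sessions presented by a second client and MACs seen on a second IP."""
    session_owner = {}            # session id -> (ip, mac) that first presented it
    mac_ips = defaultdict(set)    # mac -> client IPs it has appeared on
    alerts = []
    for ts, ip, mac, sid, _path in parse(log):
        owner = session_owner.setdefault(sid, (ip, mac))
        if owner != (ip, mac):
            alerts.append(("session_reuse", ts, sid, ip, mac))
        # A new DHCP lease can also move a MAC to another IP, so treat
        # this as a signal to correlate, not proof on its own.
        if mac_ips[mac] and ip not in mac_ips[mac]:
            alerts.append(("mac_on_second_ip", ts, mac, ip))
        mac_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```

Rejecting or re-authenticating a session that fails the owner check closes the replay step; the MAC signal is most useful alongside AP isolation, which the disclosure below suggested to the vendor.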

Disclosure history:

  • 8/15 – First contacted vendor notifying them of issue/asked about bug bounty program (Need some cheddar, ya know?)
  • 8/21 – Manager of Information Security, Scott, responds asking to know more about the issue described. Tells me there isn’t a Bug Bounty Program
  • 8/21 – I respond that I am disappointed with the lack of Bug Bounty Program but then fully disclosed the issue and suggested AP isolation.
  • 8/26 – I never heard back from Scott. I write back to him that I’d like to talk/post about my findings publicly and would like to make sure things are patched first.
  • 9/5 – Still nothing from Scott. I tell him again that I’d like to publish my findings and that I would really like to make sure things are fixed before I go public.
  • 9/5 – Scott’s auto-responder says that he is out of the office with limited access to email for the day and that he will respond to my E-mail when he returns
  • 9/9 – I alert Scott that I’ll be disclosing this on the 15th
  • 9/9 – Scott responds that he is pushing for a Bug Bounty Program (woo!) and would like to preview what I’m going to publish (this)
  • 9/15 – Haven’t heard back from Scott, not publishing yet.
  • 9/16 – I wrote Scott back asking for his comments before I publish.
  • 9/18 – Can’t wait. Publishing.

I have no idea if this is fixed yet or if they are even fixing it.


About Chad Burton

Hello, My name is Chad, most internet people know me by OutKastz. I play the internet often, it's one of my favorite games and I play to win. Sometimes I even beat my high score. I enjoy hardware hacking and tinkering on the computer. I'm also pretty big into home automation and more recently Corvettes. Shocker. I have a loving wife, Kelly, and my son, Little Butt, I mean Charlie.

  • outkastz

    Feel free to report back if this works still or not. I want to confirm if it’s been patched.

    • Matthew Karlovic

      Hi, just wanted to let you know this does still work. I believe I missed the confirmation page when the other session reached it, but I simply copied their MAC to my Android device and after a restart it was good to go. I attempted to replicate on my PC, however Windows 7/8.1 refused to let me use my own MAC that didn’t begin with a 02 octet (appears to be some kind of override in the OS).

  • David Huber

    nice man! great work!

  • Sam Baker

    I have not tried it yet oh! the annoying paid internet subscriptions

  • Jakob

    I’m not a professional in the security industry, but from my understanding, there isn’t much that GoGo CAN do to prevent this. I would say that this isn’t necessarily a bug because it’s not something you just stumbled upon through normal usage of their service. This is more of an inherent flaw of open networks.

  • JMY

    I found this page after taking a flight a few days ago. I was able to gain access to the internet using a different method. I was using the iPhone 5 with iOS 7. If you bring up the web you can select a movie to watch. You are then prompted to download the GOGO movie player. It will launch the App Store on your phone or iPad. If you leave the App Store open as well as the original screen in Safari you can then launch another app such as Pandora or eBay and play away for free. Good post by the way, I enjoyed it.

  • omarbirjas

    dSploit is off the market, does anybody know a good MiTM attack app on the Android platform?

    • Jared K

      I don’t think it was ever on the market.
      Just follow his link to dSploit and download the new zANTI2. It also has a MAC changer built in.

      • omarbirjas

        It was on the market, you can see it whenever you type in the full name, but then it got deleted and merged with zANTI2.

  • Jared K

    Going to try this today. If I remember I’ll post back here.
    Noticed that dSploit merged and is now: zANTI2.
    This has a built-in MAC changer!

    • frafri

      Please let me know if it still works! Thank you sir

      • Jared K

        I couldn’t get it to work, but I wasn’t trying very hard. I’m pretty sure it should still work though.
        Probably a lot easier with Kali Linux on a laptop.

  • frafri

    When I try to use dSploit it has issues with the MAC address
