Airborne WiFi: Rogue Waves in the Sky
This talk explores the security risks associated with in-flight connectivity (IFC) systems on commercial aircraft, specifically focusing on the threat of evil twin access points. It details how attackers can exploit passenger trust and the lack of robust authentication in these environments to intercept data or perform malicious actions. The presentation provides practical guidance for blue teamers on identifying and investigating these threats using log analysis and network monitoring. It emphasizes the importance of understanding aircraft network architecture to effectively detect and respond to rogue access point activity.
How Rogue Access Points Are Hijacking In-Flight Connectivity
TLDR: In-flight connectivity systems often lack robust authentication, making them prime targets for evil twin attacks that harvest passenger credentials. By leveraging tools like Wireshark and Wigle, researchers can identify these rogue access points and map their deployment patterns. Security teams must prioritize monitoring for AP impersonation and anomalous beacon frames to defend against these airborne threats.
Commercial aviation has long been treated as a disconnected environment, but the rapid expansion of in-flight connectivity (IFC) has turned the passenger cabin into a high-stakes network segment. While we often focus on the hardening of ground-based infrastructure, the systems providing internet access at 30,000 feet are frequently overlooked. These systems are not just simple routers; they are complex, integrated avionics environments that often prioritize availability over security. When an attacker deploys an evil twin access point in this space, they are not just attacking a network; they are exploiting the inherent trust passengers place in the "official" airline portal.
The Mechanics of the Airborne Evil Twin
The vulnerability here is rooted in the OWASP A07:2021 – Identification and Authentication Failures. Most passengers connect to in-flight Wi-Fi without verifying the BSSID or checking for certificate pinning. An attacker simply needs to broadcast a stronger signal with the same SSID as the legitimate airline network. Once a device associates with the rogue AP, the attacker can serve a captive portal that looks identical to the real one.
The impact is immediate. By capturing names, email addresses, and payment information through a fake portal, an attacker gains a treasure trove of PII. More importantly, this setup allows for man-in-the-middle (MITM) attacks on unencrypted traffic. Even with modern TLS, many applications or misconfigured devices will still leak metadata or attempt to reach out to insecure endpoints, providing the attacker with a foothold to escalate their position.
Hunting the Threat in the Logs
For a blue teamer or a researcher, the challenge is separating this malicious activity from the noise of a busy airport or a crowded cabin. The Elastic Stack is the standard for ingesting these logs, but the sheer volume of data requires precise filtering. You are looking for beacon frames that deviate from the expected baseline.
When investigating, focus on the BSSID. If you see an SSID that matches the airline's network but the BSSID does not align with the known hardware inventory, you have found your target. The following logic in a SIEM query can help isolate these impersonation attempts:
SELECT timestamp, source_bssid, target_ssid, signal_strength
FROM wifi_logs
WHERE event_type = 'beacon_frame'
AND ssid_match = true
AND bssid_in_whitelist = false;
This query is a starting point. In a real-world engagement, you must account for the fact that multiple aircraft from the same airline might be parked at adjacent gates. This leads to legitimate cross-contamination of signals. A sophisticated attacker will time their broadcasts to coincide with these periods of high signal density, hoping to hide their rogue AP within the legitimate churn of the airport environment.
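To make the detection logic above concrete, here is an added example (not code from the talk) that loads constructed beacon-frame log rows and a constructed airline AP inventory into an in-memory SQLite database and runs a version of the query. It assumes the same column names as the SIEM query, but computes the whitelist check with a LEFT JOIN against the inventory table instead of relying on a precomputed bssid_in_whitelist flag, and normalizes BSSID case so a sensor that logs lowercase MACs does not silently defeat the whitelist. The second aircraft at an adjacent gate is in the inventory and is therefore not flagged, which is the legitimate "cross-contamination" case the text describes.

```python
import sqlite3

AIRLINE_SSID = "AirlineWiFi"  # assumed SSID of the legitimate in-flight network

# Constructed beacon-frame log rows for illustration (not real captures):
# (timestamp, source_bssid, target_ssid, signal_strength_dbm, event_type)
SAMPLE_WIFI_LOGS = [
    ("2024-01-01T10:00:00Z", "AA:BB:CC:00:00:01", "AirlineWiFi", -48, "beacon_frame"),
    # second aircraft of the same airline at an adjacent gate: legitimate, must not alert
    ("2024-01-01T10:00:01Z", "aa:bb:cc:00:00:02", "AirlineWiFi", -71, "beacon_frame"),
    # matching SSID from a BSSID that is not in the inventory: the impersonation candidate
    ("2024-01-01T10:00:02Z", "DE:AD:BE:EF:00:01", "AirlineWiFi", -35, "beacon_frame"),
    # same unknown BSSID but not a beacon frame: excluded by the event_type filter
    ("2024-01-01T10:00:03Z", "DE:AD:BE:EF:00:01", "AirlineWiFi", -36, "probe_response"),
    # unrelated SSID: excluded by the SSID filter
    ("2024-01-01T10:00:04Z", "11:22:33:44:55:66", "CoffeeShop", -60, "beacon_frame"),
]

# Constructed hardware inventory: (bssid, asset label) for the airline's own on-wing APs
AIRLINE_AP_INVENTORY = [
    ("AA:BB:CC:00:00:01", "aircraft-A"),
    ("AA:BB:CC:00:00:02", "aircraft-B"),
]

# Equivalent of the page's query, with the whitelist flag derived from the inventory table.
IMPERSONATION_QUERY = """
SELECT w.timestamp, w.source_bssid, w.target_ssid, w.signal_strength
FROM wifi_logs AS w
LEFT JOIN ap_inventory AS i ON i.bssid = w.source_bssid
WHERE w.event_type = 'beacon_frame'
  AND w.target_ssid = ?
  AND i.bssid IS NULL
ORDER BY w.timestamp;
"""


def normalize_bssid(bssid: str) -> str:
    # Sensors emit MACs in different cases and separators; compare on one canonical form.
    return bssid.strip().upper().replace("-", ":")


def find_impersonating_beacons(logs, inventory, ssid=AIRLINE_SSID):
    """Return (timestamp, bssid, ssid, rssi) rows whose SSID matches the airline
    network but whose BSSID is absent from the hardware inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wifi_logs (timestamp TEXT, source_bssid TEXT, target_ssid TEXT,"
        " signal_strength INTEGER, event_type TEXT)"
    )
    conn.execute("CREATE TABLE ap_inventory (bssid TEXT PRIMARY KEY, asset TEXT)")
    conn.executemany(
        "INSERT INTO wifi_logs VALUES (?, ?, ?, ?, ?)",
        [(ts, normalize_bssid(b), s, rssi, ev) for ts, b, s, rssi, ev in logs],
    )
    conn.executemany(
        "INSERT INTO ap_inventory VALUES (?, ?)",
        [(normalize_bssid(b), asset) for b, asset in inventory],
    )
    rows = conn.execute(IMPERSONATION_QUERY, (ssid,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for row in find_impersonating_beacons(SAMPLE_WIFI_LOGS, AIRLINE_AP_INVENTORY):
        print("possible evil twin:", row)
```

Running the script flags only the beacon from the unknown BSSID. In production the inventory table would be fed from the airline's asset register, and the strong signal (-35 dBm) on the flagged row is the kind of outlier worth carrying into the next correlation step.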
Real-World Engagement and Detection
During a penetration test, you would encounter this by performing a passive survey of the terminal area. Using Wigle allows you to map the density of APs and identify outliers that shouldn't be there. If you are on the offensive side, you are looking for the "low-hanging fruit"—the airline that hasn't implemented WPA3 or that relies on open networks with captive portals.
If you are on the defensive side, you need to move beyond simple detection. You need to correlate your Wi-Fi logs with ADS-B data. If your logs show an AP impersonation attempt, check if there is an aircraft actually at the gate or in the vicinity. If the signal is strong but there is no corresponding flight, you are likely looking at a ground-based rogue AP rather than an airborne one. This distinction is critical for your incident response workflow.
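The ADS-B correlation described above, as an added example that is not part of the talk: it takes constructed impersonation alerts (the output of the whitelist check) and constructed ADS-B position fixes, and classifies each alert by whether any aircraft was within a distance radius of the sensor inside a time window around the alert. The sensor coordinates, the 300 m radius, the 60 s window, the -50 dBm "strong signal" threshold and the placeholder icao24 values are all assumptions chosen for illustration; tune them to the gate geometry and receiver you actually operate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

UTC = timezone.utc


@dataclass
class Alert:
    timestamp: datetime
    bssid: str
    ssid: str
    rssi_dbm: int


@dataclass
class AdsbFix:
    timestamp: datetime
    icao24: str      # placeholder hex identifiers, not real aircraft
    callsign: str
    lat: float
    lon: float
    on_ground: bool


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    earth_radius_m = 6_371_000.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_m * asin(sqrt(a))


def classify_alert(alert, fixes, sensor_lat, sensor_lon, radius_m=300.0,
                   window=timedelta(seconds=60), strong_rssi_dbm=-50):
    """Return (label, callsigns). An alert with an aircraft in range is a candidate
    on-wing AP; a strong signal with no aircraft nearby is most likely a ground-based
    rogue; a weak signal with no aircraft nearby stays unresolved."""
    nearby = [
        f for f in fixes
        if abs(f.timestamp - alert.timestamp) <= window
        and haversine_m(sensor_lat, sensor_lon, f.lat, f.lon) <= radius_m
    ]
    if nearby:
        return "aircraft_in_range", sorted({f.callsign for f in nearby})
    if alert.rssi_dbm >= strong_rssi_dbm:
        return "likely_ground_rogue", []
    return "no_aircraft_in_range", []


def classify_alerts(alerts, fixes, sensor_lat, sensor_lon, **kwargs):
    return [(a, *classify_alert(a, fixes, sensor_lat, sensor_lon, **kwargs)) for a in alerts]


# Constructed sensor position at a gate (assumed coordinates, not a real site survey).
SENSOR_LAT, SENSOR_LON = 51.4700, -0.4543

# Constructed ADS-B fixes: one aircraft parked about 110 m from the sensor at 10:00,
# one taxiing roughly 4.4 km away at 10:30.
SAMPLE_ADSB = [
    AdsbFix(datetime(2024, 1, 1, 10, 0, 0, tzinfo=UTC), "000001", "EXAMPL1", 51.4710, -0.4543, True),
    AdsbFix(datetime(2024, 1, 1, 10, 30, 10, tzinfo=UTC), "000002", "EXAMPL2", 51.5100, -0.4543, True),
]

# Constructed alerts from the whitelist check: same unknown BSSID seen at two times,
# plus a weak unrelated hit.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 1, 1, 10, 0, 2, tzinfo=UTC), "DE:AD:BE:EF:00:01", "AirlineWiFi", -35),
    Alert(datetime(2024, 1, 1, 10, 30, 0, tzinfo=UTC), "DE:AD:BE:EF:00:01", "AirlineWiFi", -38),
    Alert(datetime(2024, 1, 1, 10, 30, 0, tzinfo=UTC), "DE:AD:BE:EF:00:02", "AirlineWiFi", -80),
]

if __name__ == "__main__":
    for alert, label, callsigns in classify_alerts(SAMPLE_ALERTS, SAMPLE_ADSB, SENSOR_LAT, SENSOR_LON):
        print(alert.timestamp.isoformat(), alert.bssid, alert.rssi_dbm, "->", label, callsigns)
```

The second alert is the interesting one for incident response: the same unknown BSSID is still broadcasting strongly half an hour after the only nearby aircraft has gone, which is the "strong signal, no corresponding flight" pattern the text identifies as a ground-based rogue AP.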
Strengthening the Perimeter
Defending against this requires a shift in how we view the aircraft network. It is not an isolated bubble. It is an extension of the corporate network that happens to be mobile. Engineers must ensure that the on-wing compute modules are not just logging events but are actively participating in a broader security fabric. This means implementing IDS/NGFW capabilities that can identify and drop traffic from unauthorized BSSIDs before it ever reaches the passenger devices.
If you are tasked with auditing these systems, do not just look at the software. Look at the physical installation. Are the WAPs accessible? Is there a physical port that can be bridged? The most effective way to secure these systems is to treat them with the same rigor as a data center rack.
The next time you are on a flight, take a moment to look at the network list. If you see something that doesn't look right, don't just ignore it. The data you collect could be the missing piece in a much larger investigation. We are seeing more sophisticated attempts to compromise these systems, and the only way to stay ahead is to treat every connection as a potential point of failure. Keep your tools sharp, keep your logs clean, and always verify the source of your connection.