Spoof your phone's MAC address to share in-flight wifi between your laptop and phone

I'm a big fan of many airlines now providing internet access on flights these days. It's pretty interesting stuff, especially the different ways in which internet access is provided on a flight. There are some services that are terrestrial cell-tower based, meaning that there is an antenna on the plane communicating/hopping to cell towers on the ground. From my poking around this is how Gogo-in-flight works, which has been provided on a few American flights I've been on recently. Another alternative that I've seen is satellite-based in-flight wifi, which is what United appears to use, and looking up the IP allocations with a whois $(curl icanhazip.com) this service is provided by ViaSat. Some of their advantages and disadvantages should be pretty obvious, e.g. latency/bandwidth/availability/etc. All pretty cool stuff. While there are certainly probably more ways in which internet access is provided on these flights, the point I'm trying to make is that, from my experience flying, they all seem to enable internet access from devices to the access points inside the cabin the same way -- by whitelisting MAC addresses after you have paid.

Today on my flight I was pretty annoyed when my laptop wouldn't connect to the United_WiFi Access Point when I pulled it out ~2 hours into my flight. Looking at dmesg it just showed the authentication hanging talking to the AP:

[531755.367967] wlp3s0: direct probe to b4:c7:99:6a:d3:80 (try 1/3)
[531755.674821] wlp3s0: Connection to AP b4:c7:99:6a:d3:80 lost
[531757.253218] wlp3s0: direct probe to b4:c7:99:6a:d3:80 (try 2/3)
[531757.455912] wlp3s0: direct probe to b4:c7:99:6a:d3:80 (try 3/3)
[531757.656093] wlp3s0: authentication with b4:c7:99:6a:d3:80 timed out

The annoying thing is my iPhone had connected and had no issues at all connecting. I cycled my iPhone's wifi a few times, and my laptop's several times. I even tried changing my laptop's MAC address and still it kept timing out. I assumed it had something to do with wifi client exhaustion so I tried changing my Linux wifi adapter's MAC address to that of my iPhone -- and it worked!

sudo ip link set wlp3s0 address b8:4:d9:1c:2b:ab

Cool -- now I'm at least connected to the access point and can pay for internet which I did. For "basic email and mobile apps" it is only $1.99/hour which in my opinion is pretty reasonable. And all I really wanted was ssh access out, so that is perfect :)

The upside of this situation is that I can (kind of) use my phone/laptop at the same time to access the internet! Success! Because the wifi sessions are unencrypted and use the same broadcast domain to accept the 802.11 wifi frames, and both devices have the same IP address because of DHCP, this somewhat works. The downside shows up when you're using TCP, which you almost surely are: since the devices share an IP address you may have issues keeping TCP connections established, because the other device will see packets coming in for TCP sessions it doesn't know about and send back a RST to kill the connection. This is too bad and makes this setup pretty unusable for almost all things in this active/active state. So I suggest only using one at a time...unless you're able to set up one of your devices to tunnel its traffic over a non-TCP channel. DTLS vpn ftw! :)

An astute reader will also recognize that there are some pretty nefarious things that can be done here, since the security model of these in-flight wifi APs is so weak by just doing MAC-based whitelisting. With simple tools like aircrack-ng it would be pretty trivial to capture some unencrypted wifi traffic, find MACs talking to IP addresses that aren't the access point, and spoof those. Although it is a fact that you both will have a bad time unless you tunnel your traffic, again, over some non-TCP channel.
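From the operator's side, two radios sharing one whitelisted MAC can be spotted without any encryption in place, because each 802.11 transmitter stamps its frames from its own 12-bit sequence counter and two counters interleaved under one address jump back and forth. The following is an added example, not code from the original post; the record layout (time, MAC, TID, sequence number, retry flag), the thresholds and the sample frames are assumptions made for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096     # 802.11 sequence numbers are 12 bits wide and wrap at 4096
MAX_GAP = 64       # assumption: forward jumps up to this are frames the sensor missed
MIN_ANOMALIES = 3  # assumption: report a MAC only after this many odd jumps

def normalise_mac(mac):
    """Pad and lower-case each octet so 'B8:4:D9' and 'b8:04:d9' compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def forward_gap(prev, cur):
    """Distance from prev to cur walking forward around the 12-bit counter."""
    return (cur - prev) % SEQ_MOD

def find_shared_macs(frames):
    """frames: (time, mac, tid, seq, retry) tuples from a monitor-mode sensor.

    Returns {mac: anomaly_count} for MACs whose counters look interleaved.
    """
    last_seq = {}                  # (mac, tid) -> last sequence number seen
    anomalies = defaultdict(int)
    for _time, mac, tid, seq, retry in sorted(frames):
        if retry:                  # retransmissions legitimately repeat a number
            continue
        key = (normalise_mac(mac), tid)
        if key in last_seq:
            gap = forward_gap(last_seq[key], seq)
            if gap == 0 or gap > MAX_GAP:
                anomalies[key[0]] += 1
        last_seq[key] = seq
    return {mac: n for mac, n in anomalies.items() if n >= MIN_ANOMALIES}

# Constructed sample records (not captured traffic).
SAMPLE = [
    # One radio: counter wraps 4095 -> 0, one retry, a few missed frames.
    (0.10, "02:00:00:00:00:01", 0, 4094, False),
    (0.20, "02:00:00:00:00:01", 0, 4095, False),
    (0.25, "02:00:00:00:00:01", 0, 4095, True),
    (0.30, "02:00:00:00:00:01", 0, 0, False),
    (0.40, "02:00:00:00:00:01", 0, 5, False),
    # Two radios on one MAC (written two ways): counters near 100 and near 2000.
    (0.11, "02:0:0:0:0:a", 0, 100, False),
    (0.12, "02:00:00:00:00:0A", 0, 2000, False),
    (0.21, "02:0:0:0:0:a", 0, 101, False),
    (0.22, "02:00:00:00:00:0A", 0, 2001, False),
    (0.31, "02:0:0:0:0:a", 0, 102, False),
]

if __name__ == "__main__":
    print(find_shared_macs(SAMPLE))
```

Counters are tracked per (MAC, TID) because QoS data frames keep a separate sequence counter for each traffic identifier, so mixing TIDs would produce false jumps for a single honest client.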

Anyways, that's enough for today. Enjoy sharing your in-flight wifi between your devices and stay out of trouble! :)
