Saily: The Risks of In-Flight Wi-Fi and 'Evil Twin' Attacks

Saily's Head of Product, Matas Čenys, explains the cyber risks of free in-flight Wi-Fi, including 'evil twin' attacks targeting business travellers

The expansion of complimentary in-flight Wi-Fi services, such as with the partnership between Southwest Airlines and T-Mobile, presents a growing security challenge.

As more airlines adopt free internet to improve the passenger experience, they may also be creating new opportunities for cybercriminals to target business travellers and the sensitive corporate data they carry.

This evolving threat landscape means that old hacking tactics are finding new life in an environment where passengers might lower their guard.

Matas Čenys, Head of Product at Travel eSIM app Saily, says: “In-flight Wi-Fi used to occasionally be a target for cyberattacks, but with the service now becoming complimentary, security incidents will become more frequent.

“Hackers use old tactics in an environment where travellers expect to be safe. So, their old tricks work again, even when they wouldn’t elsewhere.”

    Understanding the 'evil twin' threat

    One of the primary methods used in this environment is the 'evil twin' attack. A malicious actor, posing as a regular passenger, can use a personal device such as a smartphone or a compact travel router to create a new Wi-Fi hotspot. They then give this hotspot a name that mimics the airline’s official network, for example, 'Southwest WiFi'.

    Unsuspecting travellers who connect to this fraudulent network risk having their unencrypted data traffic intercepted by the attacker. This could allow the cybercriminal to steal session cookies, potentially giving them access to corporate accounts without needing a password. Furthermore, they can deploy fake login pages to trick users into entering credentials or payment information, creating a direct path for data breaches.
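The name mimicry described above can be checked mechanically against the SSID the cabin crew confirms. The following is an added example, not code from the article or from Saily; the official SSID `SouthwestWiFi`, the scan list and the 0.8 similarity threshold are constructed assumptions. An exact name match gets its own verdict because a twin can copy the name character for character, so the name alone proves nothing.

```python
import unicodedata
from difflib import SequenceMatcher

OFFICIAL = "SouthwestWiFi"  # assumed: the SSID the cabin crew confirmed

# Constructed scan results (SSID, BSSID), not captured from a real flight.
SCAN = [
    ("SouthwestWiFi", "02:00:00:00:00:01"),
    ("Southwest WiFi", "02:00:00:00:00:02"),
    ("Southwest_WiFi_Free", "02:00:00:00:00:03"),
    ("S\u03bfuthwestWiFi", "02:00:00:00:00:04"),  # Greek omicron for "o"
    ("Pixel 8 hotspot", "02:00:00:00:00:05"),
]

def skeleton(ssid):
    """Fold case, compatibility forms, spacing and punctuation."""
    folded = unicodedata.normalize("NFKC", ssid).casefold()
    return "".join(ch for ch in folded if ch.isalnum())

def classify(ssid, official, threshold=0.8):
    """Return 'exact', 'lookalike' or 'unrelated' for one visible SSID."""
    if ssid == official:
        return "exact"  # name alone cannot rule out a twin copying it
    a, b = skeleton(ssid), skeleton(official)
    if a == b or b in a:
        return "lookalike"  # differs only in case/spacing, or adds a suffix
    if SequenceMatcher(None, a, b).ratio() >= threshold:
        return "lookalike"  # near match, e.g. a swapped or homoglyph letter
    return "unrelated"

def flag_networks(scan, official):
    """List (ssid, bssid, verdict) for every network that is not unrelated."""
    out = []
    for ssid, bssid in scan:
        verdict = classify(ssid, official)
        if verdict != "unrelated":
            out.append((ssid, bssid, verdict))
    return out

if __name__ == "__main__":
    for ssid, bssid, verdict in flag_networks(SCAN, OFFICIAL):
        print(f"{verdict:9} {bssid}  {ssid!r}")
```
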

    Malware and data exfiltration risks

    Beyond intercepting data, these malicious networks can serve as a conduit for distributing malware. Matas asserts that: “Hackers can also spread malware through the connection, for example, by offering a ‘required’ app or plugin to access the Wi-Fi. The same trick can be used via AirDrop. If your device notifies you that you’re receiving some file from an unknown person, tread carefully — even if it looks like an innocent photo of their dog you’ve seen in countless social media posts.”

    Once a device is compromised, it can become a foothold for a wider attack on a company's internal network. For business travellers, a key indicator of a malicious connection can be performance. “If connected to a malicious network, the internet will be extra slow. Airplane passengers might expect a small drop in internet speed while flying, but a super slow connection could be a red flag,” Matas explained.

    Mitigating in-flight cyber risks

    While the risks are increasing, there are clear, actionable steps that organisations can mandate for their travelling employees to enhance security. A proactive approach to cybersecurity is essential when staff are using public networks. Companies should consider implementing the following security protocols for employees:

    • Always verify the name of the official in-flight Wi-Fi network with the cabin crew before connecting.
    • Utilise a trusted Virtual Private Network (VPN) to encrypt all internet traffic when connected to any public Wi-Fi.
    • Ensure device settings are configured to connect only to sites using HTTPS and to look for the padlock icon in the browser's address bar.
    • Disable file-sharing features such as AirDrop and automatic network discovery when on public networks.
    • Treat all requests for personal or login information with caution and defer sensitive tasks until a secure trusted network is available.

    Five Top Tips

    • Ask the airplane crew which Wi-Fi is the official one
    • Choose HTTPS only sites, looking for the padlock next to the URL
    • Consider using a VPN while on public networks, leaving tasks with sensitive information to data or your own trusted Wi-Fi
    • Treat your personal information with care
    • Disable file sharing, AirDrop and network discovery while on public networks

    As airlines continue to integrate connectivity into the travel experience, the responsibility falls on corporations to update their security policies and ensure employees are aware of the risks. The convenience of in-flight internet should not come at the cost of corporate data security.