Exploit Airlines that use T-Mobile for Free WiFi

Or how I hacked an airline with my phone.

Objective: How to obtain free WiFi and maintain it while on an airplane.

I had a long 14-hour flight back to the United States and ended up getting bored in the first 30 minutes. There I was, with a rooted phone and nothing but time. The first thing I wanted was internet, and I found out that indeed there was a free hour offered to T-Mobile customers!

It was a bit of fun just wasting the only hour I had on cat videos, but now there I was. Twelve or so hours remaining. I realized I needed more WiFi time. 

Ironically, I'd use the internet to first gather information and learn more about the systems in front of me, but seeing as I wasted all of my time on ridiculous videos, I figured that I'd just have to make use of what I already had. Not a problem for someone with my rural and unique background.

Thinking back on some of my earlier tricks learned from Cybersecurity, I started to think about how these systems really determine who can only have 1 hour of WiFi, and the methods they used for verification. 

Step 1: Good Ol' Fashioned MAC Spoofing

Luckily, I had rooted my phone using Magisk on a custom LineageOS, a more secure phone OS for the paranoids like myself. This, along with apps that allow you to spoof your MAC address, would help me discover this vulnerability.

I started scanning the network to see if I'd be able to use anyone else's MAC address, and then try to use their MAC to obtain free WiFi. I know, not the nicest thing in the world but it's something. Unfortunately, all of the MACs that I had spoofed did not grant me further WiFi access, leading me to believe that they may have also used up their free hour. :(  *sadface

Then it hit me, well what are they asking for? A valid T-Mobile phone number, really. Then I realized that I had never received a text, nor any authentication method that could prove I really owned the number...

Step 2: Fresh MACs with a side of T-Mobile Numbers

Time to start hacking. I ended up going through my contacts list, you know, for science, and picked all of the numbers I knew were T-Mobile users. I compiled a list and then saved it to my phone.

Next, I used my app, cleverly called MacChanger, to change my MAC to a random MAC address for my phone.

I then went to the T-Mobile site on my phone and ended up using a new T-Mobile number, along with my newly generated MAC address and BAM! Free WiFi for another hour. Yay!

Free WiFi through T-Mobile GoGoInFlight Application

Time remaining on flight, 5 hours. New T-Mobile phone number, and MAC address.

Time remaining on flight, 2 hours.

Time remaining on flight, 30 minutes.

Step 3: Responsible Disclosure

After enjoying some free delicious WiFi for myself, I figured I'd do the right thing and let the airlines know about this vulnerability.

I ended up contacting the airlines on July 7th, 2022, and it turns out that their teams were aware of the vulnerability and ended up accepting the risk since they were eventually going to offer free WiFi to passengers anyways! That's awesome.

As for further communication from the team, it looks like there were some clarifications mentioned:

  • "This finding specifically from an [Airline] perspective would fall under 'out of scope'."
  • "[They] are going to begin piloting the feature in week-long sprints on select aircraft in select markets beginning in two weeks (from July 7th, 2022), unannounced of course publicly until it's wholly ready for prime time, but progress all the same :)"
  • Unlimited full WiFi now offered to T-Mobile customers: https://www.t-mobile.com/benefits/travel/in-flight-wifi

Working with the airlines was a pleasure, and I look forward to working with each other more in the future!

Lessons Learned

If you are an Airline WiFi provider, I'd recommend not using MAC and T-Mobile numbers as the sole authentication method for your services. MAC addresses were never intended to be reliable forms of authentication.

I'd recommend:

  • SMS-based authentication while boarding or on the ground, during potential connections via LTE or WiFi, that then gives a one-time passcode for WiFi during the flight.
  • Any login-based authentication method that doesn't rely on just a valid T-Mobile number and new device, really.
  • Cool new auth methods that might be in progress that I am not aware of!
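
A sketch of the first recommendation, added here as an example and not code from the airline or the WiFi provider: the free hour is tied to a phone number that has proven possession through an SMS one-time passcode, and the device MAC plays no part in the decision. The class name, the constants, the in-memory stores and the `send_sms` callable are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 16 * 3600    # assumed: code sent on the ground stays valid for the flight
MAX_ATTEMPTS = 3       # assumed: wrong guesses allowed per issued code
FREE_SECONDS = 3600    # the one free hour described in the post


class PortalAuth:
    """Hypothetical captive-portal backend: quota follows the verified number."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(number, code); SMS gateway stand-in
        self.clock = clock
        self.key = secrets.token_bytes(32)
        self.pending = {}             # number -> [code_mac, expires_at, attempts_left]
        self.used = {}                # number -> seconds of free WiFi already granted

    def _mac(self, number, code):
        # Store a keyed digest of the code instead of the code itself.
        return hmac.new(self.key, f"{number}:{code}".encode(), hashlib.sha256).digest()

    def request_code(self, number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = [self._mac(number, code),
                                self.clock() + OTP_TTL, MAX_ATTEMPTS]
        self.send_sms(number, code)   # only the phone holding the SIM receives this

    def verify(self, number, code, device_mac):
        """Return granted seconds (0 = denied). device_mac is deliberately ignored."""
        entry = self.pending.get(number)
        if entry is None or self.clock() > entry[1]:
            self.pending.pop(number, None)
            return 0
        if not hmac.compare_digest(entry[0], self._mac(number, code)):
            entry[2] -= 1
            if entry[2] <= 0:
                del self.pending[number]   # force a fresh SMS after repeated misses
            return 0
        del self.pending[number]           # single use
        remaining = FREE_SECONDS - self.used.get(number, 0)
        if remaining <= 0:
            return 0                       # quota is per number; a new MAC changes nothing
        self.used[number] = FREE_SECONDS   # simplification: whole hour granted at once
        return remaining
```

A production portal would also rate-limit `request_code` per number and per device, and keep its state somewhere more durable than process memory.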