A story about bypassing air Canada's in-flight network restrictions

tldr; the wifi's access restrictions still allowed DNS so they set up a vpn on the dns port

Iodine has done this for many years. https://github.com/yarrick/iodine

I haven't used iodine, but this seems simpler. Iodine wraps requests with actual DNS requests. In this case that wasn't needed, because port 53 wasn't filtered at all. So all they needed was a simple proxy on port 53.

> We affirm our strict adherence to all relevant regulations and service terms throughout this project.

Except if you bypassed payment and used the service in a manner that was not intended, most likely you were by definition not undertaking "strict adherance" to service terms ?

> The only downside was that although we broke through the network restrictions and could access any website, the plane’s bandwidth was extremely limited, making web browsing quite painful.

Unfortunately this is also the downside of paying. Many times I have paid for internet, only to find it unusably bad. To be fair, I just flew a transcontinental flight on Air Canada the other day and the wifi was fine.

Limiting availability of third party services based on local service provider fee can only be done 100% reliably on a service side through an agreement with that provider, i.e. WhatsApp needs to disable certain functions to users coming from certain dedicated links or IP ranges, or even based on live user status metadata. There's an obvious size mismatch, and lack of incentive to implement compartmentalisation only needed for some other company. It also creates enormous shared responsibility and potential circular finger pointing clown shows, all for relatively tiny number of affected paying users.

Therefore, it is either done with least amount of work that is “good enough”, and can be done on a cheapest router (rate limit to the absolute minimum, ban connections to ports 80 and 443, maybe cut the traffic to most stable IP ranges of biggest services, and regular person is going to state that “nothing else works”), or trough very extensive commercial DPI with lots of guessing and ad-hoc rules (if this feature is important for the income, and many will try to game the system). So it's either going to be as simple as in this example, or you'll compete with the global army of detection rule authors.

Though I do like the wink-wink, nudge-nudge choice of proxy software.

This is likely another layer of security that they didn't break through:

To prevent chat apps from consuming lots of bandwidth typically your connection is severely bandwidth restricted until you pay. If they didn't then someone could simply stream movies from their chat apps.

If a ping to a specific IP times out, I wouldn't say the IP is blocked. It could be that ICMP specifically is blocked, following some network rules on the firewall. This is pretty common in entreprise networks to not allow endpoint discovery. I could be missing something and happy to be corrected here, but I was surprised to read that.

Yeah, ICMP tunnelling is also a common bypass method for captive networks, so simply blocking all ICMP seems logical.

AC offers free WhatsApp, iMessage, messenger in most flights. You can ask meta through WhatsApp to effectively browse the net :)

Yeah I am a bit confused about posts like this. It’s bragging about breaking the law. There was a particularly bad one a few months ago where a kid had hacked Monster’s employee training site, and was sharing all this internal media in the post. I don’t understand how they don’t end up getting in some seriously annoying trouble with law enforcement. Well I looked it up just now and the post was deleted, I guess maybe he did get in trouble. https://news.ycombinator.com/item?id=44997145

Say you're on a plane from Canada to Hong Kong (random example), which country's laws would be applicable here? The country where the airplane is registered?

Could also just be lack of knowledge. Weren't we all a bit more risky and playful with other people's websites when we were kids and the internet was still accessed via modems? Remember talking about that with both other kids and adults without getting in trouble, but it was also decades ago. Once I saw others getting in real big trouble (like prison), then I kind of tried to find more beneficial ways of learning programming and computers.

I remember doing this about twenty years ago when many hotels blocked the internet behind a paywall but were naive in their approaches. I also remember trying this at a hotel in Tokyo about ten years ago and instantly finding my MAC address blacklisted. Their networking folks were clearly more sophisticated.

> which country's laws would be applicable here? The country where the airplane is registered?

For all intents and purposes it is the country of registration of the aircraft.

There are one or two exceptions to the rule, but they would not be applicable in this scenario. Mostly stuff relating to air safety. For example, if the aircraft did something against the aviaition laws of the country being overflown. Or hijackings etc.

Yes, you need to test the exact protocol you want to use. This means tcping/curl, TLS with proper certificates and SNI domains, etc.

However, just as you make sure that the power supply actually supplies power before dismantling something that refuses to work down to the last washer, repairing network problems should start with the basics. Simple test that does not work, or shows something nonsensical, is a great hint that you forgot something, or should start digging elsewhere.

> Could also just be lack of knowledge.

Huh ?

DNS tunneling is not exaclty something you do "by accident".

And if the person doing it on the flight "did not know" (which, given the text of the blog, I doubt) , then you can bet your botom dollar that the "roommate" that was summoned for remote assistance knew very well what was going on.

Didn't claim so either, but a lack of knowledge about that it is in fact illegal, hence the parallel to at least my previous experience where I've most surely have committed crimes in the past, because I didn't know it was illegal in the first place.

I don't know the age of the author, but it almost doesn't matter, sometimes people don't know (lack of knowledge).

"All new is something already known, but well forgotten."

Escaping locked down networks by tunneling things over DNS is one of these things. We've used it back in 00's to get out of restrictive hotel networks. Not even WiFi, but the actual wired Ethernet ones.

> breaking the law

Not law per se. More like contractual obligations taken upon by connecting to the flight's WiFi.

I feel like you have to be brave messing with a plane's network. People tend to get really touchy when airplanes are involved.

Ah "network neutrality", how you won initially yet lost over time...

IMO a certain amount of youthful indiscretion that takes the form of challenging systems and structures feels like it's both tolerable and important. Agitation prevents calcification.

Imagine if anything essential/of value/useful was exposed on the passengers WiFi, this story could have been a huge scoop. But alas, everything is heavily separated.

I was going to say this too.

I once merely mentioned the words “Heart Attack” on a plane and was kicked off by the flight attendants. No context, they just heard the words and forced me off.

There are things that trigger them because of laws and regulations like mentioning “bomb” (even if you’re describing something fantastic).

So messing with the gogo flight entertainment is up there with flirting with terrorism charges.

tl;dr: The firewall on the plane allows any traffic to pass on port 53 (to allow for DNS queries) but doesn't do any state inspection or rate limiting so you can do whatever you want on it.

> My roommate spent about an hour setting up a proxy server exposing port 53 using xray 1, and sent me the configuration via WeChat:

An hour!? As opposed to just spinning up an sshd on that port and coming in using ssh -D to establish a local socks proxy?

> Not law per se. More like contractual obligations taken upon by connecting to the flight's WiFi.

Well, being pedantic, you could be said to be breaking Civil Law. :)

Jest aside, IANAL but most western countries have some sort of Criminal Law relating to mis-use of computers.

A brief search for Canada reveals Criminal Code (R.S.C., 1985, c. C-46)[1].

Again IANAL, but from my reading in this scenario it would be (c) -> (a), "uses or causes to be used ... a computer system" to "obtains, directly or indirectly, any computer service".

[1]https://laws-lois.justice.gc.ca/eng/acts/C-46/section-342.1....

This was a thing back in the days too. You’d use a tool like iodine to tunnel ip through dns queries. Fun!

My question is: would proxying over SSH running on port 53 have worked? Seems simpler than using Xray.

I'm pretty "curious" when it comes to public networks. I'll scan coffee shops, stadiums, hotels, bus hotspots, anything I can connect to. Some networks are set up well, others not so much.

I would never in a thousand years run a sweep on an airplane network. That's massively risky, to the point you might never be allowed on a jet again. Anything to do with aviation I am on my absolute best behaviour.

I’ve been the unfortunate one who paid and endured the slow-barely-usable/mostly unusable speeds. However, that was before the Starlink era. So if you’re gonna pay for WiFi, it’s worth checking if the flight is equipped with Starlink.

> Here we exploited a simple cognitive bias: not all services using port 53 are DNS query requests.

Eh, I don’t think this is a result of cognitive bias. I’m sure the people involved in creating whatever hardware or software is running the network know that you can run other stuff on ports. More likely the extra effort involved in inspecting packets was not deemed worth the risk, a decision either made by the manufacturer of the hardware/software, or someone on Air Canada‘s IT team.

I mean, if everyone was watching 4k YouTube videos they probably couldn’t support it, right?

Same country that would be responsible if you stab your seat neighbor for taking too much space I‘d guess.

Why does Air Canada charges $30 for internet, that's brutal. Especially on 12hr flight where it should be provided for free imo.

Without commenting on the appropriateness of what they did, the author doesn't say they did anything like a sweep. It looks like they were manually poking a few things with dig and ping, not firing up nmap.

I find it's important to remember, too, that a failed PING tells you nothing other than your echo request did not receive a response. If the remote host received your request, and if it responded, are both things a failed PING can't tell you, because both of those things could be true but you still end up with a failed PING.

I've seen technicians get tripped up in troubleshooting thinking that a failed PING tells them more than it does. When the possibility of asymmetric return paths is involved it's always important to remember how little a failed PING actually tells you.

Many years ago, some dial-up providers in my city offered free public logins to use their websites (for scratch card activation, account renewal, user guides, and so on). Some companies also paid ISPs to have their sites and services accessible in similar fashion for promotional reasons.

At a certain provider, all those free logins used the same firewall configuration to only allow traffic to those free services and ISP site, probably for simplicity, so all of them were accessible with any promotional login. Most of them were not useful (to me), but different agreements with ISP resulted in different call time limit until hang-up, 10-15 minutes instead of 3-5.

However, the main treasure was the addition of external page translation service as a feature on some big site. Back then, it was strictly static and server-side, URL in request gave you its HTML source with translated text strings and absolute paths to external resources, so in order for translation to work, users needed to be able to access that third party server, too. Obviously, if you gave it any other URL, the server would also grab it to translate (and choosing least similar language in parameters would leave most of the page text intact).

You can imagine that having a browser supporting tabs and switching media off was very handy for loading as many free web pages in text only form as those dial-up sessions allowed.

Obviously, WWW-to-email services for people who only paid for mail server access had existed even before that.

It depends on which jurisdiction region wants to enforce the law. If someone wants to enforce a law, and it succeed, then the law of that jurisdiction region applies.

Circumventing security on a network, on a plane, is definitely up there regardless if you sweeped or not. IANAL but that could put you in DHS crosshairs.

To quote https://news.ycombinator.com/item?id=45537828

> This is likely another layer of security that they didn't break through:

> To prevent chat apps from consuming lots of bandwidth typically your connection is severely bandwidth restricted until you pay. If they didn't then someone could simply stream movies from their chat apps.

I’ve had to explain this over and over throughout my career. The only way to know if something is accessible is to try the exact endpoint and protocol. Even application-aware firewalls will mess with things at times.

Now imagine the same restrictions on your home Internet

I don't think so, compared to transcontinental, which lately (before Starlink) has been using the cell towers on the ground + satellite backhaul -- even paying would probably still result in a garbage experience.

> if you stab your seat neighbor for taking too much space

IIRC the way it works is that when you land (destination or forced landing elsewhere) the offender is delivered to the local competent authorities.

They then undertake an initial investigation and decide either to exercise their own jurisdiction or undertake extradition proceedings to send the offender to the country of registration of the aircraft.

In a scenario of (attempted)murder, I suspect that it is highly likely it would be dealt with in the local courts unless there was a specific external push for extradition.

The point of the convention is to ensure there is never no jurisdiction, i.e. the country of registration to the aircraft is always there as the ultimate fallback. The wording doesn't seek to strictly define the jurisdiction, which is why in most cases the delivery country has the option to take jurisdiction.

I didn’t see this, but the monster hacker blog post is up on archive. Honestly the person sounds like a kid:

https://web.archive.org/web/20250823174801/https://bobdahack...

> Remember talking about that with both other kids and adults without getting in trouble.

A few kids doesnt matter. A few adults is only a problem if it's their stuff (If they are teachers, they will care more about unautorized changes of the wallpaper in the computer of the school that anything in a remote computer.) And yuo can even later claim they misunderstood or you were exagerating.

But here is an in written report in front of thousands of persons and about planes that is a sensitive topic.

The point is that if the connection does have more bandwidth available they wouldn't get that extra bandwidth without paying.

That's Air Canada. They are already making you a favor by allowing on board.

I do not buy this.

I was on airplane with large aggressive dog, that was harassing other passengers. I was worried it would ampute my limb mid flight.

I voluntary left before take off, dog stayed!

If you move to an empty seat to prevent WiFi signal strength triangulation, and assuming the cabin has no cameras, you didn't auth to the network with identifiable information, actually encrypt your Xray proxy connection (which OP didn't), and you have MAC randomization on, there's next to no way the airliner would be able (or even care) to identify that you did what was described in the article. Sure, they could use DPI and behavioral analysis to detect you were misusing the network, but if they're doing that, they would just block this sort of "backdoor" from the get-go.

I'll echo the article's disclaimer: This reply is intended solely for educational and research purposes. I affirm the strict adherence to all relevant regulations and service terms.

I agree, this sounds a bit too stretched. Or maybe they were looking for any excuse under the sun to get someone off what could have been an overbooked flight. But just saying the two words "heart attack" would not be enough

And that can be a lot more subtle than you might think. I've had a persistent very hard to debug false alarm triggered on pings sometimes not making it and most of the time they did. But very rarely that would happen three times in a row and that was the threshold for raising an alarm. We spent days on this. Finally, the root cause was tracked down to a BNC 'T' connector at the back of a media adapter that filtered out the header of some percentage of ICMP packets. It is one of the weirdest IT problems I've ever encountered and it makes me wonder how much of what we rely on is actually marginal.

Could y'all point at instructions for how to imitate this limited internet situation ?

I ask because, two years ago, I was able to circumvent the Windows-11-requires-internet-and-a-microsoft-account part of the set up for a new laptop computer by doing this on a flight. Apparently, connecting to the airplane wifi (without yet logging in) was enough to satisfy the OS set-up, but limited enough that my laptop didn't require a microsoft account. With windows 10 now end of life, I will probably get a new desktop computer and would like to repeat the feat at home. Thanks

>Apparently, connecting to the airplane wifi (without yet logging in) was enough to satisfy the OS set-up, but limited enough that it didn't require a microsoft account.

Set up a wifi network with no internet? If you have a separate router/modem, just unplug your modem from your router. If your mode/router is combined unplug the coax/fiber/phone line.

Isn't this pretty straightforwardly "theft of service", like "stealing" cable TV service?

I highly doubt any airline staff are on your flight (or even remotely) counter-hacking one in a billion passengers messing around with the in-flight WiFi. That $30.75 they're not getting doesn't justify anyone looking into it.

>Especially on 12hr flight where it should be provided for free imo.

"Should" in the sense that "everyone should get free food, housing, and healthcare" or that other airlines actually provide it for free? I don't know of any airline that provides it for free, the most is some Asian/Gulf airlines providing "free for 1 hour" or similar. Compared to that, "free texting, unlimited" doesn't seem too bad, considering there are also trans-continental flights with no internet access at all.

> Especially on 12hr flight where it should be provided for free imo

That's junkie talk /s

No but seriously if you think Internet access is so vital that it has to be provided for free on a long-ish flight, you may have a problem. Watch an in-flight movie, read a book, take a nap, look out the window. There are many ways to pass 12 hours.

On a recent 12h Air New Zealand flight I went on they offered free wifi for everyone. They say you can:

- Browse the web.

- Send and receive emails and messages.

- Check and post to social media

In practice I think they just whitelist a few messenger apps. Everything else was unusable - I couldn't even load this site. Only had my phone so couldn't check if I was actually receiving any bytes from other sites, but it at least wasn't immediately blocked.

> It is one of the weirdest IT problems I've ever encountered and it makes me wonder how much of what we rely on is actually marginal.

Vernor Vinge had a character who was a "Programmer-Archeologist" on a relativistic starship. Feels more and more prescient as time goes on.

Most countries will have laws covering cases of unauthorized access, theft of services, and computer misuse.

The user agreement helps define the service as a paid service with defined access cases. Going around those would put the user in violation of some laws.

An analogy would be showing up to a paid event venue and noticing a back door was left open. Going into the building without paying is not okay, even though you never engaged with the ticket office to agree to anything.

FWIW, WhatsApp does (or did) support special price networking. I used to be the engineering side of that. But the supported offerrings were for special priced everything (text+mms+voip) or just text+mms if real time voice and video was not to be special priced. Text only was not a supported offering while I was there. And you needed to be a mobile carrier to get the information about IP ranges (the IP ranges were public but not directly linked early on, but got limited later).

That said, many networks did these sorts of things without communicating with WhatsApp. Even without knowing IP ranges. WA traffic is easy to spot. Chat has a destinctive protocol that's neither http, nor https; mms is https with obvious hostnames in SNI; voip looks like voip.

You might be able to trick in-air wifi by looking like WA chat, but I've never been interested enough to check while on a plane. I'd rather use the time to watch awful movies on a tiny screen with terrible audio conditions.

I thought that too up until this GenAI moment, and now I wonder if needing to be an archaeologist will be so valuable if one can get your needs met by a quickly GenAI-written script/program.

If the user routed all traffic through a WeChat or other messaging service, they would just be using messaging.

The exaltation displayed in this discussion thread is something everyone should ponder about. Some stupidity specific to certain era and place on Earth, just another tumour of uncontrolled bureaucracy which always grows, is discussed as some eternal property of God-given Universe.

Hijacked plane is a popular media spectacle with lots of ties to other images and scenes. Millions are ready to discuss it, or listen to the thrilling stories. “This is important for security!” is a shazam in that context. At the same time, much closer and routine dangers directly affecting many people (power plants, refineries, railroads and so on) are kept in check by underpaid workers who can't even make companies fix sensors or replace something until it is rusted through. Effectively, “this is not important for anything”, nor public is interested in TV shows about working pipeline that is not getting blown up. Those who want money and power naturally stick to impressions that work for the crowd they are given.

Propaganda is most successful when people do the required thing on their own, agree that it's absolutely impossible to evade, and even encourage each other. Something in this day and age makes people themselves adore certain forms of propaganda, and even demand to be told specific lies. Among other things, images of stupid social machines crushing someone (“they'll put you on the list”, etc.) seem to weirdly stimulate the crowd.

Even in so-called globalised world there are examples that crack the habituation. In country A, any big gathering of people needs to be formally approved, supplied with hordes of policemen (thankfully, not tanks), fences (thankfully, not barbed wire), entrance searches (thankfully, without stripping). When you ask anyone about that, they promptly respond with “What if terrorists/enemies decide to attack the crowd?” or “What if they start to riot?” (notice that “they”), etc. Even most obvious security theatre acts are automatically accepted with promotion to “psychological stuff that helps to detect those people in the crowd”. In country B, no less “civilised”, the same event is handled by some private company that is mostly worried about portable toilets or electric generators, and people come freely to the venue if they like it (just buy the ticket).

The odds of something wrong happening are roughly the same, but people reason about themselves and those around them very differently. That mental picture of the world shapes the thing that happens, not the alleged expert opinions or calculations.

iodine automatically checks several modes a "simple" proxy on port 53 being one of them. If you're trying to sneak traffic through this kind of block, it is really the first tool to try.

Dan Kaminski popularized this in 2007-8 or so. Not that it didn't exist here and there, but he made the perhaps first public version of a dns tunnel (ozyman). he inspired iodine and others and was a fairly well known guy.

Dan passed away in 2021, rip.

if you search for it its hard to find. his blog is down (hea dead...), and many companies and people talked about it on his behalf to drive traffic (hi duo sec..), so you can see the internet forget, rediscover, and rewrite some history even in a few years.

Do consumer rights exist in the skies? Genuine question!

I never understood the need to post about this. Just pay the $30 or just keep quiet so others can continue to browse for free.

I'm a SRE and encountered this recently. To prevent DDoS, there is a buffer setting on the kernel that will limit the number of pings (a few settings actually). So if you have a group of machines that all ping a single destination at once, it's very possible to have some that fail to get a reply.

Brave or stupid.

Yeah, I just flew WestJet from Canada to Honolulu and was amazed; full 1080p YouTube with no hiccups and I was able to play some (non-latency sensitive) online games, all over the Pacific. This was fully intentional; there wasn't any back-of-the-seat iPad for watching movies or anything, they straight up tell you to use your own device and watch Netflix. I did some research after and found a lot of airlines in NA are going to be rolling out satellite internet in the next year or two.

For some reason, being fully connected at 50mbps+ on a plane seems more futuristic sci-fi to me than everything AI.

I've yet to have my needs met by a GenAI-written script/program. Archaeologists tend to be a lot more precise in their statements, especially about what is speculation and what is not.

Oh, that's nasty. How long did it take you to troubleshoot that?

> - Browse the web.

> - Check and post to social media

> In practice I think they just whitelist a few messenger apps. Everything else was unusable

That was probably intentional, because to the vast majority of the users of these services, 'the web' is just a handful of the same social sites. As long as they can post a few things about their trip, that's the extent of the web access that they need or care to want. Sucks when you're expecting the whole kit and kaboodle, but the airlines seem to know their customers.

i appreciated this comment, even though it downplays real pragmatic concerns. from a security perspective, should getting on an airplane (especially for domestic flights) really be all that different from getting on a bus? are the potential outcomes different enough to justify the differences in security measures?

In my old company it was the oposite. Ping worked allways, even when you where blocked on to a specific VLAN.

> This was fully intentional; there wasn't any back-of-the-seat iPad for watching movies or anything, they straight up tell you to use your own device and watch Netflix.

Westjet has required you to use your own device for a long time now (10 years?), but they offer an app/website and streaming library that works for anyone who connects to the in-plane wifi, unrelated to actual access to the internet.

Interesting that they're telling you to use your own streaming app/account now. Did you still have to pay extra for internet access? Was the Westjet streaming app still available?

Relatively speaking, it wasn't that bad. It took a few weeks of getting trouble tickets with no root cause, and a bit of googling. But management wasn't okay with fixing the root cause, instead they just increased the timeout/retry window.

I've worked in gigs that wanted that. They were all about segmentation, but wanted ICMP echo / response available throughout.

I refuse to believe that anything important for flying the plane is actually hooked up to the system providing Netflix to passengers.

People do get nervous, and in theory you could probably break some kind of informational system utility if you kernel panic the box that booms up to the satellite receiver, but unless you're trying to get root on the plane's routers I don't believe there's a need to feel brave.

The braver part is publishing the results of this stuff online under your own name.

I don't think there are any net neutrality laws that don't exempt things like in-flight Wi-Fi, where the upstream is so heavily restricted that providing balanced services to everyone is basically impossible or leaves the entire connection useless.

With Starlink things may be looking a bit better, but I think demanding net neutrality on in-flight satellite internet and plane-to-cell-tower internet is excessive.

I had an experience setting up a third-party VPN where the echo responses were being delivered to the correct (host,interface) but with the wrong destination address (not the same as made the request)

Boot up a router without any ethernet cables hooked up to it. Or turn on tethering on your phone but disable mobile data.

I believe this trick doesn't work on Windows 11 anymore, though. Microsoft will happily wait for you to move some place with internet access to finish the OOBE, especially with upcoming changes where they disable various internal mechanisms to bypass the account restrictions.