a.k.a. How to be disappointed again by UA
I was visiting New York University and Carnegie Mellon University. Flying from Beijing to New York, from New York to Pittsburgh, and from Pittsburgh to Beijing via Chicago, I chose United Airlines, an airline that suffers from previous scandals over ‘violently re-accommodating a customer’. It turns out that their in-flight entertainment system is torture too! This entry was written during the flight from Chicago to Beijing.
On UA851, I was trying to amuse myself by watching 29+1 (page in Chinese). I started out on my iPhone. The website said that I did not need special software to watch it, but it just didn’t work. Then I switched to my Surface. I couldn’t watch the movie with Edge. After a while of browsing their support page, I turned to Internet Explorer. It was even worse. The page kept reloading and a banner said
You are temporarily disconnected from the network, but the system is trying to reconnect you. If you continue to see this message, please refresh your browser. (Error 2002)
Obviously refreshing or even restarting the browser didn’t work. I was going nuts! Firing up the console, I found it flooded with ‘XMLHttpRequest: Network Error 0x80004004, Operation aborted’ messages, which indicated SSL/TLS failures. The network profiling tool showed that the JSON payload requested from https://services.inflightpanasonic.aero/inflight/services/mm/v3/?fn=start&nocache=<nonce>&device_id=<guid>&registered_instances=&media_uris=84478&media_types=vod&client_capability=bt&ppv_token= (part of the request is anonymised) was:
{
    "bandwidth_allocation_code": 200,
    "locations": [{
        "bt": 0,
        "lookup_code": 200,
        "media_uri": "84478",
        "media_url": "http://api.airpana.com:58000/media/uam111706648z4/uam111706648z4.m3u8",
        "media_url_list": [{
            "bt": 0,
            "media_url": "http://api.airpana.com:58000/media/uam111706648z4/uam111706648z4.m3u8",
            "rating": "160",
            "seek_delay": 0
        }],
        "parent_uri": "84478"
    }],
    "text": " - ",
    "ver": 2
}
Following the path, uam111706648z4.m3u8 contained:
#EXTM3U
#EXT-X-VERSION:4
#EXT-X-KEY:METHOD=AES-128,URI="https://airpana.com:58001/media-info/uam111706648z4/"
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="Mult_Audio",NAME="Chinese",LANGUAGE="49",DEFAULT=YES
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1200000,AUDIO="Mult_Audio"
uam111706648z4_video1.m3u8
The nested media listing file uam111706648z4_video1.m3u8 contained a bunch of .ts entries, which were encrypted video streams. Clearly, the key was located at https://airpana.com:58001/media-info/uam111706648z4/, which failed to load because of DLG_FLAGS_SEC_CERT_DATE_INVALID (‘The website’s security certificate is not yet valid or has expired.’).
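The failure traced above can be caught from the operator's side before passengers hit it. The following is an added example, not code from the original post or from the in-flight system: it parses the master playlist quoted above, pulls out the EXT-X-KEY URI, compares its origin with the media URL's origin, and classifies the key host's certificate validity window. The certificate dates and the clock value passed in are constructed sample values, since the page does not state them.

```python
import re
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Master playlist and media URL exactly as quoted on this page.
PLAYLIST = """#EXTM3U
#EXT-X-VERSION:4
#EXT-X-KEY:METHOD=AES-128,URI="https://airpana.com:58001/media-info/uam111706648z4/"
#EXT-X-MEDIA:TYPE=AUDIO,GROUP-ID="Mult_Audio",NAME="Chinese",LANGUAGE="49",DEFAULT=YES
#EXT-X-STREAM-INF:PROGRAM-ID=1,BANDWIDTH=1200000,AUDIO="Mult_Audio"
uam111706648z4_video1.m3u8
"""
MEDIA_URL = "http://api.airpana.com:58000/media/uam111706648z4/uam111706648z4.m3u8"
# CONSTRUCTED validity window in getpeercert() date format; the page gives no dates.
SAMPLE_CERTS = {"airpana.com": ("Jan  1 00:00:00 2016 GMT", "Jan  1 00:00:00 2017 GMT")}
ATTR = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def key_uris(playlist):
    """Return the URI attribute of every #EXT-X-KEY tag in the playlist."""
    tags = [l.split(":", 1)[1] for l in playlist.splitlines() if l.startswith("#EXT-X-KEY:")]
    attrs = [dict(ATTR.findall(t)) for t in tags]
    return [a["URI"].strip('"') for a in attrs if "URI" in a]

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def cert_status(not_before, not_after, now):
    """Classify the clock against the certificate's notBefore/notAfter."""
    t = now.timestamp()
    if t < ssl.cert_time_to_seconds(not_before):
        return "not-yet-valid"
    if t > ssl.cert_time_to_seconds(not_after):
        return "expired"
    return "valid"

def audit(playlist, media_url, certs, now):
    """Return (code, detail) findings for each key URI in the playlist."""
    findings = []
    for uri in key_uris(playlist):
        scheme, host, port = origin(uri)
        if (scheme, host, port) != origin(media_url):
            findings.append(("key-origin-differs", f"{scheme}://{host}:{port}"))
        if scheme == "https" and host in certs:
            status = cert_status(*certs[host], now)
            if status != "valid":
                findings.append(("key-cert-" + status, host))
    return findings
```

In a live check the dates would come from the notBefore and notAfter fields of the key host's certificate rather than from SAMPLE_CERTS.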
I WAS EXTREMELY UNSATISFIED BECAUSE THE INTERNET HAD ALREADY BEEN DOWN FOR 90 MINUTES OR SO AND I COULDN’T EVEN WATCH SOMETHING SERVED DIRECTLY FROM A SERVER IN THE FLIGHT.
I couldn’t connect to the Internet from my Surface (because I would rather not pay an additional $23.99, which I already did for my iPhone without a MileagePlus™ account), and therefore could not download some AES decryption software to decrypt the files locally and play them back.
As you might have noticed, the key was served from airpana.com:58001 while the videos were located on api.airpana.com:58000. This opened up an opportunity for solving the problem by mocking airpana.com.
First, start a VS command prompt with administrative privileges and execute the following command: (How did I know this command without the Internet? I had it saved in OneNote!)
makecert -r -pe -n "CN=airpana.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
Next, open Manage computer certificates (i.e., certlm.msc) and copy the newly generated certificate from Personal to Trusted Root Certification Authorities.
Then, download the files required by the website located on airpana.com (in my case, there were two files, one the key, the other /crossdomain.xml), store them in some folder (e.g., C:\Users\<UserName>\Documents\airpana_mock), and assign an appropriate ACL to the folder and its descendants (simply grant full control to Everyone).
Finally, open IIS Manager, add a site bound to https://airpana.com:58001 with the newly generated certificate, and edit hosts to hijack airpana.com to 127.0.0.1.
All set. Now flush your f*cking DNS with ipconfig /flushdns and watch your f*cking movie!
P.S. 1 I was asked by a passenger sitting two seats away from me whether I was tampering with their service to (illegally) gain access to the Internet. No, I just wanted to watch their f*cking movie. And I actually paid for the Internet for my iPhone. But yes, I was tampering with (pronounced ‘fixing’ or ‘working around’) the (broken) system.
P.S. 2 Even though I didn’t look closely, I could tell that the front-end code of United Wi-Fi is quite scattered.
P.S. 3 There really isn’t any point in encrypting things with a static key that everyone has access to.
P.S. 4 The film itself is great!
P.S. 5 Another way to work around this issue is to temporarily change the system time so that the certificate becomes ‘valid again’. However, this is less favourable as it uses a global approach to a local problem. Though the system is not connected to the Internet during the flight, there might be all sorts of mismatches in system logging or whatever.