There's a certain degree of doubt about whether it's possible to hack into an airplane's avionics from the in-flight Wi-Fi, as one security researcher claimed last year. But it's possible to do all sorts of things to fellow passengers—as USA Today columnist Steven Petrow recently found out. Following an American Airlines flight, Petrow was approached by a man who claimed to have gained access to the content of his e-mails, which showed communication with sources for a story Petrow was writing.
Petrow offered a bunch of advice on how to protect privacy on mobile devices (strong passwords, password managers, and encrypted communications apps). But none of these really addresses how he got "hacked"—the in-flight Wi-Fi provided a perfect environment for an attacker to undermine the security of other passengers' communications. It's something that could easily be fixed, but in-flight Internet providers are in no hurry to do so, because it's not in their interest.
When you're on any public Wi-Fi, you're bound to give up some personal information to anyone who might be watching the traffic (whether that be the company providing the service, for marketing purposes, or someone with more malicious intent). For example, in previous tests (such as the ones we conducted with NPR), we saw iPads and iPhones that identified themselves to the network by their owner's name, and Web requests to websites and mobile app traffic (some including personal data) were also visible. And as might have happened to Petrow, old-school POP/SMTP e-mail messages could be practically read off the wire.