WiFi Pineapple: an appliance to do WiFi snooping, password sniffing, and site-spoofing


31 Responses to “WiFi Pineapple: an appliance to do WiFi snooping, password sniffing, and site-spoofing”

  1. Could someone explain (in non-expert words) how using a VPN would protect against that sort of stuff. Surely the WiFi Pineapple owner could just sniff the VPN login, same way they can sniff all the other traffic?

    • Rob O'Dwyer says:

      The traffic over a VPN is encrypted, so it’s basically unreadable to the attacker. The protocol for associating to a VPN is also designed to prevent these kinds of “man-in-the-middle” attacks, using a complicated cryptographic exchange between the server and client. There might still be a problem if the WiFi Pineapple pretends to be the VPN server though, not sure if that is prevented as well.

      • Jerril says:

        You’d need more than just pretending to be the server IP address, though – from what I understand VPN tends to be paranoid on both ends, not just the server end. Everyone’s validating, not just the server. If things are sensible, then the client’s also validating with an RSA token or similar device, so even if the attacker can copy the user’s login attempt without decrypting it, it won’t be valid for more than 30 seconds… and even then they won’t be able to decrypt the response from the server so good luck with that.

      • nosehat says:

        I get why VPN is safe once the connection is established, but when you first connect to the VPN server, before the VPN connection is established, aren’t you sending your login and password as plaintext to the (potentially compromised) wifi router?

  2. Michael Curran says:

    It’s the same problem as sniffing SSL/TLS, the client won’t negotiate a session with the man-in-the-middle (mitm), because, in a properly configured VPN, the true host holds a secret that the mitm doesn’t know and can’t imitate trivially. The mitm can pass the encrypted traffic along and record a copy, it just can’t decrypt it.

  3. Greg Bosen says:

    can i buy one with bitcoins?

  4. ROSSINDETROIT says:

    For those confused about why this is dangerous, this device will respond to your computer’s search for a familiar WiFi network and impersonate that network. This allows the operator of the Pineapple to snoop your unencrypted traffic. Think of a fake Postal Service that intercepts all of your mail, only X 1000.

    • OoerictoO says:

      it’s not inherently dangerous.  it’s just a tool.  a hammer can kill someone, it can also build a house, and it can also protect the owner against intrusions…

      • semiotix says:

        Exactly. Like any other tool, this can be put to malicious purposes: stealing passwords, reading e-mails, all that bad stuff. 

        But you can also use it as a flimsy, lightweight hammer.

        (I know, I know, and I’m just kidding. But yyyyyyyyyyeah, people are going to use this to spy on the neighbors.)

  5. OoerictoO says:

    been watching hak5, closeted, for years.  amazing how worlds collide.  most of their episodes are trivial, but often contain nuggets of learning, and some episodes delve deep into penetration testing techniques.  i’m not in security, so i find that stuff fascinating and enlightening, even if the hosts are somewhat annoying.  (sorry darren)

  6. mamayama says:

    Pardon my ignorance: is this a danger for one’s home wifi network (with password, etc.), or does the Pineapple impersonate open wifi networks (airports, libraries, Starbucks), or both?  On open wifi, I only browse (read BoingBoing, etc.); my secure work I do only at password-protected wifi sites.  Can the Pineapple impersonate password protected wifi?

    • OoerictoO says:

      if your computer is configured to connect to a wifi AP automatically, when it sees it, in most cases, the OS doesn’t care if it’s password protected or not.  it’ll connect again.  try it… disable the password on your router (temporarily) and watch windows and OSX gleefully connect…

      the only way it’d be a danger on your own wifi network is if you do something silly with the data stored on the pineapple. i don’t believe they are configured by default to send the data anywhere or do any traffic re-routing or anything. but if you were on your own wifi network you could just use your own router or computer to slurp data…

  7. Jesus.  Do people really need ANOTHER reason not to live in a dense city?  Someone snooping my WiFi is going to be pretty obvious, since they’d have to be camped right outside my house.
    Seriously, folks.  Just what is the point of tech like this? I love a good (private) hack as much as the next guy, in fact I’ve been in the biz since before most of you were born.  But stop jerking yourselves off and think about the public culture this is promoting.

    • OoerictoO says:

      i honestly have no idea what you are saying.  but i can tell by your tone that i probably don’t like it. 
      If you were really in “the biz” since before “most of [us]” were born, you’d know what the point(s) are.

      •  I know all those points; it’s not like they’re secret.  What do they have to do with my argument?
        Also, your first sentence is a classic of projection.  Good job.  Do you read what you write before posting?

        • Al Billings says:

          I guess the point is that no one can understand your argument and, now, no one cares.

        • OoerictoO says:

          i’ll bite… again.
          i believe the point of developing the wifi pineapple, believe it or not, was not to convince @google-4b3155a999a0ab195cfc77d07750cd0b:disqus of “all those points”. 
          i don’t see how it produces any type of “public culture;” other than an educated one.

    • Cowicide says:

      since they’d have to be camped right outside my house.

      i’m a mile away n ur wifi

  8. Cowicide says:

    If you’re not using a VPN at non https sites at public hotspots, you might as well hand over your passwords to random thugs on the street.

  9. Gene Poole says:

    Not to come off as retarded (I really know nothing about encryption), but would TOR protect against any of this in the same way that a VPN would? 

    • OoerictoO says:

      only offers relative protection if you trust the TOR exit node’s network more than the one you are on.

  10. You’re identifying a key conceptual issue that baffles most people most of the time. It’s the so-called “out of band” problem. How do you handle a secure exchange of credentials to build a secure “tunnel” or session when you’re on an untrusted medium—that is, nearly any network you use outside of a home or office (and sometimes even then).

    The trick is to establish trust in a channel before and outside of the method by which you’re making a secure connection. That involves some kind of shared secret that each party has separately agreed upon without using an untrusted network, or the use of trust proxies, like certificate authorities, that can vouch for the validity of associated security information.

    So, for instance, if we both agree that “pineapple” is our shared secret when we meet and whisper it in each other’s ears, and we use software that lets us communicate securely when we enter the same password in the shared secret field, we’re good.

    Likewise, Web browsers (and other things like email clients) can create a secure connection to a remote server using SSL/TLS, because that protocol relies on digital certificates that are cryptographically verified using pre-installed lists of certificate authorities in the browser or operating system. These lists have an entry with the crypto detail necessary, and are set when the system is installed or updated.

    When you create a VPN tunnel, you might be relying on both a shared secret and an SSL/TLS connection that requires relying on certificate authorities. The shared secret might be a key-generating dongle that was synchronized and registered with a central server, and which generates a new number every minute that the central server can validate separately.

    Thus, when you create a VPN session, you may enter your user name and password (and shared secret) as plain text in the VPN client, but the connection then wraps that information up in a secure way so that only the VPN server can decrypt it. Once you’re validated, some kind of handshaking occurs to create a strong session key used to encrypt the actual contents of your communications.
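The shared-secret case described in the comment above (both sides whisper “pineapple” to each other, then the software proves knowledge of it without ever sending it), as an added example that is not part of the thread and not the code of any VPN product. It is a toy mutual challenge-response built on HMAC from the Python standard library; the salt, the role labels, the nonce size and the message layout are this example’s own assumptions, not those of any real VPN handshake (IPsec/IKE and TLS-based VPNs do considerably more). Its point is the defender’s one made in the thread: a rogue access point that records the whole exchange captures no secret, cannot decrypt what follows, and cannot replay a recorded login against a fresh challenge.

```python
"""Added example: mutual challenge-response over a pre-shared secret."""
import hashlib
import hmac
import os

# Constructed, non-secret salt for this example. In a real deployment it would be
# configured or negotiated alongside the shared secret; it only needs to be agreed.
SALT = b"added-example-psk-salt"
NONCE_LEN = 16


def derive_key(shared_secret: str) -> bytes:
    """Stretch the human-memorable secret into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", shared_secret.encode("utf-8"), SALT, 100_000)


def proof(key: bytes, role: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """HMAC over both nonces plus a role label, so one side's proof cannot be reflected back."""
    return hmac.new(key, role + client_nonce + server_nonce, "sha256").digest()


def session_key(key: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Per-session traffic key bound to both nonces; the long-term key never leaves the endpoints."""
    return hmac.new(key, b"session" + client_nonce + server_nonce, "sha256").digest()


class Party:
    """One endpoint: holds the derived long-term key and a fresh nonce for this session."""

    def __init__(self, secret: str):
        self.key = derive_key(secret)
        self.nonce = os.urandom(NONCE_LEN)


def handshake(client: Party, server: Party, transcript: list) -> tuple:
    """Run the exchange. `transcript` collects every message exactly as an
    access point in the middle would see it. Returns (ok, client_key, server_key)."""
    # 1. Client -> Server: a random nonce, in the clear.
    transcript.append(("client->server", client.nonce))
    # 2. Server -> Client: its own nonce plus a proof that it knows the key.
    server_proof = proof(server.key, b"server", client.nonce, server.nonce)
    transcript.append(("server->client", server.nonce + server_proof))
    # 3. Client checks the server first, so a fake "VPN server" is rejected before
    #    the client commits anything that depends on its own key.
    expected = proof(client.key, b"server", client.nonce, server.nonce)
    if not hmac.compare_digest(expected, server_proof):
        return False, None, None
    # 4. Client -> Server: the client's proof; server verifies it the same way.
    client_proof = proof(client.key, b"client", client.nonce, server.nonce)
    transcript.append(("client->server", client_proof))
    expected = proof(server.key, b"client", client.nonce, server.nonce)
    if not hmac.compare_digest(expected, client_proof):
        return False, None, None
    return (True,
            session_key(client.key, client.nonce, server.nonce),
            session_key(server.key, client.nonce, server.nonce))


def secret_leaked(transcript: list, secret: str) -> bool:
    """Defender's check: does the recorded traffic contain the secret or the derived key?"""
    blob = b"".join(msg for _, msg in transcript)
    return secret.encode("utf-8") in blob or derive_key(secret) in blob


def replay_rejected(transcript: list, server: Party) -> bool:
    """Defender's check: a recorded client proof presented again in a new session
    (fresh server nonce) must fail, because the proof is bound to the old nonces."""
    recorded_client_nonce = transcript[0][1]
    recorded_client_proof = transcript[2][1]
    server.nonce = os.urandom(NONCE_LEN)  # new session, new challenge
    expected = proof(server.key, b"client", recorded_client_nonce, server.nonce)
    return not hmac.compare_digest(expected, recorded_client_proof)


if __name__ == "__main__":
    seen = []
    ok, ck, sk = handshake(Party("pineapple"), Party("pineapple"), seen)
    print("handshake ok:", ok, "| keys match:", ck == sk)
    print("secret visible to sniffer:", secret_leaked(seen, "pineapple"))
    print("replay rejected:", replay_rejected(seen, Party("pineapple")))
    print("wrong secret accepted:", handshake(Party("pineapple"), Party("pine4pple"), [])[0])
```

The order of the proofs is the detail worth noticing: the server proves itself first, which is what stops an access point that merely answers to the VPN server’s address from getting any further, and the per-session key depends on nonces neither side reuses, which is why a copy of the traffic is useless once the session ends.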
