WiFi Pineapple: an appliance to do WiFi snooping, password sniffing, and site-spoofing

The $90 WiFi Pineapple is now in its fourth iteration. The gadget does man-in-the-middle attacks on WiFi networks, allowing its owner to snoop on all the traffic, keylog password entries, and generally compromise the shit out of anyone using WiFi in the area. It's a damned good reason to use a VPN, like The Pirate Bay's IPREDator. Also: it has epic rickrolling potential.

The WiFi Pineapple Mark IV improves tremendously on previous models in both hardware capabilities and ease of use. Where the Mark III brought a completely redesigned web management interface, the Mark IV continues with plug & play 3G / 4G connectivity, automatic persistent reverse SSH tunnels and a simple status page, to name a few. The new control center shows at a glance connected clients' hostnames, IP addresses and Karma'd SSID, as well as signal strength, idle time and network throughput.

Hardware-wise, the Mark IV is built on a powerful Atheros AR9331 SoC at 400 MHz--over double that of the previous generation--and sports two Ethernet ports, 802.11 b/g and N connectivity, and, most notably, a USB 2.0 port, allowing for expansions like mass storage and 3G / 4G modems. *modem sold separately.

Also it's black, which adds at least 50 hacker points.

WiFi Pineapple Mark IV (via JWZ)


  1. Could someone explain (in non-expert words) how using a VPN would protect against that sort of stuff. Surely the WiFi Pineapple owner could just sniff the VPN login, same way they can sniff all the other traffic?

    1. The traffic over a VPN is encrypted, so it’s basically unreadable to the attacker. The protocol for associating to a VPN is also designed to prevent these kinds of “man-in-the-middle” attacks, using a complicated cryptographic exchange between the server and client. There might still be a problem if the WiFi Pineapple pretends to be the VPN server though, not sure if that is prevented as well.

      1. You’d need more than just pretending to be the server IP address, though – from what I understand VPN tends to be paranoid on both ends, not just the server end. Everyone’s validating, not just the server. If things are sensible, then the client’s also validating with an RSA token or similar device, so even if the attacker can copy the user’s login attempt without decrypting it, it won’t be valid for more than 30 seconds… and even then they won’t be able to decrypt the response from the server so good luck with that.

      2. I get why VPN is safe once the connection is established, but when you first connect to the VPN server, before the VPN connection is established, aren’t you sending your login and password as plaintext to the (potentially compromised) wifi router?

        1. No, definitely not. Some kind of protocol like http://en.wikipedia.org/wiki/Transport_Layer_Security would be used, which does not send passwords in plain text. They use clever cryptographic tricks to allow both the client and server to verify that they both possess the key/password, without either actually sending it over the network.

  2. It’s the same problem as sniffing SSL/TLS: the client won’t negotiate a session with the man-in-the-middle (mitm), because, in a properly configured VPN, the true host holds a secret that the mitm doesn’t know and can’t imitate trivially. The mitm can pass the encrypted traffic along and record a copy, it just can’t decrypt it.

  3. For those confused about why this is dangerous, this device will respond to your computer’s search for a familiar WiFi network and impersonate that network. This allows the operator of the Pineapple to snoop your unencrypted traffic. Think of a fake Postal Service that intercepts all of your mail, only X 1000.

    1. it’s not inherently dangerous.  it’s just a tool.  a hammer can kill someone, it can also build a house, and it can also protect the owner against intrusions…

      1. Exactly. Like any other tool, this can be put to malicious purposes: stealing passwords, reading e-mails, all that bad stuff. 

        But you can also use it as a flimsy, lightweight hammer.

        (I know, I know, and I’m just kidding. But yyyyyyyyyyeah, people are going to use this to spy on the neighbors.)

  4. been watching hak5, closeted, for years.  amazing how worlds collide.  most of their episodes are trivial, but often contain nuggets of learning, and some episodes delve deep into penetration testing techniques.  i’m not in security, so i find that stuff fascinating and enlightening, even if the hosts are somewhat annoying.  (sorry darren)

  5. Pardon my ignorance: is this a danger for one’s home wifi network (with password, etc.), or does the Pineapple impersonate open wifi networks (airports, libraries, Starbucks), or both?  On open wifi, I only browse (read BoingBoing, etc.); my secure work I do only at password-protected wifi sites.  Can the Pineapple impersonate password protected wifi?

    1. if your computer is configured to connect to a wifi AP automatically, when it sees it, in most cases, the OS doesn’t care if it’s password protected or not.  it’ll connect again.  try it… disable the password on your router (temporarily) and watch windows and OSX gleefully connect…

      the only way it’d be a danger on your own wifi network is if you do something silly with the data stored on the pineapple. i don’t believe they are configured by default to send the data anywhere or do any traffic re-routing or anything. but if you were on your own wifi network you could just use your own router or computer to slurp data…

  6. Jesus.  Do people really need ANOTHER reason not to live in a dense city?  Someone snooping my WiFi is going to be pretty obvious, since they’d have to be camped right outside my house.
    Seriously, folks.  Just what is the point of tech like this? I love a good (private) hack as much as the next guy, in fact I’ve been in the biz since before most of you were born.  But stop jerking yourselves off and think about the public culture this is promoting.

    1. i honestly have no idea what you are saying.  but i can tell by your tone that i probably don’t like it. 
      If you were really in “the biz” since before “most of [us]” were born, you’d know what the point(s) are.

      1.  I know all those points; it’s not like they’re secret.  What do they have to do with my argument?
        Also, your first sentence is a classic of projection.  Good job.  Do you read what you write before posting?

        1.  i’ll bite… again.
          i believe the point of developing the wifi pineapple, believe it or not, was not to convince @google-4b3155a999a0ab195cfc77d07750cd0b:disqus of “all those points”. 
          i don’t see how it produces any type of “public culture;” other than an educated one.

  7. If you’re not using a VPN at non https sites at public hotspots, you might as well hand over your passwords to random thugs on the street.

    1. I tried that (giving passwords to street thugs) once. They ripped up (encrypted) my note, stole my fags and beat my ass. Guess I fooled them!

    2. in case anyone else cares, one can also use an SSH tunnel at a relatively known/safe exit point (e.g.: home).

          1. I know… I’m watching it with you through your webcam. I warned you to stop using Windows before you’d get hacked.

  8. Not to come off as retarded (I really know nothing about encryption), but would TOR protect against any of this in the same way that a VPN would? 

    1. only offers relative protection if you trust the TOR exit node’s network more than the one you are on.

  9. You’re identifying a key conceptual issue that baffles most people most of the time. It’s the so-called “out of band” problem. How do you handle a secure exchange of credentials to build a secure “tunnel” or session when you’re on an untrusted medium—that is, nearly any network you use outside of a home or office (and sometimes even then).

    The trick is to establish trust in a channel before and outside of the method by which you’re making a secure connection. That involves some kind of shared secret that each party has separately agreed upon without using an untrusted network, or the use of trust proxies, like certificate authorities, that can vouch for the validity of associated security information.

    So, for instance, if we both agree that “pineapple” is our shared secret when we meet and whisper it in each other’s ears, and we use software that lets us communicate securely when we enter the same password in the shared secret field, we’re good.

    Likewise, Web browsers (and other things like email clients) can create a secure connection to a remote server using SSL/TLS, because that protocol relies on digital certificates that are cryptographically verified using pre-installed lists of certificate authorities in the browser or operating system. These lists have an entry with the crypto detail necessary, and are set when the system is installed or updated.

    When you create a VPN tunnel, you might be relying on both a shared secret and an SSL/TLS connection that requires relying on certificate authorities. The shared secret might be a key-generating dongle that was synchronized and registered with a central server, and which generates a new number every minute that the central server can validate separately.

    Thus, when you create a VPN session, you may enter your user name and password (and shared secret) as plain text in the VPN client, but the connection then wraps that information up in a secure way so that only the VPN server can decrypt it. Once you’re validated, some kind of handshaking occurs to create a strong session key used to encrypt the actual contents of your communications.
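The two mechanisms this comment (and the earlier reply about "clever cryptographic tricks") describes can be shown in a few lines. The following is an added illustration, not code from the post, from Hak5, or from any VPN product: a keyed challenge-response in which the shared secret ("pineapple", agreed out of band) never crosses the wire, with a simulated sniffer that records a genuine login and tries to replay it; and the RFC 6238 time-based token algorithm behind the "dongle that generates a new number every minute". The secret, the seed and the nonces are all constructed values.

```python
"""
Added illustration: proving possession of a shared secret to the other
side without ever transmitting it, plus a time-based token code.
All secrets, seeds and nonces below are constructed for the example.
"""
import hashlib
import hmac
import os
import struct
import time

# --- 1. Challenge-response over a shared secret -------------------------
# Both ends hold SHARED_SECRET (the "whispered" password from the comment).
# The server never asks for the secret itself; it sends a fresh random
# challenge and checks that the client can compute the keyed hash of it.

SHARED_SECRET = b"pineapple"          # constructed; agreed out of band


def new_challenge() -> bytes:
    """Server side: a fresh random nonce, never reused."""
    return os.urandom(16)


def respond(secret: bytes, challenge: bytes) -> str:
    """Client side: prove possession of `secret` without transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def verify(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    expected = respond(secret, challenge)
    return hmac.compare_digest(expected, response)


def simulate_eavesdropper() -> tuple:
    """
    Model a device that sees every byte on the wire: it records
    (challenge, response) from a genuine login and later tries to replay
    that response against a *new* challenge.
    Returns (genuine_login_ok, replay_ok).
    """
    # Genuine session: everything here is visible to the sniffer.
    captured_challenge = new_challenge()
    captured_response = respond(SHARED_SECRET, captured_challenge)
    genuine_ok = verify(SHARED_SECRET, captured_challenge, captured_response)

    # Later session: the server issues a different nonce, so the captured
    # response no longer matches, and the secret itself was never exposed.
    fresh_challenge = new_challenge()
    replay_ok = verify(SHARED_SECRET, fresh_challenge, captured_response)
    return genuine_ok, replay_ok


# --- 2. Time-based token (the "dongle that generates a new number") -----
# RFC 6238 TOTP: an HMAC over the current time step. Both sides hold the
# seed and a clock, so the code can be checked without the seed crossing
# the wire, and a captured code stops working at the next step.

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Return the token code for the time step containing `unix_time`."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(seed: bytes, code: str, unix_time: int, step: int = 60) -> bool:
    """Server check: accept only the current step, so old codes cannot be replayed."""
    return hmac.compare_digest(totp(seed, unix_time, step), code)


if __name__ == "__main__":
    ok, replayed = simulate_eavesdropper()
    print(f"genuine login accepted: {ok}, replayed capture accepted: {replayed}")
    seed = b"12345678901234567890"    # constructed seed (the RFC 6238 test seed)
    now = int(time.time())
    code = totp(seed, now)
    print(f"token now: {code}, valid now: {totp_valid(seed, code, now)}, "
          f"valid one minute later: {totp_valid(seed, code, now + 60)}")
```

Both halves rely on the same property the comment describes: the secret is established outside the untrusted link, and what does cross the link is a keyed hash that is useless without it. The `hmac.compare_digest` calls are the constant-time comparison a server should use so that response timing does not leak how many bytes matched. With `step=30` and `digits=8`, `totp` reproduces the RFC 6238 SHA-1 test vectors (for example time 59 gives `94287082`).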
