WiFi Pineapple: an appliance to do WiFi snooping, password sniffing, and site-spoofing

Cory Doctorow at 7:46 am Fri, May 11, 2012


The $90 WiFi Pineapple is now in its fourth iteration. The gadget does man-in-the-middle attacks on WiFi networks, allowing its owner to snoop on all the traffic, keylog password entries, and generally compromise the shit out of anyone using WiFi in the area. It's a damned good reason to use a VPN, like The Pirate Bay's IPREDator. Also: it has epic rickrolling potential.

The WiFi Pineapple Mark IV improves tremendously on previous models in both hardware capabilities and ease of use. Where the Mark III brought a completely redesigned web management interface, the Mark IV continues with plug & play 3G / 4G connectivity, automatic persistent reverse SSH tunnels and a simple status page, to name a few. The new control center shows at a glance connected clients' hostnames, IP addresses and Karma'd SSID, as well as signal strength, idle time and network throughput.

Hardware-wise, the Mark IV is built on a powerful Atheros AR9331 SoC at 400 MHz, over double that of the previous generation, and sports two Ethernet ports, 802.11 b/g and N connectivity, and, most notably, a USB 2.0 port, allowing for expansions like mass storage and 3G / 4G modems. *modem sold separately.

Also it's black, which adds at least 50 hacker points.

WiFi Pineapple Mark IV (via JWZ)


  • Katrina van Malksvig

    Could someone explain (in non-expert words) how using a VPN would protect against that sort of stuff. Surely the WiFi Pineapple owner could just sniff the VPN login, same way they can sniff all the other traffic?

    • Rob O’Dwyer

      The traffic over a VPN is encrypted, so it’s basically unreadable to the attacker. The protocol for associating to a VPN is also designed to prevent these kinds of “man-in-the-middle” attacks, using a complicated cryptographic exchange between the server and client. There might still be a problem if the WiFi Pineapple pretends to be the VPN server though, not sure if that is prevented as well.

      • Jerril

         You’d need more than just pretending to be the server IP address, though – from what I understand VPN tends to be paranoid on both ends, not just the server end. Everyone’s validating, not just the server. If things are sensible, then the client’s also validating with an RSA token or similar device, so even if the attacker can copy the users login attempt without decrypting it, it won’t be valid for more than 30 seconds… and even then they won’t be able to decrypt the response from the server so good luck with that.

      • nosehat

        I get why VPN is safe once the connection is established, but when you first connect to the VPN server, before the VPN connection is established, aren’t you sending your login and password as plaintext to the (potentially compromised) wifi router?

        • Rob O’Dwyer

          No, definitely not. Some kind of protocol like http://en.wikipedia.org/wiki/Transport_Layer_Security would be used, which does not send passwords in plain text. They use clever cryptographic tricks to allow both the client and server to verify that they both possess the key/password, without either actually sending it over the network.

        • Al Billings

           No, that would be dumb.

          • snubs

            http://hak5.org/ <– we also did a bunch of episodes recently about proxies, VPN's and tunnels.

  • Michael Curran

    It’s the same problem as sniffing SSL/TLS: the client won’t negotiate a session with the man-in-the-middle (mitm), because, in a properly configured VPN, the true host holds a secret that the mitm doesn’t know and can’t imitate trivially. The mitm can pass the encrypted traffic along and record a copy; it just can’t decrypt it.

  • Greg Bosen

    can i buy one with bitcoins?

  • ROSSINDETROIT

    For those confused about why this is dangerous, this device will respond to your computer’s search for a familiar WiFi network and impersonate that network.  This allows the operator of the Pineapple to snoop your unencrypted traffic.  Think of a fake Postal Service that intercepts all of your mail, only X 1000.

    • OoerictoO

      it’s not inherently dangerous.  it’s just a tool.  a hammer can kill someone, it can also build a house, and it can also protect the owner against intrusions…

      • semiotix

        Exactly. Like any other tool, this can be put to malicious purposes: stealing passwords, reading e-mails, all that bad stuff. 

        But you can also use it as a flimsy, lightweight hammer.

        (I know, I know, and I’m just kidding. But yyyyyyyyyyeah, people are going to use this to spy on the neighbors.)

  • OoerictoO

    been watching hak5, closeted, for years.  amazing how worlds collide.  most of their episodes are trivial, but often contain nuggets of learning, and some episodes delve deep into penetration testing techniques.  i’m not in security, so i find that stuff fascinating and enlightening, even if the hosts are somewhat annoying.  (sorry darren)

  • mamayama

    Pardon my ignorance: is this a danger for one’s home wifi network (with password, etc.), or does the Pineapple impersonate open wifi networks (airports, libraries, Starbucks), or both?  On open wifi, I only browse (read BoingBoing, etc.); my secure work I do only at password-protected wifi sites.  Can the Pineapple impersonate password protected wifi?

    • OoerictoO

      if your computer is configured to connect to a wifi AP automatically, when it sees it, in most cases, the OS doesn’t care if it’s password protected or not.  it’ll connect again.  try it… disable the password on your router (temporarily) and watch windows and OSX gleefully connect…

      the only way it’d be a danger on your own wifi network is if you do something silly with the data stored on the pineapple. i don’t believe they are configured by default to send the data anywhere or do any traffic re-routing or anything. but if you were on your own wifi network you could just use your own router or computer to slurp data…
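The two points above, that the Pineapple answers a client's probe for any remembered network and that clients will happily re-join a network they have saved, are both visible in the 802.11 management frames, so they can be detected from a monitor-mode capture. The following is an added example for this page (not Hak5's code and not part of the Pineapple firmware) that runs a Karma-style rogue-AP check over a hand-constructed frame list; the BSSIDs, client addresses and SSIDs are placeholders, and a real deployment would feed it frames decoded from a monitor-mode interface instead.

```python
"""Karma-style rogue AP detection over a constructed 802.11 frame list.
Added example for this page; it is not Hak5's code and not part of the
Pineapple firmware. The frames below are hand-constructed, and the
addresses and SSIDs are placeholders."""
from collections import defaultdict

# Constructed sample capture as (frame kind, transmitter address, SSID).
# "probe_req" is a client asking "is <SSID> here?"; a normal AP only
# answers for networks it actually beacons, a Karma AP answers for all.
SAMPLE_FRAMES = [
    ("probe_req",  "client-aa", "HomeNet"),
    ("probe_resp", "02:11:22:33:44:55", "HomeNet"),
    ("probe_req",  "client-aa", "CoffeeShop"),
    ("probe_resp", "02:11:22:33:44:55", "CoffeeShop"),
    ("probe_req",  "client-bb", "Airport_Free"),
    ("probe_resp", "02:11:22:33:44:55", "Airport_Free"),
    ("probe_req",  "client-bb", "OfficeWLAN"),
    ("probe_resp", "02:11:22:33:44:55", "OfficeWLAN"),
    ("beacon",     "00:aa:bb:cc:dd:ee", "CoffeeShop"),
    ("probe_req",  "client-aa", "CoffeeShop"),
    ("probe_resp", "00:aa:bb:cc:dd:ee", "CoffeeShop"),
]


def probed_networks(frames):
    """What any listener learns for free: each client's remembered SSIDs
    (broadcast probes with an empty SSID are ignored)."""
    seen = defaultdict(set)
    for kind, addr, ssid in frames:
        if kind == "probe_req" and ssid:
            seen[addr].add(ssid)
    return dict(seen)


def find_karma_aps(frames, min_ssids=3):
    """Flag transmitters that answer probes for several SSIDs they never
    beacon themselves. Returns {bssid: sorted impersonated SSIDs}."""
    answered = defaultdict(set)
    beaconed = defaultdict(set)
    for kind, addr, ssid in frames:
        if kind == "probe_resp":
            answered[addr].add(ssid)
        elif kind == "beacon":
            beaconed[addr].add(ssid)
    suspects = {}
    for bssid, ssids in answered.items():
        impersonated = ssids - beaconed[bssid]
        if len(impersonated) >= min_ssids:
            suspects[bssid] = sorted(impersonated)
    return suspects


if __name__ == "__main__":
    for client, ssids in probed_networks(SAMPLE_FRAMES).items():
        print(f"{client} leaked saved networks: {sorted(ssids)}")
    for bssid, ssids in find_karma_aps(SAMPLE_FRAMES).items():
        print(f"{bssid} answers for {len(ssids)} SSIDs it never beacons: {ssids}")
```

The legitimate access point in the sample answers only for the SSID it beacons and is not flagged; the rogue radio answers for four networks it never advertised. Access points that serve several SSIDs normally do so from distinct BSSIDs, so the per-BSSID comparison holds, but the threshold is a heuristic and should be tuned against a baseline capture of the site before anyone acts on an alert.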

  • Fred Drinkwater

    Jesus.  Do people really need ANOTHER reason not to live in a dense city?  Someone snooping my WiFi is going to be pretty obvious, since they’d have to be camped right outside my house.
    Seriously, folks.  Just what is the point of tech like this? I love a good (private) hack as much as the next guy, in fact I’ve been in the biz since before most of you were born.  But stop jerking yourselves off and think about the public culture this is promoting.

    • OoerictoO

      i honestly have no idea what you are saying.  but i can tell by your tone that i probably don’t like it. 
      If you were really in “the biz” since before “most of [us]” were born, you’d know what the point(s) are.

      • Fred Drinkwater

         I know all those points; it’s not like they’re secret.  What do they have to do with my argument?
        Also, your first sentence is a classic of projection.  Good job.  Do you read what you write before posting?

        • Al Billings

           I guess the point is that no one can understand your argument and, now, no one cares.

        • OoerictoO

           i’ll bite… again.
          i believe the point of developing the wifi pineapple, believe it or not, was not to convince @Fred Drinkwater of “all those points”.
          i don’t see how it produces any type of “public culture;” other than an educated one.

    • Cowicide

      since they’d have to be camped right outside my house.

      i’m a mile away n ur wifi

  • Cowicide

    If you’re not using a VPN at non https sites at public hotspots, you might as well hand over your passwords to random thugs on the street.

    • FelixDio

      I tried that (giving passwords to street thugs) once. They ripped up (encrypted) my note, stole my fags and beat my ass. Guess I fooled them!

      • Cowicide

        Hopefully they caught the cancer from your cigs.

    • OoerictoO

       in case anyone else cares, one can also use an SSH tunnel at a relatively known/safe exit point (EG: home).

      • Cowicide

        in case anyone else cares

        I care.

        • Antinous / Moderator

          Hey, I’m watching that now.

          • Cowicide

            I know… I’m watching it with you through your webcam. I warned you to stop using Windows before you’d get hacked.

  • Gene Poole

    Not to come off as retarded (I really know nothing about encryption), but would TOR protect against any of this in the same way that a VPN would? 

    • OoerictoO

      only offers relative protection if you trust the TOR exit node’s network more than the one you are on.

  • Glenn Fleishman

    You’re identifying a key conceptual issue that baffles most people most of the time. It’s the so-called “out of band” problem. How do you handle a secure exchange of credentials to build a secure “tunnel” or session when you’re on an untrusted medium—that is, nearly any network you use outside of a home or office (and sometimes even then).

    The trick is to establish trust in a channel before and outside of the method by which you’re making a secure connection. That involves some kind of shared secret that each party has separately agreed upon without using an untrusted network, or the use of trust proxies, like certificate authorities, that can vouch for the validity of associated security information.

    So, for instance, if we both agree that “pineapple” is our shared secret when we meet and whisper it in each other’s ears, and we use software that lets us communicate securely when we enter the same password in the shared secret field, we’re good.

    Likewise, Web browsers (and other things like email clients) can create a secure connection to a remote server using SSL/TLS, because that protocol relies on digital certificates that are cryptographically verified using pre-installed lists of certificate authorities in the browser or operating system. These lists have an entry with the crypto detail necessary, and are set when the system is installed or updated.

    When you create a VPN tunnel, you might be relying on both a shared secret and an SSL/TLS connection that requires relying on certificate authorities. The shared secret might be a key-generating dongle that was synchronized and registered with a central server, and which generates a new number every minute that the central server can validate separately.

    Thus, when you create a VPN session, you may enter your user name and password (and shared secret) as plain text in the VPN client, but the connection then wraps that information up in a secure way so that only the VPN server can decrypt it. Once you’re validated, some kind of handshaking occurs to create a strong session key used to encrypt the actual contents of your communications.
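The reason a relaying attacker loses, as Michael Curran and Glenn Fleishman describe above, is that the real endpoints hold something the attacker does not: a secret agreed out of band, or a certificate a trusted authority vouches for. The following added example (not code from the post or any commenter) runs a Diffie-Hellman key agreement between a client and a server twice, once honestly and once with a rogue access point substituting its own values on the wire, and then checks an HMAC over the transcript keyed by the out-of-band secret. The 127-bit group, the generator and the secret "pineapple" are demonstration assumptions, far too small and guessable for real use.

```python
"""Shared-secret authenticated key exchange versus a relaying attacker.
Added example for this page (not from the post or its commenters).
Assumptions: a toy 127-bit Diffie-Hellman group, far too small for real
use, and a fixed pre-shared secret exchanged out of band."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # Mersenne prime, demonstration only; real DH uses >= 2048-bit groups
G = 3


def dh_private():
    return secrets.randbelow(P - 3) + 2


def dh_public(x):
    return pow(G, x, P)


def session_key(shared_value):
    # P < 2**128, so the shared value always fits in 16 bytes.
    return hashlib.sha256(shared_value.to_bytes(16, "big")).digest()


def auth_tag(secret, role, own_pub, peer_pub):
    """HMAC over the transcript as this side saw it, keyed by the
    out-of-band secret. The role string stops a reflected tag from
    verifying at the other end."""
    msg = f"{role}|{own_pub}|{peer_pub}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def run_exchange(secret, mitm=False):
    """Alice (client) and Bob (server) agree a key. With mitm=True, Mallory
    (the rogue AP) replaces each public value with her own on the wire.
    She can relay the tags unchanged but cannot recompute them."""
    a, b, m = dh_private(), dh_private(), dh_private()
    A, B, M = dh_public(a), dh_public(b), dh_public(m)

    bob_sees = M if mitm else A      # what arrives at Bob as "Alice's value"
    alice_sees = M if mitm else B    # what arrives at Alice as "Bob's value"

    alice_key = session_key(pow(alice_sees, a, P))
    bob_key = session_key(pow(bob_sees, b, P))
    mallory_key_alice = session_key(pow(A, m, P))   # Mallory's key toward Alice
    mallory_key_bob = session_key(pow(B, m, P))     # Mallory's key toward Bob

    # Each endpoint authenticates the transcript it actually took part in,
    # and checks the peer's tag against the transcript it saw.
    tag_from_alice = auth_tag(secret, "client", A, alice_sees)
    tag_from_bob = auth_tag(secret, "server", B, bob_sees)
    alice_ok = hmac.compare_digest(
        tag_from_bob, auth_tag(secret, "server", alice_sees, A))
    bob_ok = hmac.compare_digest(
        tag_from_alice, auth_tag(secret, "client", bob_sees, B))

    return {
        "keys_match": alice_key == bob_key,
        "mallory_reads_alice": mallory_key_alice == alice_key,
        "mallory_reads_bob": mallory_key_bob == bob_key,
        "authenticated": alice_ok and bob_ok,
    }


if __name__ == "__main__":
    print("no attacker :", run_exchange(b"pineapple"))
    print("rogue AP    :", run_exchange(b"pineapple", mitm=True))
```

Without the tags, the rogue AP ends up sharing one key with each side and reads everything in the clear while both victims believe the session is encrypted; with the tags, both sides notice that the transcript they signed is not the one the peer signed, and the session is abandoned before any data flows. TLS and certificate-based VPNs replace the HMAC with a signature from the server's certificate, verified against the CA list Glenn describes, which is why a client that has been configured to skip certificate verification is exactly the case where a Pineapple posing as the VPN server succeeds. One caveat on the shared-secret form: a transcript HMAC keyed by a low-entropy password can be attacked offline from a captured exchange, so real systems use either a password-authenticated key exchange or certificates rather than a bare password.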