Not too long ago I was reading a piece on the interwebs called The Beginners Guide to Breaking Website Security with Nothing More than a Pineapple (that title is a direct link to the page on author Troy Hunt’s blog). It isn’t a piece for the technically faint hearted, so I’ll try for a quick summary: there’s an inexpensive device called the Pineapple that ruthlessly exploits how trusted wifi connections work. Wireless devices are constantly calling out to known connection points, so if your home router is called MyHomeNet, then when the mobile device you connected to it in the house is out and about it periodically calls “is MyHomeNet there?” into the ether to see if the router is around to make a connection… and the Pineapple listens for these calls and responds, pretending to be whatever Service Set Identifier (SSID from here onwards) the device is asking for. Strap that to a laptop running Wireshark, share internet connectivity through another network connection and you’ve got a “man in the middle” listening post watching unsuspecting people’s traffic.
That’s quite alarming, but although I’m usually a lovely, fluffy bunny it also set the more nefarious, black hat wearing side of my mind working. Fast food restaurants, coffee shops, hotels and even supermarkets offer free wireless, and many of these access points appear as unencrypted networks; connecting pushes the user to a landing page where they enter a mobile number, which is then texted a code that unlocks the service. But as noted, the access point itself in these systems just appears as an unsecured wireless network, so what happens if a mobile device configured to log in automatically on one of these services comes across another network with a matching SSID?
Here’s my 1337 h4x0r rig to look into that question and yes, that’s sarcasm because it’s thrown together from scrap and spares. I’m using a battered Acer TravelMate 2350 which was dropped and half killed in a former life, connected to a D-Link wireless router which has been configured to broadcast the SSID of a national supermarket chain’s free wifi service. And when this pile of junk went online, my old Blackberry Curve which had previously been taught the same SSID from one of the supermarket’s access points earlier in the day automatically connected with absolutely no questions asked!
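To make the two points above concrete (the client only matches on the SSID string and security type when it reconnects, and a second radio announcing a known name is therefore the thing a defender should look for), here is an added Python example that is not part of the original post. It simulates the device-side matching rule that let the Blackberry join the spoofed supermarket network, and it runs a simple evil-twin check over a list of beacon observations. The beacon list, the allow list of trusted radios and the saved profiles are all constructed sample data, not a real capture.

```python
from collections import defaultdict

# Constructed sample beacon observations (not a real capture):
# (ssid, bssid, channel, encrypted)
SAMPLE_BEACONS = [
    ("MyHomeNet", "aa:bb:cc:11:22:33", 6, True),
    ("MyHomeNet", "aa:bb:cc:11:22:33", 6, True),             # duplicate beacon, same radio
    ("SupermarketFreeWifi", "00:11:22:aa:bb:cc", 1, False),  # the genuine hotspot
    ("SupermarketFreeWifi", "de:ad:be:ef:00:01", 11, False), # same name, different radio
    ("MyHomeNet", "de:ad:be:ef:00:02", 11, False),           # home SSID seen open, away from home
]

# Allow list of radios we trust per SSID (assumption: recorded by the operator
# on a known-good day, e.g. from the router's label or a clean survey).
TRUSTED = {
    "MyHomeNet": {"bssids": {"aa:bb:cc:11:22:33"}, "encrypted": True},
    "SupermarketFreeWifi": {"bssids": {"00:11:22:aa:bb:cc"}, "encrypted": False},
}

# Profiles a phone has remembered: SSID -> whether the saved network was encrypted.
# A client reconnects on SSID and security type alone; it does not pin the BSSID.
SAVED_PROFILES = {"MyHomeNet": True, "SupermarketFreeWifi": False}


def group_by_ssid(beacons):
    """Map each SSID to the set of BSSIDs seen advertising it."""
    seen = defaultdict(set)
    for ssid, bssid, _channel, _encrypted in beacons:
        seen[ssid].add(bssid)
    return dict(seen)


def find_suspects(beacons, trusted):
    """Return {(ssid, bssid): [reasons]} for beacons that contradict the allow list."""
    findings = defaultdict(list)
    for ssid, bssid, _channel, encrypted in beacons:
        profile = trusted.get(ssid)
        if profile is None:
            continue  # an SSID we never trusted is not our concern here
        key = (ssid, bssid)
        if bssid not in profile["bssids"]:
            reason = "unknown BSSID advertising a trusted SSID"
            if reason not in findings[key]:
                findings[key].append(reason)
        if encrypted != profile["encrypted"]:
            reason = "security setting differs from the trusted network"
            if reason not in findings[key]:
                findings[key].append(reason)
    return dict(findings)


def autoconnect_candidates(saved_profiles, beacons):
    """Simulate the client-side rule: which observed radios would a device with
    these saved profiles join without asking? Matching is on SSID and security
    type only, which is why the phone joined the look-alike open network."""
    candidates = []
    for ssid, bssid, _channel, encrypted in beacons:
        if ssid in saved_profiles and saved_profiles[ssid] == encrypted:
            if (ssid, bssid) not in candidates:
                candidates.append((ssid, bssid))
    return candidates


if __name__ == "__main__":
    for ssid, bssids in group_by_ssid(SAMPLE_BEACONS).items():
        print(f"{ssid}: {len(bssids)} radio(s) -> {sorted(bssids)}")
    for (ssid, bssid), reasons in find_suspects(SAMPLE_BEACONS, TRUSTED).items():
        print(f"SUSPECT {ssid} from {bssid}: {'; '.join(reasons)}")
    print("device would auto-join:", autoconnect_candidates(SAVED_PROFILES, SAMPLE_BEACONS))
```

Run it as a script and it reports the second supermarket radio as a suspect and lists it among the networks a device with a saved open profile would join, while the open "MyHomeNet" beacon is flagged twice (unknown radio and wrong security type) and is not auto-joined because the saved home profile expects encryption. The same shape of check can be fed from a real survey tool's output once the allow list has been built from a known-good day.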
So what can we take away from this apart from a nagging paranoia? Well, anybody who works in IT has probably known for a while that wifi security is at best adequate and anybody with the right tools but no morals can at least theoretically crack into your router or access point if the shared pass phrase is weak enough. And television programmes like The Real Hustle have demonstrated how con artists use wifi, but this is in a way that requires marks to connect to a bogus SSID so the grifter risks discovery by placing themselves in or near the location of the network they’re spoofing (here’s a clip and this is really worth a watch if you use a laptop or other mobile device when traveling).
But what the Pineapple does is a different matter: it works anywhere and abuses the trust wireless devices have when it comes to networks, so users can just be wandering along and minding their own business whilst the connection is made to their mobile device and all traffic for social media or email starts going through a monitored connection. The golden rules seem to be: don’t let your mobile devices remember shared networks like the ones in public places (so delete the connection when you’re finished, and that goes for the Apple Demo network some Apple stores use to demonstrate wifi use to their customers), turn off the device’s wifi completely when not using it, and don’t use public connections to log into email accounts, online banking, Paypal, eBay, forums or anything else where losing control of the account would be a bad thing.