The Man in the Middle
He sees all the things.
While “Abusing the Internet of Things” wasn’t the greatest book I’ve ever read, it introduced me to a device that really piqued my interest. The natural assumption would be that it was an IoT gadget, but it’s not. It’s the amazingly cool WiFi Pineapple, a “wireless network auditing tool”.
What does “wireless network auditing” actually mean? At its core, the WiFi Pineapple is a tool that can help internet security researchers find vulnerabilities in wireless networks, and in the devices and applications that use wireless networks. It does this by playing Man In The Middle (MitM). By exploiting the surprisingly naive way wireless networks and clients work, the WiFi Pineapple will trick a wireless device, for instance your iPhone, into believing it’s connected to a well-known, secure wireless network, for instance your home network. But what your iPhone is really connected to is a wireless network controlled by the WiFi Pineapple, and all the data sent to and from your phone is passing through, and visible to, the WiFi Pineapple.
This means that all data that is not encrypted is available to whoever is in control of the device: Passwords, usernames, credit card numbers. Stuff like that. That you’re connected to a website that uses encryption might not be enough to keep your data safe, either. Some older browsers are vulnerable to the SSLStrip attack, where the browser is tricked into communicating unencrypted even though the website you’re using is encrypting the data that is sent between the server and the client. The WiFi Pineapple has built-in support for the SSLStrip attack.
HSTS is a technique that can be used to mitigate the SSLStrip attack, but it’s not perfect. With a new version of SSLStrip, SSLStrip+, and some DNS trickery, it’s possible to avoid the HSTS protection mechanism. While the WiFi Pineapple doesn’t support the SSLStrip+ attack yet, it’s only a question of time before that happens.
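As an added illustration (not code from the original post): a small Python check that grades a site’s Strict-Transport-Security header on the properties that decide how much of the SSLStrip/SSLStrip+ exposure HSTS actually removes. The one-year minimum max-age and the includeSubDomains/preload requirements are those published for the browser preload list and are assumed here; the sample headers are constructed.

```python
"""Grade a Strict-Transport-Security header against downgrade (SSLStrip) exposure.

Constructed example, not from the post. HSTS only protects a browser that has
already seen the header; the preload list closes the first-visit gap, and
includeSubDomains closes the gap a policy leaves for other hosts in the domain.
"""

# Assumption: one year, the minimum max-age the browser preload list asks for.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse an HSTS header value into a dict of directives (names lowercased)."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def assess_hsts(header):
    """Return a list of weaknesses; an empty list means the policy is preload-ready."""
    if header is None:
        return ["no HSTS header: every plain-HTTP request can be downgraded"]
    d = parse_hsts(header)
    issues = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("missing or malformed max-age: browsers ignore the policy")
    elif int(max_age) == 0:
        issues.append("max-age=0: the policy is cleared, not enforced")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        issues.append("max-age below one year: too short for the preload list")
    if "includesubdomains" not in d:
        issues.append("no includeSubDomains: other hosts in the domain stay downgradable")
    if "preload" not in d:
        issues.append("no preload: the first visit, before the header is seen, is unprotected")
    return issues


if __name__ == "__main__":
    # Constructed sample headers, from weakest to strongest.
    for h in [None, "max-age=0", "max-age=10886400", "max-age=31536000; includeSubDomains; preload"]:
        print(repr(h), "->", assess_hsts(h) or "ok")
```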
There’s a very fine line between being a security researcher and a criminal, though. Eavesdropping on other people’s communication can’t possibly be legal. Although I don’t know Norwegian law in detail, I assume snooping usernames and passwords is frowned upon, even if you have the best intentions and don’t plan to use whatever secret, private or confidential information you happen to come across for anything fishy. I’m guessing it’s especially frowned upon if you’re not just passively eavesdropping on insecure communication, but instead actively and intentionally tricking a browser into communicating insecurely, like in the SSLStrip example above.
Still, that doesn’t prevent me from wanting a WiFi Pineapple to play around with. I am, after all, one of the good guys. The current version of the WiFi Pineapple is the sixth iteration of the device, the WiFi Pineapple Nano. Right now, the Nano sells as an “Evaluation and Development Kit”, which means it can’t be considered a retail version yet. That said, manufacturer Hak5 states that the final hardware design has passed lab tests and is awaiting final certification. Also, judging from what I read on the Nano forum, the device seems to be ready for the limelight.
I’ve decided to wait for the final retail version to be ready, however, just to make sure any hardware quirks are ironed out. If the device doesn’t suddenly get a massive price increase compared to the dev kit’s $99.99 - like the Oculus Rift - I’ll very likely get one. And then you should probably turn off your phone whenever I’m nearby.