byMs. Smith
Opinion
Aug 11, 20144 mins
Data and Information SecurityMicrosoftSecurity
Before you use a WiFi Pineapple in Vegas during a hackers' security conference, you better know what you are doing.
The WiFi Pineapple makes man-in-the-middle attacks incredibly easy, but users better know what they’re doing before trying out the Pineapple at the biggest hacker hangout in the U.S. A classic example of that wisdom can be seen via a screenshot tweeted by @JoFo after an intern deployed a Pineapple at Def Con 22.
Feel free to see it yourself in the original form, but the general gist is below…with creative asterisk spellings for words I can’t publish here. Hopefully you will be as amused by the message as I was.
Dear Lamer,
You just got popped with some 0-day s**t. Mess with the best and die like the rest. Should have just bought a t-shirt.
You’re going to mess around with someone’s Wi-Fi in Vegas at a f***ing hacker con? What the h*ll did you expect?
Your sh*t’s all wrecked now. If you really are the bad*ss you’re pretending to be, you ought to be able to fix it.
If you have no idea what is going on then I recommend you take this back to the Hak5 booth, ask for a refund, and stop sh***ing-up the Wi-Fi.
Read the f***ing code the next time you buy super elite skiddie hax0r gear. This s**t is criminally insecure.
Sincerely,
@IHuntPineapples
Apparently, @ihuntpineapples has a network at DEFCON that is popping shells on pineapples with an 0day.
— Brandon Perry (@BrandonPrry) August 8, 2014There is a fix if it was bricked or if it needed a firmware update, but if a person wanted to know more about the Pineapple, then the Def Con 22 Wireless Village would have been a good start. For example, Hak5’s Darren Kitchen and WiFi Pineapple developer Sebastian Kinne released new firmware 2.0. But, in theory, @IHuntPineapples used a zero-day exploit on the newest Pineapple firmware 2.0.0.
Step one: take advantage of someone’s brain fart of checking authentication in the footer after all the PHP runs
— I Hunt Pineapples (@ihuntpineapples) August 9, 2014Step 2: command inject. One possible: /components/system/karma/functions.php?client_list=true, POST remove_client=false mac=”;commands;”
— I Hunt Pineapples (@ihuntpineapples) August 9, 2014Kinne later took to the Hak5 forum to explain that 2.0.0 fixed numerous security issues, so long as the root password isn’t known. “If you know the root password, you can inject into POST or even some GET requests. You could also just use the functions.php in the configuration tile that will execute commands for you – a built-in function of the tile. We’ll have to lock that – and other things down now.”
We cannot really fix the fact that passwords can be sniffed over the open wireless – use a cable to manage it without the password leaking into the air. Only thing we could do in that regard is put self-signed SSL certs on every Pineapple… but that would be a hassle for everyone. Nginx DOES support SSL, so feel free to set that up.
TLDR: Download 2.0.1 once it’s out, it has the logout bug fixed.
The very same day, 2.0.2 was released.
Tripwire’s Craig Young, a security researcher for its Vulnerability and Exposure Research Team, also gave a “Pineapple Abductions” talk at the Wireless Village. He talked about poor SSL implementations and showed “how a simple hack with a Pineapple WiFi can be used to abduct, stalk, spy on, or even physically harm unsuspecting victims.”
Hak5 says it sells WiFi Pineapples to anyone, which has spurred folks to claim there are no legitimate uses for the Pineapple other than nefarious activities. Hak5 host Darren Kitchen has disputed that by stating, “The claim that the device has ‘no legitimate use’ contradicts the countless government agencies and penetration testers who’ve used the WiFi Pineapple in authorized security audits.”
As if “worrying” about G-men playing around with a Pineapple isn’t bad enough, wise folks might keep an eye open for War Kitteh or for “Denial of Service Dog” that walks around with a “saddle-bag containing the WiFi Pineapple Mark V wireless network hacker tool.”
Related content
- news analysisWill the public nature of ransom payments change CISO strategy over whether to pay? Reports identifying a $75 million ransom payment made in March by a Fortune 50 company raise some questions.By Evan SchumanAug 01, 20244 minsCSO and CISORansomwareSecurity
- newsDashlane study reveals massive spike in passkey adoption One in five users has at least one passkey stored, but a security consultant issues a reality check, saying in a sense ‘they are still passwords.’ By Paul BarkerJul 31, 20245 minsIdentity and Access ManagementSecurity
- brandpostSponsored by FortinetAs the skills gap grows, organizations should do these 3 things to enhance resiliency While many organizations are taking creative approaches to recruiting and hiring new cybersecurity talent, these efforts alone won’t immediately eliminate the growing skills gap. Here are three strategies organizations can take now.By Rob RashotteJul 31, 20245 minsSecurity
- feature7 top cloud security threats — and how to address them Dark and threatening, an insecure cloud should never be ignored. Here’s a rundown of the top threats you need to look out for.By John EdwardsJul 31, 20248 minsCloud SecurityCloud ComputingSecurity
- PODCASTS
- VIDEOS
- RESOURCES
- EVENTS
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.
