SXSW: 'Hot-spot honeypot' hacker's heaven

For a hacker, the thousands of smartphone junkies tweeting and checking in on Foursquare at South by Southwest are like a flock of lambs.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Darren Kitchen, 29, founder of Hak5 and creator of the WiFi Pineapple Mark IV honeypot. Declan McCullagh/CNET

AUSTIN, Texas--Some funny things were happening at the South by Southwest conference here today. My virtual private network connection kept getting disabled, and even stranger, on a friend's laptop a window popped up showing an animated cartoon cat flying through the air with a rainbow in its wake.

The image, known as Nyan Cat after a popular 2011 Internet meme, immediately alarmed me because it was used by the hacker group LulzSec on at least one occasion. I joked about being hacked, and my friend quickly turned off his laptop.

A few minutes later we found the culprit around the corner standing in a Starbucks line: Darren Kitchen, founder of the Hak5 show, who had just given a talk about security at the conference. In his session he demonstrated for the audience how easy it can be to intercept unsecured Wi-Fi connections with a special router and custom software he wrote that he calls the WiFi Pineapple. His talk was appropriately titled "Securing Your Information in a Target Rich Environment." During the demo, audience members who were surfing the Web were surprised when the silly music that plays during the Nyan Cat video blared out of their laptops.

Thousands of SXSW attendees with lots of social-media moxie but little to no security savvy were easy prey for a hacker like Kitchen. The interface he was using on his Galaxy Note smartphone showed a long list of BlackBerrys, iPhones, Androids, and laptops that thought they were connecting to the hotel or Starbucks Wi-Fi (which uses the name "attwifi"), but were actually being tricked by Kitchen's WiFi Pineapple. "Nobody has any sense of security here," he said, scrolling through the list of devices connected to his Wi-Fi router.

If he wanted to, Kitchen could do something malicious, like a man-in-the-middle attack, and steal passwords and other data from unwitting victims. But his mission is to educate people by demonstrating what the risks are and not attack them. So his device was programmed to replace every Web page on the Internet with a Nyan Cat.

"When the device is kicked off it tries to get back on the network, and since I'm in closer proximity than the Wi-Fi router, it picks up my signal instead," Kitchen said. "In the demo I had half the audience connected to my Wi-Fi router."

Basically, his WiFi Pineapple is what is known as a "Hot-spot Honeypot" that attracts devices looking to connect to Wi-Fi. Devices send out probe requests whenever Wi-Fi is enabled, either when the user turns it on or when the device is switched on and enables Wi-Fi automatically. The probes ask for a connection to any of the Wi-Fi networks the device has remembered. Kitchen's router pretends to be whichever Wi-Fi network the user's device is seeking. This only works with an open Wi-Fi network, not one that's protected with the WPA encryption standard, which requires users to type in a password to connect. "It's an inherent flaw in the trust model of open Wi-Fi," he said.

Prototype software on his laptop was doing something similar with Wi-Fi connections, only the messages it was sending were de-authorization packets to interfere with the current Wi-Fi connection by saying the security equivalent of "this is not the Wi-Fi router you are looking for."
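Both behaviours described above leave traces a wireless sensor can flag: one radio answering probes for many unrelated network names, and a burst of de-authorization frames. The following detection sketch is an added example, not code from the article or from Hak5; the frame records are constructed sample data, and the thresholds and field layout are assumptions.

```python
from collections import defaultdict

# Constructed sample: (time_s, frame_type, source_bssid, client, ssid), as a
# monitor-mode sensor might summarize 802.11 management frames.
FRAMES = [
    (0.0, "probe_resp", "aa:aa:aa:00:00:01", "c1", "attwifi"),
    (0.4, "probe_resp", "de:ad:be:ef:00:01", "c1", "attwifi"),
    (0.9, "probe_resp", "de:ad:be:ef:00:01", "c2", "HomeNet-2G"),
    (1.3, "probe_resp", "de:ad:be:ef:00:01", "c3", "HotelGuest"),
    (1.8, "probe_resp", "de:ad:be:ef:00:01", "c4", "linksys"),
    (2.0, "deauth", "aa:aa:aa:00:00:01", "c1", None),
    (2.2, "deauth", "aa:aa:aa:00:00:01", "c2", None),
    (2.4, "deauth", "aa:aa:aa:00:00:01", "c3", None),
    (2.6, "deauth", "aa:aa:aa:00:00:01", "c4", None),
    (2.8, "deauth", "aa:aa:aa:00:00:01", "c5", None),
    (40.0, "deauth", "bb:bb:bb:00:00:02", "c9", None),
]

def multi_ssid_responders(frames, max_ssids=2):
    """BSSIDs that answered probes for more than max_ssids distinct names.
    A normal access point answers only for the network(s) it really serves."""
    seen = defaultdict(set)
    for _, ftype, bssid, _, ssid in frames:
        if ftype == "probe_resp" and ssid:
            seen[bssid].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) > max_ssids}

def deauth_bursts(frames, window=5.0, threshold=4):
    """Source addresses with >= threshold deauth frames inside any window
    of `window` seconds. Returns the peak count seen per source."""
    times = defaultdict(list)
    for ts, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            times[bssid].append(ts)
    flagged = {}
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged

if __name__ == "__main__":
    print("multi-SSID responders:", multi_ssid_responders(FRAMES))
    print("deauth bursts:", deauth_bursts(FRAMES))
```

The source address on a de-authorization frame can be forged, so a flagged address in the second check identifies the network being disrupted rather than the device sending the frames.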

The problem is that devices are set to remember networks they've connected to in the past and to reconnect automatically when in range. "The security is in the way vendors implement it and all they care about is network name," Kitchen said. The solution would be to require a challenge-and-response protocol for authentication and encryption, he said. But the mobile device makers haven't implemented that, probably because users would need to make a few more clicks to get on the network, he added.

Kitchen has a more ominous version of his WiFi Pineapple that resides in a simple aluminum box with a rechargeable lithium battery and magnets on the back so he can attach it to many surfaces in public spaces. He attached one on an ATM and an escalator. The box also could easily be designed to plug into a hidden wall outlet under a hotel hallway bench, for instance. "You could plug it into an outlet and remote-in over a 3G network and it can stay there forever," he said.

Kitchen sells his WiFi Pineapple for $90, mostly to governments and to security professionals who are hired by corporations to do penetration testing of their own networks as part of security audits.