To access your bank account…
About 10 years ago a company called Hak5 produced a WiFi gadget called the Pineapple. The intended market was penetration and security testers, but anyone can buy one for around $100. The way the device works is simple: connect it to your laptop and it listens for the network names nearby devices are looking for (it can also clone the access points it sees), then answers as if it were those networks. Clients that take the offer are connected through it, and it strips HTTPS: the Pineapple keeps the encrypted connection to the real site for itself and hands the client plain http, so the client ends up on http even when it asked for https. All data passing through the Pineapple is made available to the operator. Yup, that's everything, including any log-on details…
Hopefully, you’ve just sussed that the Pineapple is the perfect ‘man in the middle’ attack, and you don't have to be in Sainsburys or any other public WiFi place for an attack to succeed.
This is because your laptop or phone remembers every WiFi network it has joined and keeps asking for them. If it detects a network with one of those names, such as the one the Pineapple presents, it will attempt to connect to it, without you doing anything.
Oh fuck! This really is fairly serious…
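To make the auto-join problem concrete, here is a small model of it in Python. This is an added example, not code from the original post or from Hak5: it simulates a laptop that probes for every remembered network, a rogue access point that answers every probe with an open network of that name (the Pineapple's behaviour as described above), and a client join policy that is an assumption of this example (join only when the name and the security type both match what was remembered). The network names are constructed sample data.

```python
"""Model of why remembered open Wi-Fi networks are the problem.

Added example, not from the original post. The client policy below is an
assumption for illustration; real supplicants differ in detail.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    security: str  # "none" for an open network, "wpa2" for WPA2-PSK


# Constructed sample: a laptop's preferred-network list
REMEMBERED = [
    Network("Sainsburys-Free-WiFi", "none"),
    Network("HomeNet", "wpa2"),
    Network("CoffeeShop", "none"),
]


def rogue_ap_answer(probe_ssid):
    """What a Karma-style rogue AP does: claim to be whatever was probed for.

    It does not know anyone's WPA passphrase, so the only network it can
    actually run for a client is an open one.
    """
    return Network(probe_ssid, "none")


def client_would_join(remembered, offered):
    """Client auto-join policy (assumption): join only if a remembered network
    has the same name AND the same security type. A remembered WPA2 network is
    not satisfied by an open impostor, and an impostor claiming WPA2 could not
    complete the 4-way handshake without the real passphrase anyway.
    """
    return offered.ssid == remembered.ssid and offered.security == remembered.security


def auto_joined_networks(remembered):
    """Return the names of remembered networks the rogue AP would capture."""
    captured = []
    for net in remembered:
        offered = rogue_ap_answer(net.ssid)
        if client_would_join(net, offered):
            captured.append(net.ssid)
    return captured


def forget_open_networks(remembered):
    """The remediation: drop every remembered network whose security is none."""
    return [n for n in remembered if n.security != "none"]


if __name__ == "__main__":
    print("captured before:", auto_joined_networks(REMEMBERED))
    print("captured after forgetting open networks:",
          auto_joined_networks(forget_open_networks(REMEMBERED)))
```

The point the model makes is that the WPA2 network is never at risk from the impostor, because the impostor cannot prove it knows the passphrase, while every remembered open network is joined silently. One caveat that the model does not show: an impostor that advertises WPA2 can still collect the client's half of the handshake and try to crack a weak passphrase offline, which is a reason to use a strong passphrase, not a reason to keep open networks around.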
So how do you prevent this?
- When using a public WiFi connection, assume that whoever runs the network, or is impersonating it, can see everything that is not encrypted end to end, so never use your credit card, access your bank account, or do anything remotely sensitive that involves a log-in.
- Avoid open networks. Use only those that are WPA encrypted: the Pineapple cannot join you to a WPA network without knowing its passphrase. In public WiFi spaces check for https as opposed to http in the address bar, and if you don't see an https connection then switch off WiFi.
- Use a VPN. The Pineapple then sees only encrypted tunnel traffic rather than your sessions, though anything sent before the tunnel is up, or after it drops, is still exposed.
- Avoid public WiFi, and remove from your settings any that you have used. On a Mac:
- System Preferences > Network > Wi-Fi > Advanced
- In the preferred networks list, select any where Security = None and click the minus sign
- The browser add-on HTTPS Everywhere forces https where a site supports it, so it may assist in defeating such an attack. (It has since been retired by the EFF because current browsers offer an HTTPS-only mode that does the same job; turn that on instead if your browser has it.)
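The downgrade that makes "check for https" matter, and the browser-side defence that the last two bullets are really about, can be modelled in a few lines of Python. This is an added example, not code from the original post or from Hak5. It rewrites a constructed sample of a bank's HTTPS response the way an HTTPS-stripping proxy does (https:// links become http:// and the Strict-Transport-Security header is dropped), automates the manual "is the login page https?" check, and models a browser's HSTS list so you can see why a site that the browser has previously seen over a trusted connection is protected. The host name bank.example, the sample page, and the two client policies are assumptions for illustration.

```python
"""Why 'check for https' works, and why the browser should do it for you.

Added example, not from the original post. bank.example and the response
below are constructed sample data; the HSTS model honours only max-age.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: what the real site returns over HTTPS
UPSTREAM_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
UPSTREAM_BODY = (
    '<a href="https://bank.example/login">Log in</a>'
    '<form action="https://bank.example/login" method="post">'
)


def strip_downgrade(headers, body):
    """The downgrade as the post describes it: the victim only ever sees http://.

    The proxy also drops the HSTS header so the browser never learns that
    this host insists on TLS.
    """
    stripped_headers = {k: v for k, v in headers.items()
                        if k.lower() != "strict-transport-security"}
    stripped_body = body.replace("https://", "http://")
    return stripped_headers, stripped_body


def form_actions(body):
    """URLs that a form on the page would submit credentials to."""
    return re.findall(r'action="([^"]+)"', body)


def login_page_is_https(page_url, body):
    """The post's manual check, automated: the page itself and every form it
    would submit to must be https://. Anything else means do not log in.
    """
    if urlsplit(page_url).scheme != "https":
        return False
    return all(urlsplit(a).scheme == "https" for a in form_actions(body))


class HstsStore:
    """Minimal model of a browser's HSTS list (assumption: only max-age is used)."""

    def __init__(self):
        self.hosts = {}

    def learn(self, host, headers):
        value = headers.get("Strict-Transport-Security", "")
        m = re.search(r"max-age=(\d+)", value)
        if m and int(m.group(1)) > 0:
            self.hosts[host] = int(m.group(1))

    def may_fetch(self, url):
        """A plain-http URL for a known host is refused; the browser would
        upgrade it to https itself before anything leaves the machine."""
        parts = urlsplit(url)
        return parts.scheme == "https" or parts.hostname not in self.hosts


def victim_exposed(visited_site_on_trusted_network):
    """Return True if the victim would submit a login over plain HTTP while
    sitting behind the stripper."""
    store = HstsStore()
    if visited_site_on_trusted_network:
        store.learn("bank.example", UPSTREAM_HEADERS)
    # Later, on the rogue network: the user types bank.example and the
    # browser starts with http://, which is what the stripper relies on.
    victim_url = "http://bank.example/login"
    if not store.may_fetch(victim_url):
        return False  # browser upgrades to https; the stripper sees only TLS
    _, body = strip_downgrade(UPSTREAM_HEADERS, UPSTREAM_BODY)
    return not login_page_is_https(victim_url, body)


if __name__ == "__main__":
    print("first visit through the pineapple, exposed:", victim_exposed(False))
    print("site seen before on a trusted network, exposed:", victim_exposed(True))
```

The model also shows the limit of the defence: HSTS only helps once the browser has seen the header over a genuine connection, so the very first visit to a site from behind the stripper is still exposed, which is exactly the case where the manual address-bar check (or an HTTPS-only browser mode) has to catch it.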
Further reading here. I intend to do some testing with iStumbler soon.