The previous post (Blue for the Pineapple) shared instructions on how to build a cheaper, more affordable clone of the infamous Hak5 Pineapple, and awareness has since risen about the capabilities and exploitability of these WiFi honeypots. This post discusses possible defences against the Pineapple:
- Setting Access Points to use WPA2 or Enterprise encryption
- Forcing SSL (HTTPS) in the browser
- Using a VPN
- Managing connections manually
Does WPA2 or Enterprise Encryption Prevent the Pineapple?
The Pineapple responds to Beacon Frames, claiming to be the Access Point (or BSSID) your device is actively requesting. Because the Pineapple's WiFi network is unencrypted, it never prompts the user for a Pre-Shared Key (PSK) or Enterprise credentials; the WiFi client blindly trusts and associates with the Pineapple through the rogue SSID.
The Pineapple software has been used to this effect in several penetration testing engagements. With a more powerful router, or with some additional help from a laptop, the Pineapple can be reconfigured to support RADIUS authentication and capture hashed/encrypted Enterprise credentials, which can then be cracked using cloud computation.
Does SSL offer any protection?
Some internet postings advise forcing the use of SSL with browser plugins such as HTTPS Everywhere (Chrome & Firefox). Others advise setting the HSTS (HTTP Strict Transport Security) header on servers, so that browsers know that only HTTPS should be used as the communication channel.
Neither of these is effective, because the Pineapple is essentially a Man-in-the-Middle (MiTM) device and can therefore change or manipulate any traffic that flows through its internet connection. The WiFi Pineapple website offers additional modules called Infusions. Amongst these is a module called SSLstrip (using code from Moxie Marlinspike, http://www.thoughtcrime.org/software/sslstrip/). This module MiTMs the connection: the Pineapple talks SSL to the requested web server, but plain old HTTP to any wireless clients. It thus renders any SSL protection useless.
So in my opinion SSL offers no real protection against the Pineapple attacks.
What about VPNs?
VPNs (Virtual Private Networks) are a good way of protecting your data over public Access Points (APs), because your data should be adequately encrypted and tunnelled through your corporate, home or trusted-provider network. This is the general protection advice when using a public or untrusted wireless network.
A VPN is not going to prevent your mobile device from being tricked into connecting to a Pineapple. However, it should protect your data (via the encrypted tunnel) as it flows through the Pineapple or public AP, so infusions (modules) like SSLstrip cannot manipulate your web traffic and the MiTM capability of the Pineapple is lost.
Managing Your Connection?
This is not really for the inexperienced; it requires understanding on the part of the user, so you remain vulnerable to user error.
You can configure some mobile devices not to connect automatically to WiFi APs, and additionally set your device to prompt before connecting to new networks. This may stop your device from connecting automatically, but it transfers that control to the user. If you're out in public and trust a familiar AP (actually its SSID, for example “BTFON”), you might still tap the “Connect” button, unaware that you have actually connected to a Pineapple or another rogue AP.
The best possible advice is: if you do not trust the WiFi AP, turn off WiFi and use the 3G/4G connection on your mobile or a 3G/4G modem!
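The automatic-join decision above is where a device gives the Pineapple its opening: a saved profile for a WPA2 network is matched on SSID alone, so an open AP with the same name never triggers a credential prompt. The following is an added example, not code from the original post, showing the check a client (or a defender reviewing a scan) could make before joining: compare each scan result against the saved profile's expected security and previously seen BSSIDs. The SSIDs, BSSIDs and profiles are constructed sample data.

```python
# Added example (not from the original post): flag scan results that look like a
# rogue AP impersonating a network this device already has a saved profile for.
# All SSIDs, BSSIDs and saved profiles below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    security: str  # "open", "wpa2-psk" or "wpa2-enterprise"


# Saved profiles: SSID -> (expected security, BSSIDs seen on earlier trusted visits)
SAVED_PROFILES = {
    "CorpWiFi": ("wpa2-enterprise", {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}),
    "HomeNet": ("wpa2-psk", {"11:22:33:44:55:66"}),
}


def classify(scan, profiles=SAVED_PROFILES):
    """Return (bssid, reason) for every scan entry that should not be auto-joined."""
    findings = []
    for entry in scan:
        if entry.ssid not in profiles:
            continue  # no saved profile, so the client would not auto-join anyway
        expected_sec, known_bssids = profiles[entry.ssid]
        if entry.security == "open" and expected_sec != "open":
            # The post's core point: the familiar SSID is served with no encryption,
            # so no PSK or credential prompt would ever stop the association.
            findings.append((entry.bssid, f"{entry.ssid} is advertised open but profile expects {expected_sec}"))
        elif entry.security != expected_sec:
            findings.append((entry.bssid, f"{entry.ssid} security changed from {expected_sec} to {entry.security}"))
        elif entry.bssid not in known_bssids:
            findings.append((entry.bssid, f"{entry.ssid} from a BSSID never seen before"))
    return findings


# Constructed scan: the genuine CorpWiFi AP plus an open AP using the same name.
SAMPLE_SCAN = [
    ScanResult("CorpWiFi", "aa:bb:cc:00:00:01", "wpa2-enterprise"),
    ScanResult("CorpWiFi", "de:ad:be:ef:00:01", "open"),
    ScanResult("HomeNet", "11:22:33:44:55:66", "wpa2-psk"),
    ScanResult("CoffeeShop", "de:ad:be:ef:00:02", "open"),
]

if __name__ == "__main__":
    for bssid, reason in classify(SAMPLE_SCAN):
        print(bssid, reason)
```

Only the open "CorpWiFi" twin is reported; the known home AP and the unknown coffee-shop SSID produce no finding.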
Coming soon: “Green for the Anti-Pineapple” – a small portable Anti-Pineapple device!