WiFi Pineapple Redux: Hacking Toy Offers No Legitimate Use, Tricks Hotspot Users

You may remember an article I wrote last summer about “hack-in-a-box” tools: off-the-shelf products that let novices hack wifi networks by simply flipping a switch.

One of the products I talked about is called WiFi Pineapple. As I wrote in last year’s post, WiFi Pineapple has only one purpose: to hack into unsecured wifi communications. They even admit it on their website:

Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder.

Well, guess what?

Darren Kitchen, the guy who created WiFi Pineapple, is back in the news and is aggressively touting his hacking tool.

Kitchen appeared at the SXSW 2012 conference in Austin and gave a talk entitled “Securing Your Information in a Target Rich Environment.” As part of his pitch, he used WiFi Pineapple to intercept the unsecured wifi communications of conference participants.

In a nutshell, WiFi Pineapple and other products like it are known as “hotspot honeypots.” When WiFi Pineapple is activated, it steals the credentials of legitimate wifi networks that users have accessed in the past. So when users log into what they think is a real wifi network, they are actually accessing the fake access point set up by WiFi Pineapple.

At that point, the owner of the WiFi Pineapple could launch a man-in-the-middle attack and steal passwords and other data. Kitchen says he doesn’t do that, of course.

Kitchen says his main objective is to simply illustrate how unsafe unsecured wifi networks are, and to let consumers know that they need to protect themselves. He says he sells WiFi Pineapple mainly to government and security professionals who do penetration testing on their own networks.

As I said last year, WiFi Pineapple is a toy that has no legitimate use.

It does not even pretend to be anything but a hacking device. Worse, it puts these hacking tools in the hands of adolescent hackers. All someone needs is about $90 and they can become a professional data thief.

While Kitchen maintains that he sells his project mainly to security professionals, they have plenty of other ways to conduct security audits. There are many free products on the Internet that are specifically made for security professionals that do a much better job for legitimate needs of managing wifi networks.

So who exactly is buying WiFi Pineapple? As Kitchen’s marketing seems to target novice hackers instead of security professionals, one has to wonder.

At the very least, WiFi Pineapple is a good reminder that you should always protect your communications in wifi hotspots using a virtual private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.

 


Kent Lawson

Kent Lawson is President and CEO at Private Communications Corporation. He combined his extensive business and technical experience to develop Private WiFi in 2010. The software protects Internet communication over public WiFi and LAN networks and is available to those working in places like coffee shops, hotels, airports, and beyond.


Comments


  • TeleCom

    While this does raise concerns, I don't completely agree with all of it. Agreed selling tools to assist in 'hacking' for "malicious" purposes is wrong, but that's not what is being done here, so targeting a person for that is difficult. I say that with the understanding that with the help of YouTube and some Linux software (even Windows software), it's not hard to do the exact same thing that is being done with the WiFi Pineapple, and this can be done at no cost. Agreed that packaging a device that can cause more damage than good is not at all productive regarding security awareness. However, that's exactly what's being done: awareness. Without people making us aware of these security vulnerabilities, we can in fact be harmed by someone who is 'really' looking to do harm. Sometimes it takes a little 'bump' like this to REALLY kick security improvements into gear.
    As far as I can understand, it seems selling this tool is a means to support the Hak5 team and keep what is an informative Web Show active and alive. Would it be wrong to give out instructions for the creation of this device and others like it? If so, YouTube needs a revamp, because when it comes to 'hacking newbies' this is the central hub.
    Another factor to consider is that the tool is only as harmful as its user. If a user intends on causing harm, they don't need a $90 tool to do so. All they need is a computer, and if they are a novice attacker, all they need is YouTube.
    I believe that targeting a person for selling a device like this is noted, but no different than targeting Walmart for selling laptops.
    Just my 2c.

  • Eric

    This article makes you sound like a whiny toddler. Great journalism :D

  • hak5 rocks

    I agree with @eric, call the waaaambulence, Kent.

    Real hackers are about education and the WiFi Pineapple is a great teaching tool and Darren is a great teacher. I own one and have never stolen credentials, nor would I. However, as a computer pro I need to know about such vulnerabilities so that I may educate my customers.

    Maybe educated customers wouldn't need to buy your security products. Could that be your motive for the attack?

  • Kent Lawson

    TeleCom, Eric and Hak5 are all entitled to their opinions. But I certainly stand by mine.

    There are many ways to educate the public about the risks of public wifi hotspots. That's what this blog site is all about.

    It is dangerous and irresponsible to put out a product that can be used so easily for black-hat purposes.

    Let me quote again from the Pineapple's own web site:

    "Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder."

    • 4irplan3

      You don't need a product for any of this. A free download of Wireshark on your laptop will let you do about 50% of what Pineapple can do. A free download of Kali Linux will let you do the other 50%. There are tutorial articles or videos available pretty much everywhere.

  • Jason

    Buy them before they're banned! As regards the Pineapple being so readily available, I am pretty sure this will be reverse engineered and copied globally.

    • Nero

      That makes no sense, seeing as how the Pineapple is made from an off-the-shelf router, with an open source firmware and open source application.

      There is no need to reverse engineer. This can all be done on a Linux PC as well, not hard and no Pineapple needed.

      The author of this article also seems to know very little about the Pineapple itself. By default NO web page is replaced.

      All the information passes through the Pineapple just like what it is: A ROUTER. Amazing, I know, such a powerful device a router is, they can't possibly be sold in public stores...

  • Jason

    Also, is there a way to track a router, say tracing a deauth attack?

  • skimpniff

    At least be accurate in your reporting. "When WiFi Pineapple is activated, it steals the credentials of legitimate wifi networks that users have accessed in the past." That is an incorrect statement, the legitimate wifi network credentials are not stolen, they are impersonated. The Wifi Pineapple simply replies "yes" to all auto-connect probe requests when Karma is active. Otherwise it is just like any other Honey Pot that requires a person to manually connect.

    • Jason

      True skimpniff, I didn't notice that. All it does is fool the PC into believing it is connected to a trusted network. It can't steal information immediately, the pineapple user has to decide if they want to "steal" credentials and personal data.
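
The Karma behaviour skimpniff describes above, a responder that answers "yes" to every probe request, leaves a client-side trace: one BSSID answers for unrelated network names, including names that do not exist. The following Python is an added example, not part of the original post or its comments; the record format, the canary SSID, the threshold and all sample observations are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProbeResponse:
    bssid: str  # MAC address of the access point that answered
    ssid: str   # network name the access point claimed in its answer


def find_karma_suspects(responses, canary_ssids, max_ssids_per_bssid=3):
    """Return {bssid: [reasons]} for responders that behave like Karma.

    canary_ssids: random names the defender probed for that no real
    network uses, so any answer for them is an impersonation.
    max_ssids_per_bssid: assumed threshold; a normal access point
    answers for a small, fixed set of names on one BSSID.
    """
    canaries = set(canary_ssids)
    ssids_by_bssid = defaultdict(set)
    for r in responses:
        ssids_by_bssid[r.bssid.lower()].add(r.ssid)

    suspects = {}
    for bssid, ssids in ssids_by_bssid.items():
        reasons = []
        hits = sorted(ssids & canaries)
        if hits:
            reasons.append(f"answered for nonexistent canary SSID {hits[0]!r}")
        if len(ssids) > max_ssids_per_bssid:
            reasons.append(f"answered for {len(ssids)} distinct SSIDs")
        if reasons:
            suspects[bssid] = reasons
    return suspects


# Constructed observations: one ordinary access point and one responder
# that claims every name it is asked about, including the canary.
CANARIES = {"canary-7f3a9c"}
SAMPLE = [
    ProbeResponse("aa:bb:cc:00:00:01", "CoffeeShop"),
    ProbeResponse("aa:bb:cc:00:00:01", "CoffeeShop"),
    ProbeResponse("de:ad:be:ef:00:02", "HomeNet-5G"),
    ProbeResponse("de:ad:be:ef:00:02", "Airport_Free"),
    ProbeResponse("de:ad:be:ef:00:02", "HotelGuest"),
    ProbeResponse("DE:AD:BE:EF:00:02", "canary-7f3a9c"),
]

if __name__ == "__main__":
    for bssid, reasons in find_karma_suspects(SAMPLE, CANARIES).items():
        print(bssid, "->", "; ".join(reasons))
```
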

  • PassComm

    Most of the people that use this and other devices are using it to learn and teach. I was able to find my stolen laptop with it which took almost a year. I plan to buy another pineapple as mine is kind of old, maybe I can get them to hack each other :)

  • Richard

    What a surprise, a whiny, uninformed CEO..

    Please continue doing whatever it is you are doing.. please continue writing articles.. and most of all, get your other CEO buddies to do the same.

    Higher-ups like you that are so blindingly ignorant to even the most simplistic infosec concepts, are the reason I have a job..

    thank you.

    • f33

      Right? Christ... it's like listening to a hick preacher tell you how Heaven is waiting if you just trust him.

      • fukmny

        haha more like a used car salesman

    • Adrian Raff

      +1

  • Richard

    I just ordered the "elite" pineapple package. It doesn't increase my abilities one iota. I could drop a netbook onto a network and run all the same tools for practically the same price (the batteries would also last longer).

    As an attorney and tech, I am often tapped to educate fellow lawyers on all manner of security issues. I bring some linux netbooks and do some tricks. The average lawyer is not capable of understanding the specifics of an attack. My goal is always to demonstrate what is possible and why they need to protect themselves. Fear is a large part of that goal. But eyes always glaze over at the sight of a command line interface. They are left with the false impression that the attacks are unprofessional and difficult to execute.

    The pineapple elite is a polished device with a professional-looking interface. Literally a black box, it looks scary. The fact that I purchased it openly, as opposed to building my own, adds to the fear and should increase the effectiveness of my demonstrations.

  • SATAN

    It does offer a legitimate use as a penetration testing tool, just like how lock picks have legitimate benefits for penetration testers. Just because Kitchen developed a tool that has the potential to be used maliciously doesn't mean it will be. If you want to pimp your VPN to people that actually know what they're doing when it comes to digital security you're going to want to write less biased articles.

  • jane mcphil

    contacted this hacker bradhaccer@aol.com i think he is based in australia,helped me hack my husbands facebook account and email ,now my marriage is saved,his ex girl friend was trying to get back with him

  • dude

    You could have made such a huge sales pitch, if what YOU_ARE_SELLING is immune to such attacks, but noooeees that would be too easy, so you just bitch around about tools that enable people at home to test and harden their networks. The only thing that really bugs you is that you don't see a wooden nickel from it. You could care less about the little man's netsec.

  • T3MG

    You guys should note that this device can be easily detected by any mobile device if the user tries. Darren Kitchen also listed in his Hak5 podcast how you can detect it.

  • http://twitter.com/x9a3k Jordan Dawson

    Great journalism, not only is it by a man whose company makes its money off of uninformed tech illiterate fools but this article is filled with errors. One of the most obvious being "Darren Kitchen, the guy who created WiFi Pineapple". It takes all but a look at the wifi pineapple page itself (which I assumed you did) to know he didn't create it.

  • http://www.facebook.com/pat.mckenna.7737 Pat McKenna

    Hi Kent - I work in online child protection and security consulting / pen testing and I have to tell you that your article is very wrong in many respects. The WiFiP has a lot of genuine uses in security and is a fantastic demo tool to teenagers regarding their security in open wifi hotspots where they lose a lot of data including credentials. Pat

  • http://twitter.com/ProfessorLumic Adrian Goodhead

    Says the man making money from the vulnerabilities this toy exploits. If you're the victim of a hack using a Pineapple then you should turn your computer off and not turn it back on (ever). And if you're paying this company to protect your wifi network then you need to ask yourself why you are wasting your money on this when anyone can configure a VPN for you.

  • Kik

    Lawson, you're an ID-10-T..... If people stopped buying illegal drugs there would be no drug problem, if ID-10-Ts would quit writing crappy software, there would be no security problem. Someone needs to point this stuff out and quit hiding it. Obviously your company is worthless.

  • blackball

    Your last statement completely negates your earlier, uninformed, rant. The reason this tool is useful is to inform people of the dangers of open WiFi networks. Anyone can be a fearmonger. That's the easy route.

  • ned ryerson

    This is a quote from Private WIFI:

    "We create a secure, encrypted pathway between your computer and our servers"

    Your servers being the endpoint of the encryption tunnel, which means someone at your company (should they CHOOSE to do so) could compromise the information between the point it arrives at your servers, and the point at which the data is sent to its destination. You attempt to vilify Darren Kitchen's teachings on the need for computer security. I can only guess that our newfound security is interfering with your true goals?

  • Marty

    I don't understand the point of this article, seems Kent is a bit jealous of the WiFi Pineapple and Darren's success. Since when did CEOs show morality in general, let alone within business... Darren isn't breaking any laws by selling the Pineapple, and he's not promoting malicious use of it or promoting illegal activities....

    I await the article he writes when he discovers anyone with a few hundred dollars can purchase a handgun...

  • They_call_me_g0d

    Are you all blind? check the last part of the article

    "At the very least, WiFi Pineapple is a good reminder that you should
    always protect your communications in wifi hotspots using a virtual
    private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim."
    This is what is called a sales trick, they try to scare people into paying for their VPN service :)

  • Mike

    Not a great article. I am thinking of buying the Pineapple device to test the security of my OWN wifi and my friends' wifi devices in order that I can up their security.

    That IS a legitimate use.

    Your argument is parallel to saying that crowbars never have a legitimate use. However if someone is thought to be inside their house and they are in danger and unable to open the door, e.g. an attempted suicide case or some kind of medical emergency, then using a crowbar to break in to their house in order to save their life is a legitimate use of force. How you fail to see this is a bit difficult to see. An 'imagination' error I suppose ;-)

  • Burns Newby Johansson

    I am an IT (guy) and I did not buy my WiFi Pineapple for hacking at all. I bought it as an inexpensive WiFi access point that I can control every aspect of.

    Considering basic access points are $120+ and most don't have basic management functionality, I like having something that is only $90.

    Just because an item can be used in one way does not make it the only way. If we all took your approach we would all have plastic scissors and butter knives because some people kill using normal scissors and knives.

  • f33

    First of all the tool intercepts insecure and *secured* communications and strips out the protection (sslstrip) and it has several "legitimate" purposes, since the author is unable to imagine or unaware of using the pineapple for pen testing (legit use) or simply testing your own wireless communications (legit) it simplifies the process for the "average" user.
    This is another propaganda piece aimed at telling us how bad "hackers" are and how scary everything is because you don't understand it.

  • f33

    Based on this article, I would say stay away from this guy's product he is selling via this propaganda piece, "Private WiFi".

  • ballllin

    After reading this I would never purchase from your ill-informed company.

  • For the People

    All I heard from this article was, "Don't buy the wifi pineapple." followed by a meager attempt at discrediting its use and manufacture. Judging by your article, you're not familiar with this product whatsoever. Just to point out a few flaws in your argument, network auditing is but one of its many uses; but you miss the big picture. This is a tool that acts as a platform for developers to introduce new tools and uses with each update. Sure, you can create a honeypot. Did you know you can also capture ADSB and stream it to a remote server? Did you know that you can capture bluetooth packets and stream them to a tool that automatically decodes the data? What about SSL strip deployed on a busy apartment complex rooftop, with built in cellular data modem support? I'd like to see your itemized list of portable solutions that can deploy remotely and beam back via SSH for packet analyzing. This article really discredits your capability to recognize major potentials; or did you recognize it as a threat to your own business solutions? Either way, you'd be amazed if you actually used the product.

  • ramv36

    "WiFi Pineapple is a toy that has no legitimate use.

    It does not even pretend to be anything but a hacking device."

    That statement clearly says it has a legitimate use as a hacking device.

    When I clicked this article for a review, the title suggested the device did nothing or did not work, but you're stating it does its intended job TOO well. Noted.

  • 2600

    Another suit who has absolutely no idea what is actually involved in using a device like this... nor does he understand what it is, and is not.

  • Adrian Raff

    Actually now I am going to pen test your software and find a hole in it. I always do. After that I am going to post the exploit here and show you how valuable the wifi pineapple can be. As long as it is being humped over RF, it is hackable;)



