I just had an absolutely tremendous trip over to Salt Lake City for the annual Pluralsight authors’ summit where 100 or so of us got together with the Pluralsight folks and talked about many wonderful things. Included in that time were a number of “lightning talks” or in other words, presos limited to 5 minutes during which you make as much impact as you possibly can. Clearly this called for me to break out the trusty WiFi Pineapple.
For the uninitiated, take a browse through the WiFi Pineapple tag on this blog and you’ll get a sense of what it’s all about, but in short, this little guy is the best damn way of showing just how important transport layer security is in web software and it’s dead easy to demonstrate how simple it is to hijack other people’s connections. Here’s how these demos tend to run:
- A few hours before presenting, fire up the Pineapple
- Set the SSID to something entertaining – I went with “Free NSA wifi” on this occasion
- Enable “Karma” on the Pineapple so that wireless devices can be tricked into connecting to it
- Set up my little Pineapple Surprise DNS spoof page
- Sit back and watch the bemused tweets – “Hey, why am I connected to my home network on the other side of the world?!”
- Observe the intense stares of the Pineapple connectees as they absorb the info on the Pineapple Surprise page
- Take to the stage and reveal the insecurity that is wifi including showing the devices connecting and the SSIDs probed for (you know, people’s home networks, their work names, the airline lounges they’ve visited, etc.)
- Spend the rest of the night hearing about how everyone now wants to go back to pen and paper
This is always an impactful demo as people are seeing their own devices and their own networks up on the big screen. They rarely have any idea that they were sending out probe requests nor that their devices could have their wifi networks hijacked without even taking it out of their pockets.
But I don’t want to make this seem like I’m trivialising what ultimately amounts to taking control of other people’s networks; this demo is there for one key reason: to help software developers understand that they must always build apps with the expectation that the transport layer is compromised. Clearly what I’m doing in these demos has the ability to be used for malicious purposes but let us not lose sight of the fact that the participants in these settings are the very people who have the power to protect all of us from exactly this risk. They are the software developers, the IT folks and the educators and hopefully they’re all now that much better equipped to protect the masses from this risk.
Fortuitously, I found myself having dinner at the same table as Jay Mcfarland the next night. As it turns out, Jay hosts the hugely popular daily radio program The Browsers on the local KSL station. Jay asked if I’d like to swing by and chat about the demo and why wifi security is so important so I went for a wander over to the studio and recorded a session with him and Amy Iverson. Have a listen here:
While I was there I also set up the Pineapple and captured a bunch of devices in the studio whilst they recorded some video, then turned the material into a news segment:
For those already in the know, none of this is really new, but you can see how it’s impactful on those who haven’t given it much thought before. What’s really scary from the consumer side – there’s not a good answer to protect yourself from risks such as the Pineapple. Yes, you can turn your wifi off and yes, you can decide not to connect to open networks and yes, you can run a VPN but no, none of those are practical for your average consumer in their daily lives.
For developers, however, it’s actually very simple: SSL goes on all the things you don’t want read or manipulated and it goes on properly. That point probably sounds obvious, but the number of sites doing things like loading login forms over HTTP or embedding them in iframes on an insecure page, plus the complete lack of SSL altogether on so many mobile apps or, just as bad, apps which disable cert validation, goes to show that we have a long way to go yet in the software industry.
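The login form mistakes described above can be checked for mechanically. This is an added example, not code from the original post: a small audit of one fetched page, covering only the login form and iframe cases. The names `LoginFormScanner`, `audit_login_page` and `SAMPLE`, and the `example.com` URLs, are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LoginFormScanner(HTMLParser):
    """Collects the action of every form holding a password field, plus iframe sources."""

    def __init__(self):
        super().__init__()
        self.password_form_actions = []
        self.iframe_srcs = []
        self._form_action = None  # action of the form being parsed, None outside a form

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self._form_action = attr.get("action") or ""
        elif tag == "input" and self._form_action is not None:
            if (attr.get("type") or "").lower() == "password":
                self.password_form_actions.append(self._form_action)
        elif tag == "iframe" and attr.get("src"):
            self.iframe_srcs.append(attr["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_login_page(page_url, html):
    """Return transport-security findings for one page (hypothetical helper)."""
    scanner = LoginFormScanner()
    scanner.feed(html)
    insecure_page = urlparse(page_url).scheme != "https"
    findings = []
    for action in scanner.password_form_actions:
        # An empty action posts back to the page's own URL.
        target = urljoin(page_url, action)
        if insecure_page:
            # Even with an HTTPS action, the form itself can be rewritten in transit.
            findings.append("login form served over HTTP: " + page_url)
        if urlparse(target).scheme != "https":
            findings.append("credentials posted over HTTP: " + target)
    if insecure_page:
        # A secure frame inside an insecure parent can be swapped out by the network.
        for src in scanner.iframe_srcs:
            findings.append("frame embedded in insecure page: " + urljoin(page_url, src))
    return findings


# Constructed sample: a form posting to HTTPS and an HTTPS login iframe.
SAMPLE = """<form action="https://example.com/login"><input type="password" name="p"></form>
<iframe src="https://example.com/login-frame"></iframe>"""
```

Served from `http://example.com/`, the sample is flagged twice even though both the form target and the frame use HTTPS; served from `https://example.com/`, it passes cleanly.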