You may remember an article I wrote last summer about “hack-in-a-box” tools: off-the-shelf products that let novices hack WiFi networks by simply flipping a switch.
One of the products I talked about is called WiFi Pineapple. As I wrote in last year’s post, WiFi Pineapple has only one purpose: to hack into unsecured WiFi communications. They even admit it on their website:
“Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder.”
Well, guess what?
Darren Kitchen, the guy who created WiFi Pineapple, is back in the news and is aggressively touting his hacking tool.
Kitchen appeared at the SXSW 2012 conference in Austin and gave a talk entitled “Securing Your Information in a Target Rich Environment.” As part of his pitch, he used WiFi Pineapple to intercept the unsecured WiFi communications of conference participants.
In a nutshell, WiFi Pineapple and other products like it are known as “hotspot honeypots.” When WiFi Pineapple is activated, it steals the credentials of legitimate WiFi networks that users have accessed in the past. So when users log into what they think is a real WiFi network, they are actually accessing the fake access point set up by WiFi Pineapple.
At that point, the owner of the WiFi Pineapple could launch a man-in-the-middle attack and steal passwords and other data. Kitchen says he doesn’t do that, of course.
Kitchen says his main objective is to simply illustrate how unsafe unsecured WiFi networks are, and to let consumers know that they need to protect themselves. He says he sells WiFi Pineapple mainly to government and security professionals who do penetration testing on their own networks.
As I said last year, WiFi Pineapple is a toy that has no legitimate use.
It does not even pretend to be anything but a hacking device. Worse, it puts these hacking tools in the hands of adolescent hackers. All someone needs is about $90 and they can become a professional data thief.
While Kitchen maintains that he sells his project mainly to security professionals, they have plenty of other ways to conduct security audits. Many free products on the Internet are made specifically for security professionals and do a much better job of meeting the legitimate needs of managing WiFi networks.
So who exactly is buying WiFi Pineapple? As Kitchen’s marketing seems to target novice hackers instead of security professionals, one has to wonder.
At the very least, WiFi Pineapple is a good reminder that you should always protect your communications in WiFi hotspots using a virtual private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.