WiFi Pineapple Redux: Hacking Toy Offers No Legitimate Use, Tricks Hotspot Users


You may remember an article I wrote last summer about “hack-in-a-box” tools: off-the-shelf products that let novices hack WiFi networks by simply flipping a switch.

One of the products I talked about is called WiFi Pineapple. As I wrote in last year’s post, WiFi Pineapple has only one purpose: to hack into unsecured WiFi communications. They even admit it on their website:

“Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder.”

Well, guess what?

Darren Kitchen, the guy who created WiFi Pineapple, is back in the news and is aggressively touting his hacking tool.

Kitchen appeared at the SXSW 2012 conference in Austin and gave a talk entitled “Securing Your Information in a Target Rich Environment.” As part of his pitch, he used WiFi Pineapple to intercept the unsecured WiFi communications of conference participants.

In a nutshell, WiFi Pineapple and other products like it are known as “hotspot honeypots.” When WiFi Pineapple is activated, it steals the credentials of legitimate WiFi networks that users have accessed in the past. So when users log into what they think is a real WiFi network, they are actually accessing the fake access point set up by WiFi Pineapple.

At that point, the owner of the WiFi Pineapple could launch a man-in-the-middle attack and steal passwords and other data. Kitchen says he doesn’t do that, of course.

Kitchen says his main objective is to simply illustrate how unsafe unsecured WiFi networks are, and to let consumers know that they need to protect themselves. He says he sells WiFi Pineapple mainly to government and security professionals who do penetration testing on their own networks.

As I said last year, WiFi Pineapple is a toy that has no legitimate use.

It does not even pretend to be anything but a hacking device. Worse, it puts these hacking tools in the hands of adolescent hackers. All someone needs is about $90 and they can become a professional data thief.

While Kitchen maintains that he sells his project mainly to security professionals, they have plenty of other ways to conduct security audits. There are many free products on the Internet that are specifically made for security professionals that do a much better job for legitimate needs of managing WiFi networks.

So who exactly is buying WiFi Pineapple? As Kitchen’s marketing seems to target novice hackers instead of security professionals, one has to wonder.

At the very least, WiFi Pineapple is a good reminder that you should always protect your communications in WiFi hotspots using a virtual private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.


Kent Lawson

Kent Lawson is the CEO & Chairman of Private Communications Corporation and creator of its flagship software PRIVATE WiFi. He combined his extensive business and technical experience to develop PRIVATE WiFi in 2010. The software is an easy-to-use Virtual Private Network (VPN) that protects your sensitive personal information whenever you’re connected to a public WiFi network. Follow Kent on Twitter: @KentLawson.

53 Responses

  1. TeleCom says:

    While this does raise concerns, I don’t completely agree with all of it. Agreed selling tools to assist in ‘hacking’ for “malicious” purposes is wrong, but that’s not what is being done here, so targeting a person for that is difficult. I say that with the understanding that with the help of YouTube and some Linux software (even Windows software), it’s not hard to do the exact same thing that is being done with the WiFi pineapple, and this can be done at no cost. Agreed that packaging a device that can cause more damage than good is not at all productive regarding security awareness.. however that’s exactly what’s being done – awareness. Without people making us aware of these security vulnerabilities, we can in fact be harmed by someone who is ‘really’ looking to do harm. Sometimes it takes a little ‘bump’ like this to REALLY kick security improvements into gear.
    As far as I can understand, it seems selling this tool is a means to support the Hak5 team and keep what is an informative Web Show, active and alive. Would it be wrong to give out instructions for the creation of this device and others like it? If so, YouTube needs a revamp, because when it comes to ‘hacking newbies’ this is the central hub.
    Another factor to consider is that the tool is only as harmful as its user. If a user intends on causing harm, they don’t need a $90 tool to do so.. all they need is a computer, and if they are a novice attacker, all they need is YouTube.
    I believe that targeting a person for selling a device like this, is noted, but no different than targeting Walmart for selling Laptops.
    Just my 2c.

  2. Eric says:

    This article makes you sound like a whiny toddler. Great journalism :D

  3. hak5 rocks says:

    I agree with @eric, call the waaaambulance, Kent.

    Real hackers are about education and the wifi pineapple is a great teaching tool and Darren is a great teacher. I own one and have never nor would I steal credentials; however, as a computer pro I need to know about such vulnerabilities so that I may educate my customers.

    Maybe educated customers wouldn’t need to buy your security products. Could that be your motive for the attack?

  4. Kent Lawson says:

    TelCom, Eric and Hak5 are all entitled to their opinions. But I certainly stand by mine.

    There are many ways to educate the public about the risks of public wifi hotspots. That’s what this blog site is all about.

    It is dangerous and irresponsible to put out a product that can be used so easily for black-hat purposes.

    Let me quote again from the Pineapple’s own web site:

    “Of course all of the Internet traffic flowing through the Pineapple such as email, instant messages and browser sessions are easily viewed or even modified by the Pineapple holder.”

    • 4irplan3 says:

      You don’t need a product for any of this. A free download of Wireshark on your laptop will let you do about 50% of what Pineapple can do. A free download of Kali Linux will let you do the other 50%. There are tutorial articles or videos available pretty much everywhere.

      • Steve says:

        The thing is sometimes you do not need a robust platform to run custom scripting, etc. It is nice to plug, program, and drop something to do the bulk of work, especially during initial phases when we do not necessarily know what we are looking for. It’s all part of mapping the environment.

  5. Jason says:

    Buy them before they’re banned! As regards the pineapple being so readily available, I am pretty sure this will be reverse engineered and copied globally.

    • Nero says:

      That makes no sense seeing as how the pineapple is made from an off the shelf router, with an open source firmware and open source application.

      There is no need to reverse engineer, this can all be done on a Linux PC as well, not hard and no pineapple needed.

      The author of this article also seems to know very little about the pineapple itself, by default NO web page is replaced.

      All the information passes through the pineapple just like what it is, A ROUTER. Amazing, I know, such a powerful device a router is, they can’t possibly be sold in public stores…

  6. Jason says:

    Also, is there a way to track a router, say tracing a deauth attack?

  7. skimpniff says:

    At least be accurate in your reporting. “When WiFi Pineapple is activated, it steals the credentials of legitimate wifi networks that users have accessed in the past.” That is an incorrect statement, the legitimate wifi network credentials are not stolen, they are impersonated. The Wifi Pineapple simply replies “yes” to all auto-connect probe requests when Karma is active. Otherwise it is just like any other Honey Pot that requires a person to manually connect.

    • Jason says:

      True skimpniff, I didn’t notice that. All it does is fool the PC into believing it is connected to a trusted network. It can’t steal information immediately, the pineapple user has to decide if they want to “steal” credentials and personal data.
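The behaviour skimpniff describes, one access point answering "yes" to every auto-connect probe request, is visible from the defender's side as a single BSSID claiming many unrelated network names. The following is an added example, not code from the article, the commenters or Hak5: it runs over constructed probe-response records, and the threshold, the time window and the canary SSID (a random name a monitor probes for that no real AP should answer) are assumptions of this sketch.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ProbeResponse:
    ts: float    # seconds since capture start
    bssid: str   # MAC address of the responding access point
    ssid: str    # network name the access point claims to be

# Assumption: the monitor sends probes for this random name; nothing real owns it.
CANARY_SSIDS = frozenset({"canary-7f3a9c"})

# Constructed sample capture (locally administered MACs, made-up SSIDs).
SAMPLE = [
    ProbeResponse(0.5, "02:00:00:00:00:01", "CoffeeShop"),
    ProbeResponse(1.0, "02:00:00:00:00:02", "HomeNet-Smith"),
    ProbeResponse(1.2, "02:00:00:00:00:02", "attwifi"),
    ProbeResponse(1.9, "02:00:00:00:00:02", "Airport_Free"),
    ProbeResponse(2.5, "02:00:00:00:00:02", "linksys"),
    ProbeResponse(3.0, "02:00:00:00:00:01", "CoffeeShop"),
    ProbeResponse(4.0, "02:00:00:00:00:03", "canary-7f3a9c"),
    ProbeResponse(5.0, "02:00:00:00:00:04", "Corp"),
    ProbeResponse(6.0, "02:00:00:00:00:04", "Corp-Guest"),
]

def find_karma_suspects(responses, canaries=CANARY_SSIDS, max_ssids=3, window=60.0):
    """Return {bssid: reason} for APs that behave like a respond-to-all honeypot.

    Rule 1: the AP answered a probe for a canary SSID that cannot exist.
    Rule 2: the AP claimed more than `max_ssids` distinct SSIDs within
            `window` seconds (a normal AP answers only for its own names).
    """
    by_bssid = defaultdict(list)
    for r in responses:
        by_bssid[r.bssid].append(r)

    suspects = {}
    for bssid, items in by_bssid.items():
        items.sort(key=lambda r: r.ts)
        canary_hits = sorted({r.ssid for r in items if r.ssid in canaries})
        if canary_hits:
            suspects[bssid] = f"answered canary SSID {canary_hits[0]}"
            continue
        start = 0
        for end in range(len(items)):
            # Shrink the window until it spans at most `window` seconds.
            while items[end].ts - items[start].ts > window:
                start += 1
            names = {r.ssid for r in items[start:end + 1]}
            if len(names) > max_ssids:
                suspects[bssid] = f"claimed {len(names)} SSIDs within {window:.0f}s"
                break
    return suspects

if __name__ == "__main__":
    for bssid, reason in sorted(find_karma_suspects(SAMPLE).items()):
        print(bssid, "->", reason)
```
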

  8. PassComm says:

    Most of the people that use this and other devices are using it to learn and teach. I was able to find my stolen laptop with it which took almost a year. I plan to buy another pineapple as mine is kind of old, maybe I can get them to hack each other :)

  9. Richard says:

    What a surprise, a whiny, uninformed CEO..

    Please continue doing whatever it is you are doing.. please continue writing articles.. and most of all, get your other CEO buddies to do the same.

    Higher-ups like you that are so blindingly ignorant to even the most simplistic infosec concepts, are the reason I have a job..

    thank you.

  10. Richard says:

    I just ordered the “elite” pineapple package. It doesn’t increase my abilities one iota. I could drop a netbook onto a network and run all the same tools for practically the same price (the batteries would also last longer).

    As an attorney and tech, I am often tapped to educate fellow lawyers on all manner of security issues. I bring some linux netbooks and do some tricks. The average lawyer is not capable of understanding the specifics of an attack. My goal is always to demonstrate what is possible and why they need to protect themselves. Fear is a large part of that goal. But eyes always glaze over at the sight of a command line interface. They are left with the false impression that the attacks are unprofessional and difficult to execute.

    The pineapple elite is a polished device with a professional-looking interface. Literally a black box, it looks scary. The fact that I purchased it openly, as opposed to building my own, adds to the fear and should increase the effectiveness of my demonstrations.

  11. SATAN says:

    It does offer a legitimate use as a penetration testing tool, just like how lock picks have legitimate benefits for penetration testers. Just because Kitchen developed a tool that has the potential to be used maliciously doesn’t mean it will be. If you want to pimp your VPN to people that actually know what they’re doing when it comes to digital security you’re going to want to write less biased articles.


  14. dude says:

    You could have made such a huge sales pitch, if what YOU_ARE_SELLING is immune to such attacks, but noooeees that would be too easy, so you just bitch around about tools that enable people at home to test and harden their networks. The only thing that really bugs you, is that you don’t see a wooden nickel from it. You could care less about the little man’s netsec

  15. T3MG says:

    You guys should note that this device can be easily detected by any mobile device if the user tries. Darren Kitchen also listed in his Hak5 podcast how to detect it.

  16. Great journalism, not only is it by a man whose company makes its money off of uninformed tech illiterate fools but this article is filled with errors. One of the most obvious being “Darren Kitchen, the guy who created WiFi Pineapple”. It takes all but a look at the wifi pineapple page itself (which I assumed you did) to know he didn’t create it.

  17. Pat McKenna says:

    Hi Kent – I work in online child protection and security consulting / pen testing and I have to tell you that your article is very wrong in many respects. The WiFiP has a lot of genuine uses in security and is a fantastic demo tool to teenagers regarding their security in open wifi hotspots where they lose a lot of data including credentials. Pat

  18. Says the man making money from the vulnerabilities this toy exploits. If you’re the victim of a hack using a pineapple then you should turn your computer off and not turn it back on (ever). And if you’re paying this company to protect your wifi network then you need to ask yourself why you are wasting your money on this when anyone can configure a VPN for you.

  19. Kik says:

    Lawson, you’re an ID-10-T….. If people stop buying illegal drugs there would be no drug problem, if ID-10-T’s would quit writing crappy software, there would be no security problem, someone needs to point this stuff out and quit hiding it, obviously your company is worthless.

  20. blackball says:

    Your last statement completely negates your earlier, uninformed, rant. The reason this tool is useful is to inform people of the dangers of open WiFi networks. Anyone can be a fearmonger. That’s the easy route.

  21. ned ryerson says:

    This is a quote from Private WIFI:

    “We create a secure, encrypted pathway between your computer and our servers”

    Your servers being the endpoint of the encryption tunnel, which means someone at your company (should they CHOOSE to do so) could compromise the information between the point it arrives at your servers, and the point at which the data is sent to its destination. You attempt to vilify Darren Kitchen’s teachings on the need for computer security. I can only guess that our new found security is interfering with your true goals?

  22. Marty says:

    I don’t understand the point of this article, seems Kent is a bit jealous of the wifi pineapple and Darren’s success. Since when did CEOs show morality in general let alone within business… Darren isn’t breaking any laws by selling the pineapple, and he’s not promoting malicious use of it or promoting illegal activities….

    I await the article he writes when he discovers anyone with a few hundred dollars can purchase a handgun…

  23. They_call_me_g0d says:

    Are you all blind? check the last part of the article

    “At the very least, WiFi Pineapple is a good reminder that you should
    always protect your communications in wifi hotspots using a virtual
    private network like PRIVATE WiFi, or else you could be WiFi Pineapple’s next victim.”
    This is what is called a sales trick, they try to scare people into paying for their VPN service :)

  24. Mike says:

    Not a great article. I am thinking of buying the Pineapple device to test the security of my OWN wifi and my friends’ wifi devices in order that I can up their security.

    That IS a legitimate use.

    Your argument is parallel to saying that crowbars never have a legitimate use. However if someone is thought to be inside their house and they are in danger and unable to open the door, e.g. an attempted suicide case or some kind of medical emergency, then using a crowbar to break in to their house in order to save their life is a legitimate use of force. How you fail to see this is a bit difficult to see. An ‘imagination’ error I suppose ;-)

  25. Burns Newby Johansson says:

    I am an IT (guy) and I did not buy my Wifi Pineapple for hacking at all. I bought it as an inexpensive Wifi access point that I can control every aspect of.

    Considering basic access points are $120+ and most don’t have basic management functionality I like having something that is only $90.

    Just because an item can be used in one way does not make it the only way. If we all took your approach we would all have plastic scissors and butter knives because some people kill using normal scissors and knives.

  26. f33 says:

    First of all the tool intercepts insecure and *secured* communications and strips out the protection (sslstrip) and it has several “legitimate” purposes, since the author is unable to imagine or unaware of using the pineapple for pen testing (legit use) or simply testing your own wireless communications (legit) it simplifies the process for the “average” user.
    This is another propaganda piece aimed at telling us how bad “hackers” are and how scary everything is because you don’t understand it.

  27. f33 says:

    Based on this article, I would say stay away from this guy’s product he is selling via this propaganda piece “Private WiFi”.

  28. ballllin says:

    After reading this I would never purchase from your ill-informed company.

  29. For the People says:

    All I heard from this article was, “Don’t buy the wifi pineapple.” followed by a meager attempt at discrediting its use and manufacture. Judging by your article, you’re not familiar with this product whatsoever. Just to point out a few flaws in your argument, network auditing is but one of its many uses; but you miss the big picture. This is a tool that acts as a platform for developers to introduce new tools and uses with each update. Sure, you can create a honeypot. Did you know you can also capture ADSB and stream it to a remote server? Did you know that you can capture bluetooth packets and stream them to a tool that automatically decodes the data? What about SSL strip deployed on a busy apartment complex rooftop, with built in cellular data modem support? I’d like to see your itemized list of portable solutions that can deploy remotely and beam back via SSH for packet analyzing. This article really discredits your capability to recognize major potentials; or did you recognize it as a threat to your own business solutions? Either way, you’d be amazed if you actually used the product.

  30. ramv36 says:

    “WiFi Pineapple is a toy that has no legitimate use.

    It does not even pretend to be anything but a hacking device.”

    That statement clearly says it has a legitimate use as a hacking device.

    When I clicked this article for a review, the title suggested the device did nothing or did not work, but you’re stating it does its intended job TOO well. Noted.

  31. 2600 says:

    Another suit who has absolutely no idea what is actually involved in using a device like this… nor does he understand what it is, and is not.

  32. Adrian Raff says:

    Actually now I am going to pen test your software and find a hole in it. I always do. After that I am going to post the exploit here and show you how valuable the wifi pineapple can be. As long as it is being humped over RF, it is hackable;)

  33. Guest says:

    Who do you think makes better VPNs than the joke you mentioned, as well as other privacy measures? You think they are made by some “security professionals”? That is just a synonym for the term white hat hacker, and who do you think they come from? Go ahead, guess, and then thank those “novice hackers” for becoming the people who protect you from other, real threats unlike the pineapple. And maybe find a better way to advertise your awful VPN other than denouncing a quality product, something people like you don’t understand.

  34. Herve says:

    Both Google and Yahoo, as well as Microsoft, do the same thing

  35. Herve says:

    also the wi-fi sharing program do the same thing

  36. Kitchen Kaboodle sells knives ridiculously cheap and I am sure they are putting these dangerous weapons in the hands of adolescents that could use them to commit murder or assault. Yes those knives could be used to cut meats and vegetables and have other legitimate purposes but frankly since we have other tools for that, like scissors, we really have no real legitimate use to sell knives anymore.

    Yes Kent, that is exactly how your argument sounds in real life. I understand that this ‘blog posting’ is really an advertisement for your company but do not assume all of your potential customers are morons. You can inform people of the dangers at hand while letting them know you have a product that can help them without villainizing a legitimate tool used for security professionals.

  37. Smith says:

    Oh really so it can’t be used as a regular router, wireless extender or as a 3G modem? Those all seem like legitimate uses to me. We all know how you people get off and get higher traffic with panic inducing news.

  38. jeicrash says:

    Blah! This is some of the saddest advertising I’ve seen in a short while. The pineapple is a router with some extra software on it. The same software this guy touts the “professionals” use. Honestly, let’s go over a few things you can do with the WP without breaking the law.

    1. Use it as a router (BIG DUH! that’s what it is)
    2. Enable non-Wifi devices to connect to wifi networks over ethernet (Use it as an ethernet to wifi adapter)
    3. Cell phone hotspot, connect a cell usb data card supported by the OS and use it as a hotspot
    4. Test box for anything wifi security related. Instead of lugging around a router, the WP is much smaller than most, costing about the same. Take it for lan parties (a little Capture the flag?)
    5. Umm, as it was designed, a portable wifi pentest box. I used to lug around a netbook, my tablet, and phone. Now all I really need is a WP and my phone. Although some clients tend to think you’re not doing the job as well. But that’s because they don’t understand what’s being done in the first place.

    I could probably go on, but as this article is very old, I doubt it’s getting many views nowadays.
    Cheers from one of the “Novice Hackers” with only 20 years experience and certifications. :(

  39. iteratee says:

    If this has “no legitimate use” then you should throw your home router in the trash – a similarly dangerous hacker tool.
