Hackers use hidden device to manipulate news at Wi-Fi hotspots

What if you are reading the news and some startling and almost unbelievable headline caught your eye such as "U.S. wants Assange as head of Defense Department"? That would surely be something worth sharing on Facebook or tweeting about? But after you share it, people quickly reply to let you know the headline says no such thing. Yet you can clearly see that it does, so what gives? If you happened to be reading the news at a Wi-Fi hotspot, chances are that you've been had by Newstweek.

If a device called Newstweek is plugged in at a wireless hotspot, then people connected to that Wi-Fi can have all media content modified, changed or otherwise edited by a hacker who is operating from a remote location.

Tech savvy Berlin-based artists Julian Oliver and Danja Vasiliev came up with the Newstweek project to address the potential of how "trustworthy" news can be manipulated and controlled by the "gatekeepers." Newstweek is a fascinating yet terrifying reminder of how our trusted media content can easily be censored or modified to manipulate public perception of what is happening in the world. The creators point out "Data from Reporters Without Borders" as an illustration of "a world increasingly seen through a filter of government-issued data surveillance."

Here's a short video of Newstweek in action, but you can also check out the longer and more detailed video.

I found Newstweek to be so intriguing, I interviewed the creators, Julian Oliver and Danja Vasiliev.

Interview with Newtweek creators

If Newstweek was conceptualization in December 2010 at the 27TH Chaos Communication Congress held in Berlin, Germany, when did you make it a real working device?

Julian & Danja: In the first week of January, 2011.

newstweek-detail-thumb.jpg

Can you change anything on webpage, not just the title? 

Julian & Danja: Indeed! For instance an URL to an image, encountered in the clear text of the HTML itself, can easily be substituted for another URL to another image resource.

The entire concept is scary, but if a person was like OMG and tweeted it -- for example -- the person on the other end would see the real headline or article, correct?

Julian & Danja: Correct. The manipulation is entirely local to the user associated with the hotspot under attack. 

I realize it is covered on Newstweek, but is Newstweek your site?

Julian & Danja: Yes. It's a spoof-website that demonstrates the ultimate power of Newstweek; we can potentially take any website (like newsweek.com) and replace its contents entirely. It also served well to brand the project and as such caught a lot of attention. It was somewhat telling just how many people took it as a real site with real journalistic intent.

I also read about it here, so did security researchers from Critical Engineering describe and figure it out correctly?

Julian & Danja: That was us, using a journalistic style to explain the underpinnings of the project. It worked! That same text was cited all over the place, people simply taking what they read as a given.

Do you have future plans for the device?

Julian & Danja: A 'do it yourself' manual will be released soon, enabling anyone with a little patience to put together a Newstweek device. The price for the parts comes to under 50 euro at the time of writing.

newstweek-infrastructureBlend.jpg

The same functionality can be easily reproduced on any PC running GNU/Linux, however the ability of a Newstweek device to blend into its surroundings and remain engaged for a continuous period of time is important. This is why we opted for a 'pass-through' electrical socket - it looks like part of the infrastructure.

Do you suppose anyone is using such a device to manipulate the news?

Julian & Danja: With the broad penetration of wireless networks we are sure there will be many cases where news and other content has been manipulated for strategic and/or merely playful reasons.

This works only at Wi-Fi hotspots. Does it grab the password per computer in order for the device to be used in changing the news?

Julian & Danja: The beauty of this attack is that it's entirely password free. In fact, there's no real 'break in' at all.

With the exception of Solaris systems, all operating systems are vulnerable to this form of network attack due to a basic flaw in the way modern networks are implemented. By design, all devices on a network respond to Address Resolution Protocol requests by other members asking them to report their hardware (MAC)address and their network (IP) address. By responding to these requests with false mapping, the ARP table on both client and router can be re-written to position the attacking device as a virtual router on the network. The center of all network traffic, it effectively owns the network.

Do have any advice on how to best secure a computer against such an attack?

Julian & Danja: Using a Virtual Private Network for connecting to the Internet would eliminate the chance of being 'newstweeked' entirely. Users can also (mostly) rely on SSL to protect their traffic from manipulation. Naturally the server has to provide that SSL connection. To our knowledge no news sites do this.

If you're lucky enough to be served SSL (with a trusted certificate) vigilance is still important. Using techniques such as SSL stripping, encrypted traffic can be 'proxied' through a standard HTTP connection fooling less astute users they are receiving encrypted traffic as usual. Users should always be sure to watch out for the absence of that little padlock and other visual cues provided by the application brokering the supposed secure transaction. If they are not there it is likely their secure connection has been stripped and they are vulnerable to manipulation, data theft, snooping and general nastiness.

On the network level itself, administrators can install utilities like arpwatch to keep a close eye on traffic going over the router and signal when someone is manipulating the ARP table. This requires a relatively high level of knowledge however, far more than the average cafe owner would have at their disposal.

If watchdogs against ARP spoofing are in place the attacker can still fall back on other strategies like DHCP spoofing - handing out leases to clients that point all traffic back to the attacking device. The attacker can also just simply install a rogue AP with exactly the same ESSID as the hotspot clients expect to connect to. With the addition of an antenna amplifier, the device will appear as the best candidate for association; many clients (smartphones, laptops) will then default to your rogue AP rather than the weaker off-the-shelf router normally found at their cafe or library.

In short, there are many ways to exploit a wireless network and manipulate the data going over it.

Do you see this rogue device or one like it being able to hijack an entire news website?

Julian & Danja: For sure, in fact it would be possible just to perform a simple DNS spoof and redirect an unwitting user to an entirely fabricated news site. Naturally however most new sites are very complex, with plenty of javascript and server side code responsible for what the user actually reads on their computer. This is not easy to duplicate at all and so 'tweeks' to individual bodies of content delivered by the the actual server are much easier to perform. 

That article says it is causing havoc in hotspots throughout Europe - is that correct?

Julian & Danja: It is and it seems to be going global. Since publishing the project and outlining the hardware and software used we have heard of multiple Newstweek interventions in Germany, Netherlands and more recently in Brazil. This is an unintended consequence of our research.

Is the point behind this to raise awareness or to mess with people or -- what is the point behind Newstweek?

Julian & Danja: News journalism has long been the target of manipulation by propagandists, lobbyists and governments. Newstweek represents a fresh dimension to news manipulation in an era where such content is increasingly distributed wirelessly; a tactic that is 'on the ground', civilian and without need of a lobbyist's budget.

This form of attack could indeed be used to mass effect - in a location such as an airport, convention, hotel or university library - by those wishing to 'fix back' news they believe is not correct and or biased. If performed with care and timing, those exposed to that modified news would literally leave that access point with altered world views. It could be used to mass detriment, mass gain or just for 'fun'.

More broadly however we created this project to raise awareness as to the increasingly network-dependent reality of modern times; that far too much trust is placed in all the hardware and minds that deliver the content that eventuates in the browser. Even without devices like Newstweek there are a vast number of people along the chain of delivery - from people working at ISPs, to those working at large infrastructural switches and even at the origin of the data itself - that have a tremendous amount of power to manipulate the browser-delivered reality widely accepted by readers.

Where WiFi itself is concerned, we also wish to expose a basic contradiction in the way people feel about security relating to the technology. We generally accept that a part of public life is overhearing the conversations of others; their audible emmissions are easily read. Why then not for wireless communication? If the air we breathe is considered public, why not that which passes through it?

802.11 devices like those in smartphones, tablets and laptops are, by definition, radio devices. Just as with AM/FM, all one needs to do is tune in.

Any other information that you have, or would like the public to know about this, please let me know.

Julian & Danja: Newstweek is made entirely using free, open source software components and tools available online. We tie it all together with shell scripts and build it into an embedded GNU/Linux distribution. 

People were naturally disturbed by the idea of Newstweek, that such a thing as seamless content manipulation on wireless networks is so feasible. For this reason we've had to work hard to make videos to prove it actually works! Even now there are less educated naysayers out there that haven't studied our longer video in the company of someone more knowledgeable and have decided it simply isn't possible.

Our HOWTO, coming in the next days, will change all that. "Stay tuned"!

newstweekLogo.gif

Now think again about the headline "U.S. wants Assange as head of Defense Department" and realize that it is entirely possible for your trusted news site to be censored, manipulated and modified to report whatever the "gatekeeper" wants you to believe is true. As Oliver and Vasiliev said, "A strictly media-informed reality is a vulnerable reality."

Image Credits: Newstweek creators Julian Oliver and Danja Vasiliev

Join the discussion
Be the first to comment on this article. Our Commenting Policies