Sneak Pineapple peak: Hak5 creates even more lethal Wi-Fi hot spot honeypot hacking tool

Wireless devices conveniently search for Wi-Fi networks that they remember connecting to in the past, so when the router tells the device 'Yes, I'm your corporate wireless network,' then your device's network software automatically connects to that familiar network. While that connectivity feature makes it easy for your smartphone, laptop, tablet or other computing device to get online, it's also a vulnerability that should make you slightly suspicious of any Wi-Fi. If another device is between you and the router, but says 'Oh yes I'm the familiar such-and-such wireless access point' and you connect to it instead? Then say hello to a man-in-the-middle attack. A MITM attack allows a hacker to secretly nab passwords and all other data off your device. One such "hot spot honeypot" device that can easily exploit that vulnerability is Hak5's WiFi Pineapple which Revision3 Tekzilla host Patrick Norton called the "the little plastic Pineapple of Doom."


Well the Pineapple is back and in hacker-loving black. If you are a geek, IT ninja, security professional, hacker hobbyist or hardcore gamer, then it's likely you have heard of the great tech show Hak5 and Darren Kitchen who is one of the Hak5 hosts. At the hacker convention ShmooCon, Kitchen gave a sneak peak of the new WiFi Pineapple Mark IV which "is a huge leap forward for the fruitful Wi-Fi-focused penetration testing platform." With the new and improved Pineapple, "gathering interesting packets, spoofing DNS, watching web traffic and more is just a click away." Previous WiFi Pineapple hacks included auto-Rickrolling, phishing and session hijacking. I had the pleasure of interviewing Darren Kitchen about the soon-to-be-available WiFi Pineapple Mark IV.

When will the WiFi Pineapple Mark IV that you announced at ShmooCon 2012 become available?

Kitchen: It goes on sale at starting in the last week of February.

How did you make the WiFi Pineapple even better?

Kitchen: By working directly with our favorite wireless vendor, Alfa Networks, we were able to put together a wireless attack platform that meets all of the needs of hackers and penetration testers alike, while maintaining a hobbyist price. The addition of a second Ethernet port, USB and 802.11n gives us the ability to, for example, insert the device in-line between a target computer and the network allowing us to view all of the Internet traffic flowing in-between. I'm really excited about the possibility of deploying a fleet of battery powered WiFi Pineapples equipped with 3G modems anywhere and centrally managing all of the wireless attacks in the cloud -- something I'll be demoing at my SXSW panel in Austin this March.

There are ways to protect yourself from WiFi Pineapples. You use a 'Pineapple Alert.' How does your 'Pineapple Alert' let you know that you were almost sucked into a Wi-Fi honeypot?

Kitchen: The fundamental premise of a WiFi Pineapple's attack is simply lying to a nearby laptop, tablet or smartphone -- saying "Yes, I am the network you're looking for". I add a network on all of my devices called "Pineapple Alert" - so my phone for example is constantly looking for it. If "Pineapple Alert" shows up in my list of nearby access points I'll know there's a WiFi Pineapple nearby. While there are workarounds to mitigate the attack, such as disabling the "automatically connect to remembered access points" feature in most operating systems, I simply bypass WiFi completely when out and about using a 3G USB modem instead -- but then again I'm rather paranoid.

What are the best, most creative ways you've heard of the WiFi Pineapple being used by pen testers?

Kitchen: We get reports from time to time from law enforcement agencies who've used the WiFi Pineapple to aid in investigations, though never a whole lot of details. One of the more creative and funny uses of the WiFi Pineapple was demo'ed to me at the DEFCON hacker conference in Vegas a while back. Hak5 viewer John Bebo configured his WiFi Pineapple to forward all web requests to a landing page containing ASCII art of Rick Astley and the song "Never gonna give you up". What could be more fun than rick-rolling a concourse full of WiFi users at the airport?

Would you like to say something to the stupid, uninformed, who believe Hak5's WiFi Pineapple, or the lethal but cute USB Rubber Ducky, are just "toys" created by "clowns" with "no legitimate use" other than being nefarious hacking devices? 

Kitchen: The WiFi Pineapple and USB Rubber Ducky could have just as easily been called the WiFi Auto-Probe-Response Attack Platform and the USB Human Interface Deceit Device, but we're hackers -- not security appliance vendors. Our products are just as legitimate as any of the other professional penetration testing drop-boxes, though ours are more tongue-in-cheek and affordable. The company that claims we're clowns for packaging WiFi auditing tools in an easy-to-use device never contacted us for a quote, and interestingly enough they sell expensive VPN services they claim protect users from our tools. Imagine that. Furthermore the claim that the device has "no legitimate use" contradicts the countless government agencies and penetration testers who've used the WiFi Pineapple in authorized security audits.

Hak5 has created splendid penetration testing tools. In the computer security field, inspiration comes from a plethora of places such as reading about a security flaw, being a victim of vulnerabilities, hunting exploits on specific targets, deciding to educate the clueless, or thinking like a black hat for better white hat defenses. So where do these Hak5 creation ideas originate?

Kitchen: When I was little my favorite 007 character was Q, so I'm fascinated with building gadgets for hackers. I like the physical manifestations of a hack and primarily focus on taking advantage of the inherent flaws in the computer/human trust relationship. Also I like putting deadly hacker hardware inside rubber duckies, pineapples and monkeys then anthropomorphising 'em with cartoons. That's just good fun.


Thank you Darren and please do keep creating fun and useful security tools. Don't forget to check out the soon to be released WiFi Pineapple Mark IV.

Copyright © 2012 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon