The horror stories are almost as endless as the Internet itself. Laptop-toting customers are being hacked at coffee shops. Guests are being digitally pick-pocketed in hotel lobbies. Travelers’ smartphones are getting snooped on in airports.
In an age of ever-increasing digital security, how can this be happening? It turns out you can blame pineapples.
“The Wi-Fi Pineapple is a tool that makes fake Wi-Fi hotspots that automatically match the name of whatever network devices have previously connected to,” says Ben Miller, a Wi-Fi consultant and blogger with Sniff Wi-Fi.
The device, which has been around since 2008, is marketed as a tool for so-called “white hat” hackers, who test networks for vulnerabilities that bad guys might exploit. It has become smaller, less expensive, and more powerful over the years. The newest version, the Wi-Fi Pineapple Nano, costs just $99 and looks like a mobile data dongle, camouflaging it in plain sight in Wi-Fi-friendly places like airplanes, airports, and coffee shops.
Recently, a newspaper columnist claimed to have been hacked while airborne, using American Airlines’ Gogo in-flight Internet service. Airplane cabins, like coffee shops and airports, are the perfect place for a hacker to deploy the Wi-Fi Pineapple, says Miller. “Hackers can sit there without raising suspicion, because it’s normal to be on a laptop for a long period of time in those places,” he says.
Miller says the Wi-Fi Pineapple connects to laptops, smartphones, and tablets in two different ways. One way is by programming the device to broadcast an SSID (that’s the “service set identifier,” also known as a Wi-Fi network’s name) that’s identical to one in popular use. So that “Marriot_Guest,” “hhonors” or “gogoinflight” network that your computer or mobile device detects may be a trap.
The other way the Wi-Fi Pineapple locks onto devices is even more insidious, using your “trusted networks” against you. Computers and mobile devices all have trusted networks — they’re the legitimate Wi-Fi networks that your gear connects with every day, including your home network, your work wireless connection, and the one at your favorite Starbucks, for example.
When your computer or mobile device’s Wi-Fi is turned on but not connected, it probes for trusted networks by sending out signals with their names. If these probes happen to hit a Wi-Fi Pineapple, the hacking hardware will mirror one of your trusted network names, causing your computer to automatically connect with it. And once the pineapple has you, you’re vulnerable and unaware.
But there are ways to avoid the trap. The easiest solution is to turn your device’s Wi-Fi connectivity off before you encounter a suspect area. This will also turn the device’s probing functionality off.
But if you forget or opt not to do that, be aware that not every device probes the same way. For instance, Mac laptops probe right after you open the lid, making them more at risk, says Miller. “Only open the Mac and keep your Wi-Fi on if you’re near a good Wi-Fi network,” he advises.
Android and iOS devices are somewhat safer because they probe in different ways. But you should still be sure to shut off your Wi-Fi if you’re away from home or the office.
For the best protection against Wi-Fi Pineapples, use a Windows computer. “For Windows devices, there’s a checkbox — you can choose to ‘connect automatically,’ or not.” Whenever you’re connecting to a new, trusted network, checking the ‘connect automatically’ box will save the network’s information on your Windows computer. Then, if you go into the properties for that network, there’s an additional checkbox (select “this is a non-broadcasting SSID”) for the probing behavior.
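To check which saved Windows networks carry the two settings discussed above, the following added example (not from the article or from Miller) audits profiles exported with `netsh wlan export profile folder=.`. It flags profiles that connect automatically to an open network and profiles marked as non-broadcast; the sample profiles, including the name "HomeNet", are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
RISKS = {
    "open-autoconnect": "joins automatically with no credentials, so any AP using this name is accepted",
    "directed-probe": "marked non-broadcast, so the device sends probes naming this SSID",
}

def audit_profile(xml_text):
    """Return (ssid, [risk codes]) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)

    def text(path, default):
        node = root.find(path, NS)
        return node.text.strip().lower() if node is not None and node.text else default

    ssid_node = root.find("w:SSIDConfig/w:SSID/w:name", NS)
    ssid = ssid_node.text if ssid_node is not None else "(unnamed)"
    # A missing connectionMode is treated as "auto" here, the cautious reading.
    auto = text("w:connectionMode", "auto") == "auto"
    hidden = text("w:SSIDConfig/w:nonBroadcast", "false") == "true"
    auth = text("w:MSM/w:security/w:authEncryption/w:authentication", "unknown")
    risks = []
    if auto and auth == "open":
        risks.append("open-autoconnect")
    if hidden:
        risks.append("directed-probe")
    return ssid, risks

def sample(ssid, mode, auth, hidden):
    """Constructed profile in the exported layout; not taken from a real machine."""
    return (f'<WLANProfile xmlns="{NS["w"]}"><name>{ssid}</name>'
            f'<SSIDConfig><SSID><name>{ssid}</name></SSID>'
            f'<nonBroadcast>{str(hidden).lower()}</nonBroadcast></SSIDConfig>'
            f'<connectionType>ESS</connectionType><connectionMode>{mode}</connectionMode>'
            f'<MSM><security><authEncryption><authentication>{auth}</authentication>'
            f'<encryption>{"none" if auth == "open" else "AES"}</encryption>'
            f'</authEncryption></security></MSM></WLANProfile>')

if __name__ == "__main__":
    for p in (sample("gogoinflight", "auto", "open", False),
              sample("HomeNet", "auto", "WPA2PSK", True),
              sample("hhonors", "manual", "open", False)):
        ssid, risks = audit_profile(p)
        print(ssid, "->", [RISKS[r] for r in risks] or "no findings")
```

Profiles flagged `open-autoconnect` are the ones to switch to manual connection or delete.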
Despite how disruptive and dangerous the Wi-Fi Pineapple can be, it is a tool used by networking professionals to test network security. As a result, it’s completely legal for anyone to buy. But some lawmakers are calling for them to be banned, bringing security to the airwaves.