FaceNiff takes Firesheep mobile, hacks Facebook and Twitter accounts in seconds - wicknicks
http://thenextweb.com/apps/2011/06/02/faceniff-takes-firesheep-mobile-hacks-facebook-and-twitter-accounts-in-seconds/

======
Jun8
This may be impossible to prevent (for non-https users) but can't it at least
be detected, i.e. in a coffee house setting, since the probability of two
devices requesting the same user's FB page under normal circumstances is
almost nil. Then you can let all requesters know and block any further
traffic.

IDEABOLT: How about a startup selling self-contained routers to e.g. Panera,
Starbucks, or B&N that can add this extra security. Then they can advertise
this as an extra differentiating feature.

------
archivator
Can someone knowledgeable elaborate on how this works? I'm not well versed in
wi-fi MITM techniques. Does it inject packets, pretending to be from
Facebook's servers, or is there some other trick to it?

~~~
dspillett
It isn't a MiTM attack, it is a listening-in attack.

A wireless network is essentially a hub, rather than a switched network, and
as such _all_ hosts on one leg of the network get to see _all_ the packets
transported through it no matter what their source or destination and it is up
to your network card and/or OS to filter out those that are relevant to it. In
a switched arrangement (which all modern wired networks are) by contrast, the
switch is bright enough to only send your NIC ethernet frames that are
addressed to it.

Even if the network is passkey protected this does not stop all hosts seeing
all the packets: the password and encryption are only for authentication and
protecting the network from the outside, it offers no protection from other
nodes on the same network leg once you have joined.

So an attack like firesheep doesn't need to inject anything pretending to be
from the target node to get facebook to send it the session token - it simply
sets the network interface to "promiscuous mode" so that it can see all the
packets and not just those addressed to your machine. It then sifts through
those packets looking for HTTP headers containing cookies destined for
facebook, and reads the session token from them. Once you have that token you
can make HTTP requests to facebook as if your browser is the one that opened
that session, so you can post as that user and read all their stuff without
knowing their password. The same goes for any other service operating over
plain HTTP.

The only way around this with current wireless protocols is to use a secure
transport for your communications. SSL based protocols, like HTTPS for
instance, would protect the content of the communication from such inspection.
The same goes for SSH, SFTP, IMAPS, and so forth. For facebook specifically
you can switch on the "always use HTTPS" security option to protect yourself
if using a web browser to access the service, _but_ be aware that neither the
iPhone nor the Android applications currently respect this setting.

If I ever connect my netbook to a public wireless network I always run all
communication through an OpenVPN setup that I have - this way all packets
travelling in and out of my machine are encrypted in a way that protects them
from inspection by other hosts on the same access point, even if the packets
themselves are not protected (by being part of an HTTPS stream for instance).
This probably isn't an option for the non-technical man-on-the-street, nor
does it currently protect streams direct from my phone (though I'm told
OpenVPN can be made to work on Android, I have yet to try) if I ever let it
connect to a public wireless access point, so isn't a perfect solution.
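
Two points in the thread lend themselves to a server-side check: Jun8's suggestion that a hijack can be detected when the same user's session shows up from two devices, and dspillett's point that only the tokens sent over plain HTTP are exposed to a listener on the same wireless segment. The script below is an added example, not code from the article, from FaceNiff or Firesheep, or from any commenter. It parses a constructed access-log format (client IP, scheme, path, User-Agent, and a `sid` session cookie; the field layout and the function names are this example's own assumptions), lists which session cookies travelled over plaintext HTTP, and flags any cookie presented by more than one distinct client, which is the signal a site would act on by revoking the session and alerting the affected user.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the page or any real site).
# One request per line, in the assumed format:
#   <client_ip> <scheme> <path> "<user_agent>" sid=<session_cookie>
SAMPLE_LOG = """\
10.0.0.5 https /home "Mozilla/5.0 (X11; Linux)" sid=abc123
10.0.0.5 https /messages "Mozilla/5.0 (X11; Linux)" sid=abc123
10.0.0.9 http /home "Mozilla/5.0 (Android)" sid=def456
10.0.0.9 http /feed "Mozilla/5.0 (Android)" sid=def456
10.0.0.23 http /feed "Mozilla/5.0 (Windows)" sid=def456
10.0.0.42 https /home "Mozilla/5.0 (iPhone)" sid=ghi789
"""

LINE_RE = re.compile(r'^(\S+) (https?) (\S+) "([^"]*)" sid=(\S+)$')


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, scheme, path, ua, sid = m.groups()
        records.append({"ip": ip, "scheme": scheme, "path": path, "ua": ua, "sid": sid})
    return records


def plaintext_sessions(records):
    """Session cookies that were sent over plain HTTP at least once.

    These are the tokens a passive listener on the same wireless segment
    could have copied; cookies that only ever travelled inside HTTPS are
    not exposed that way.
    """
    return {r["sid"] for r in records if r["scheme"] == "http"}


def shared_sessions(records):
    """Map each session cookie to the distinct clients that presented it.

    Only cookies seen from more than one (ip, user_agent) pair are returned;
    one user normally drives a given session from one device at a time.
    """
    clients = defaultdict(set)
    for r in records:
        clients[r["sid"]].add((r["ip"], r["ua"]))
    return {sid: c for sid, c in clients.items() if len(c) > 1}


def hijack_report(records):
    """Sessions to revoke, with whether they were HTTP-exposed and whom to notify."""
    shared = shared_sessions(records)
    exposed = plaintext_sessions(records)
    return {
        sid: {
            "exposed_over_http": sid in exposed,
            "notify": sorted(ip for ip, _ua in clients),
        }
        for sid, clients in shared.items()
    }


if __name__ == "__main__":
    for sid, info in hijack_report(parse_log(SAMPLE_LOG)).items():
        print(f"revoke {sid}: http-exposed={info['exposed_over_http']} "
              f"notify={info['notify']}")
```

On the sample data only `def456` is flagged: it was sent over plain HTTP and then presented by a second client. Keying on (IP, User-Agent) rather than IP alone matters because every device behind a coffee-shop NAT reaches the server from the same public address; the flip side is that a replaying client can copy the victim's User-Agent, so this check catches careless reuse rather than a careful one, and the real fix remains the one dspillett names, keeping the session on HTTPS end to end.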

~~~
Total_Meltdown
> A wireless network is essentially a hub, rather than a switched network, and
> as such all hosts on one leg of the network get to see all the packets
> transported through it no matter what their source or destination

The article claims that it works on WPA-2, but WPA-2 doesn't work the same
way. WPA-2 uses individual encryption between the router and the device. This
happens to be one of the biggest reasons it's recommended over unencrypted or
WEP encryption, which are both passively sniffable. With WPA-2, you don't get
all traffic on the network, you have to trick hosts on the network to
explicitly send it to you.

To sniff WPA-2 traffic, this app must generate some kind of active MITM
attack, probably ARP spoofing or flooding. I feel [very slightly] bad for the
poor guy who tries this on his campus network and gets nailed in about four
seconds.

~~~
dspillett
If you connect _before_ the eavesdropper then WPA-2 will protect you as you
will have a per-client key by that point.

But if the eavesdropper was present on the network as you joined I believe it
is possible to intercept that key during the negotiation process, due to flaws
in the design of that process.

------
rlorenzo
Do the Facebook/Twitter mobile apps connect to their servers via SSL? Is this
only a problem if you use the web version via your mobile phone?

~~~
pyre
This doesn't just affect mobile usage of social networks. It's basically just
FireSheep running on a mobile platform. Anyone accessing those social
networks over a network with someone running this is vulnerable.

