
Hacking WiFi to inject cryptocurrency miner to HTML requests (CoffeeMiner) - petteralexander
http://arnaucode.com/blog/coffeeminer-hacking-wifi-cryptocurrency-miner.html
======
moepstar
I've thought about adding something like this to my guest wifi to mine some
cryptocurrency - but quickly dismissed it as most guests would need to use a
charger soon(ish) and thus using my electricity :P

~~~
rocky1138
It's also a scummy thing to do and sets a terrible precedent. Do you want
friendly customers on your WiFi or do you want angry customers who feel
cheated when they learn the truth?

~~~
jstanley
I think it was basically a joke, and I think his "guests" are friends, not
customers, and would therefore be likely to appreciate the joke even if he
actually did it.

~~~
rocky1138
Ah, okay :)

------
mawalu
I find it funny how, even after publishing this post, the author hasn't
configured a http -> https redirect for his own site.

~~~
Myrmornis
Your sense of humour must be very unique.

------
diegorbaquero
Excellent write up. That’s why we need SSL/TLS with HSTS. Pure HTTP, especially
in public WiFi, is dead.

~~~
dx034
Since we won't get https everywhere soon, is WPA2 on a public Wifi with a
publicly known key a workaround? Should prevent plain MITM?

~~~
pnutjam
If you control the AP, you should disallow client to client communication.
Most APs and routers allow this and it would mitigate this risk.

~~~
rocky1138
Is there any way to mitigate this without limiting abilities of people on the
network? It kind of destroys the point of a LAN.

~~~
dx034
Did you ever use LAN functionalities in public Wifi (e.g. Starbucks)?

~~~
reaperducer
I did once at a hotel. Someone on the LAN kept what appeared to be his entire
MP3 collection in his Shared folder. So I downloaded the whole thing.

Turned out he had crap taste in music and I ended up deleting my copy.

------
poxrud
This is why it's important to always use a VPN when connecting to an untrusted
wifi, such as a coffee shop or airport wifi. Either pay $3 /month to a
provider or setup your own with something like pivpn.

~~~
Matt3o12_
One problem I have with that is: by the time I’m connected to WiFi, I don’t
know how much traffic has already passed through before I could activate the
VPN. How many background tabs suddenly realized that they had internet again
and started sending information (and how many of those used insecure, third
party scripts?). Many apps/programs also seem to happily start phoning home as
soon as they got WiFi.

I used to have little snitch[1] set up custom rules depending on where I’m
connected (allow only local network on unknown WiFis until connected to a
VPN) but that never really worked well because some WiFis allowed third party
IP addresses (to tracking scripts or their home page) which meant I got to
track down this IP and add a temporary rule for that. Suddenly quickly
connecting to hotspots often became a tedious 10 minute process. This also had
the positive side effect that I could prevent A LOT of apps from phoning home
but at the end it was not worth all the hassle (because almost nothing just
worked) and I decided not to install little snitch for my current
installation. The only time I really miss it is when I connect to my phone
hotspots because I’m always afraid application XYZ decides to download an
update and eat my (very limited) mobile bandwidth.

Furthermore there is no way to do that on my mobile phone where I have even
less control. My current solution is to never connect to free WiFi
networks in the first place and in the few cases I need to, just hope that the
provider is not evil. This sucks when I’m on vacation, though, because I’m at
their mercy.

[1]: a very flexible application-based firewall which allows you to set which
app is allowed to connect to with ip/dnsName:port
[https://www.obdev.at/products/littlesnitch/index-en.html](https://www.obdev.at/products/littlesnitch/index-en.html)

------
cesarb
Given the recently disclosed vulnerabilities, instead of a cryptocurrency
miner, it could be a Spectre exploit trying to scan and exfiltrate data from
the computer's memory. We might be now at the point where disabling all
Javascript for non-HTTPS pages is a good default.

~~~
freeone3000
Why do HTTPS pages get a pass? Between CDNs and ad networks, there's a ton of
code out there. At some point, we decided that a magical protective box could
make it okay for random people on the internet to run code on our machines. We
keep finding this premise to be flawed, with Applets, and with Flash, and now
with Javascript, and we always say "oh, if only we had a better protective
box, it would have prevented this specific form of attack". Maybe the premise
is flawed. Maybe no box is strong enough. Maybe we should stop running code
from websites.

~~~
mr_toad
> Maybe we should stop running code from websites.

Which would mean that even something as simple as an up-vote on a comment
would require a full page refresh from the server. The lag would probably kill
most social media.

You could be on to something there.

~~~
dmichulke
> as simple as an up-vote on a comment would require a full page refresh

There are certainly ways to solve this declaratively.

~~~
ateesdalejr
One of them being making all form submits asynchronous and not reload the
entire page. Or the server sends only the bytes that it changes back.

------
mnx
This is (one of the reasons) why we need https.

------
dre85
I guess all it takes is one request to a non-https site?

~~~
YCode
Well, one persistently active tab with a non-https site open.

I suppose you could configure the rogue AP to have one of those registration
pages but the registration page tells them the WiFi will only work so long as
they keep that tab open.
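
Added example (not from the article or anyone in this thread) tying together diegorbaquero's point about HSTS and dre85's question about a single non-HTTPS request: an offline checker that parses a Strict-Transport-Security header and works out whether a first-time visitor, or a returning one, would still send plaintext HTTP on a hostile network. The hostnames and responses are constructed; a real check would fetch them.

```python
import re

# Constructed responses (not captured from any real site): what a client would
# receive for the http:// and https:// versions of two hypothetical hosts.
SAMPLE_RESPONSES = {
    "strict.example": {
        "http": (301, {"Location": "https://strict.example/"}),
        "https": (200, {"Strict-Transport-Security":
                        "max-age=31536000; includeSubDomains; preload"}),
    },
    "plain.example": {
        "http": (200, {"Content-Type": "text/html"}),
        "https": (200, {}),
    },
}

MIN_MAX_AGE = 31536000  # one year, the usual minimum recommended for HSTS


def parse_hsts(value):
    """Split an HSTS header value into (max_age, include_subdomains, preload)."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip().lower()
        m = re.fullmatch(r"max-age=\"?(\d+)\"?", d)
        if m:
            max_age = int(m.group(1))
        elif d == "includesubdomains":
            subs = True
        elif d == "preload":
            preload = True
    return max_age, subs, preload


def assess_host(host, responses=SAMPLE_RESPONSES):
    """Rate how exposed a host's visitors are to plaintext injection on a hostile LAN."""
    http_status, http_headers = responses[host]["http"]
    _, https_headers = responses[host]["https"]
    location = http_headers.get("Location", "")
    redirects = http_status in (301, 302, 307, 308) and location.startswith("https://")
    hsts = https_headers.get("Strict-Transport-Security")
    max_age, subs, preload = parse_hsts(hsts) if hsts else (None, False, False)
    return {
        "redirects_to_https": redirects,
        "hsts_present": hsts is not None,
        "hsts_long_enough": max_age is not None and max_age >= MIN_MAX_AGE,
        # The very first http:// request still leaves in the clear and its redirect
        # can be tampered with unless the browser already ships the host as preloaded
        # (which this offline check only infers from the preload directive).
        "first_visit_exposed": not (redirects and preload),
        "returning_visit_exposed": not (hsts is not None and max_age),
    }
```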

------
beiller
Interesting method, but yes; wouldn't HTTPS prevent this script from being
injected? Trying to get awareness for my own original miner written from
scratch [https://www.sparechange.io/](https://www.sparechange.io/) Interesting
learning WASM.

------
rishabhsagar
Some buildings (hostels and shared accommodations) have shared internet
(secured with WPA2). This type of attack might be particularly profitable in
such situations.

~~~
jonwachob91
Wouldn't WPA2 protect users from an attack like this?

~~~
frenchie4111
Not if the attacker knows the password (which is probably just listed on the
wall in the hostel)

------
spraak
Does someone need to have control of the router to do this? Or how could it
work otherwise?

~~~
cakebrewery
It's in the article. He spoofs the MAC address to trick the gateway into
thinking the attacker is the victim.
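
Added example (not from the article or this thread) showing the defender's side of what cakebrewery describes: the gateway's IP suddenly being claimed by a second MAC is the observable symptom, and a host on the LAN can flag it. The ARP replies and addresses below are constructed; in practice they would come from a capture or the host's ARP cache.

```python
# Constructed sample of ARP replies as a LAN monitor might log them:
# (seconds since start, sender IP, sender MAC). The gateway 192.0.2.1 is first
# announced by one MAC, then a second MAC starts claiming the same IP.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),
    (1.0, "192.0.2.23", "00:11:22:33:44:23"),
    (2.0, "192.0.2.1", "00:11:22:33:44:01"),
    (3.5, "192.0.2.1", "AA:BB:CC:DD:EE:FF"),  # conflicting claim for the gateway
    (4.0, "192.0.2.1", "aa:bb:cc:dd:ee:ff"),
    (5.0, "192.0.2.23", "00:11:22:33:44:23"),
]

GATEWAY_IP = "192.0.2.1"  # assumed gateway address of this constructed LAN


def find_arp_conflicts(replies):
    """Return (ip, first_mac, new_mac, t) for every reply that maps an IP to a
    different MAC than the one first seen for it. MACs are compared
    case-insensitively; the first binding observed is treated as the baseline."""
    first_seen = {}
    conflicts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        if ip not in first_seen:
            first_seen[ip] = mac
        elif first_seen[ip] != mac:
            conflicts.append((ip, first_seen[ip], mac, t))
    return conflicts


def gateway_is_contested(replies, gateway_ip=GATEWAY_IP):
    """True when more than one MAC has claimed the gateway IP, which is the
    condition under which a client's traffic can be silently rerouted."""
    return any(c[0] == gateway_ip for c in find_arp_conflicts(replies))
```

A baseline taken on a network that is already under attack will of course be wrong, so in practice the gateway's MAC is better pinned from a known-good observation.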

------
hellbanner
(OT: petteralexander's name shows a different color than other usernames.
Why?)

~~~
mschuster91
New users are green, iirc 50 or 100 karma points required to get normal grey

~~~
0xWilliam
Feels like they are superior to us based on his color.

~~~
rocky1138
That's probably a cultural thing. In some cultures, red is superior to green.

Really, it's not about them being better or worse than a user with more karma.
It's just a signal to everyone that this person might be advertising or
astroturfing.

~~~
parmesan
What?! I didn't know it indicates that the user is "untrusted", I'm from
Sweden and my impression has been that the green users are super users of some
kind.

~~~
ateesdalejr
That was my impression as well. I never knew that. Guess it's good to know
though.

------
simooooo
Won't modern browsers block this anyway?

------
rhlala
HTTPS Everywhere extension fixes it, right?

------
rootsudo
This is great! Wow!

