Secplicity – Security Simplified

HBO’s Silicon Valley Showcased Wi-Fi Man-in-the-Middle Pineapple Attacks

Photo: HBO
If you’re not watching the American comedy on HBO, Silicon Valley, you’re missing out on some hilarious moments around California’s Silicon Valley area.  The stars of the show are a small group of software developers and a Bay Area startup incubator character named Erlich who form the startup Pied Piper. They take the audience through outrageous experiences only possible in California including VCs throwing millions of dollars at anyone who mutters the letters “VR” together in a sentence, and the idea of “negging” or insulting an investor to raise the valuation of your startup.

Wi-Fi man-in-the-middle attacks go mainstream on HBO

Season 4, episode 9, “Hooli-con” aired a few weeks ago and featured Wi-Fi man-in-the-middle attacks using Wi-Fi Pineapples.  Pied Piper needed a way to trick trade show attendees into downloading their mobile app on their phones when connecting to the conference Wi-Fi.  They thought through trying to hack “the app store” and scratched that off the list due to way too much effort and legal risk.  So what do they do?  Exactly what WatchGuard’s Secure Wi-Fi message has been telling us: use Wi-Fi pineapples placed around the trade show to mimic the real “trade show” SSID and trick people’s phones into connecting to them.  Once connected, the Wi-Fi pineapples display an evil portal splash page that looks just like the real trade show pop-up, but has a button requiring people to download the “trade show app” to access the Wi-Fi.  The app is actually Pied Piper’s app and the trade show attendees are completely unaware they just got Wi-Fi hacked!

Hollywood or Reality?

It’s real: Wi-Fi Pineapples are affordable to anyone online starting at $99.  They give you the ability to setup an access point in between the real AP and the victim “in the middle” and get innocent victims connected.  Once connected the attacker can see all traffic of the victim, steal usernames, passwords, credit card numbers in plain text and in the case of Silicon Valley, trick victims into installing nefarious apps.

But Websites are Encrypted with HTTPS Right?

Once the attacker has a victim connected, then can even bypass HTTPS encryption on web pages using techniques known as SSL Strip and SSL Split.  HSTS (HTTP Strict Transport Security) is an HTTP Header that tells browser that it should only be allowed to connect with HTTPS.  HSTS only takes affect after the user has visited a website at least once.  This means that if the victim has never visited the site before their browser would not enforce HSTS and the website could be displayed in plain text HTTP including all input form text boxes for usernames, passwords, credit cards, etc.  SSL strip simply tricks the browser into thinking it’s always the first time a user has visited any website and renders all web pages in plain text HTTP.

The Wi-Fi man-in-the-middle attacks didn’t go exactly according to plan when the trade show Tactical Review Team (TRT) suspected Wi-Fi Pineapples at play and did a full sweep of the floor with high powered antennas designed to pinpoint the pineapples.  The pineapples were indeed located and plucked out one by one.  The TRT people are doing the job of Wireless Intrusion Detection (WIDS) with their eyes, high powered antennas, expensive RF equipment, and batteries in their backpacks.  WatchGuard’s access points managed by the Wi-Fi Cloud do the detection job of these TRT people in seconds, 24/7/365 and don’t require food, water, bathroom breaks, or a salary.  Instead of physically pulling the Wi-Fi pineapples out like dead rodents as they did in the show, our patented Wireless Intrusion Prevention System (WIPS) technology in our APs neutralizes the pineapples automatically.


Wi-Fi man-in-the-middle attacks are alive and well today and affect consumers of Wi-Fi service around the world.  Make sure to think about the legitimacy of what information splash pages are asking of you and ask if WIPS is being used in the Wi-Fi network you’re connecting to.