The Show’s Massive MiTM Attack Could Work – But These Security Measures Can Keep You Safe
Minor Spoilers for Silicon Valley Season 4 Episode 9, “Hooli-Con.”
This week’s Silicon Valley episode saw the Pied Piper crew in yet another jam. They need to get a few hundred thousand downloads of their app to make their peer-to-peer network work and keep their company in business.
Richard and the crew launch a plan to use Hooli-Con, the show’s parody of a major industry event like WWDC, as a way to get “forced adoption” of their app.
To do this they would set up rogue Wi-Fi networks at the convention and distribute a fake version of the official convention app that also secretly includes Pied Piper’s code, giving them the downloads they need.
Characters Gilfoyle and Dinesh explain the scheme: “We position ourselves between everyone’s devices and the real Wi-Fi,” with Wi-Fi Pineapples and then “show them a fake landing page and force everyone to download a fake version of the Hooli-Con app.”
While I won’t comment on how Pied Piper’s plan turned out, you may be wondering if such a scheme is really possible.
The short answer is yes, but it comes with a lot of qualifiers, and if a website is using the best security measures out there it can actually make these types of attacks impossible (skip to the last section if you want to learn about that).
Here is how it would work:
The Silicon Valley Wi-Fi Pineapple Scheme
First off, Wi-Fi Pineapples are real and affordable. For only $200 they give you both the router hardware and network software needed to spoof a wireless network.
This allows you to set up a wireless network that you can control and use for this malicious plan. The next step is to get innocent users to connect to your Pineapple’s network and then begin manipulating their traffic with a “man-in-the-middle” attack (MiTM).
In a MiTM attack the Pineapple you control is positioned between (“in the middle of”) the server and the user’s device. The two parties believe they are talking to each other, but in reality all communication is happening through the attacker (in this case, the Pied Piper crew) who can modify or delete any data being sent or received.
How easy it will be to successfully execute the man-in-the-middle attack depends on two factors: how security savvy the targeted users are, and the security features of the website you want to be “in the middle of.”
In a best-case scenario, with un-savvy users and a weak website configuration, you can fairly easily execute the MiTM attack and have full control over all data being sent between the user and the website they are visiting.
It can be as simple as redirecting DNS to an address you control (while not technically a MiTM, this could be enough to execute Pied Piper’s plan). Or you could use sslstrip, software that automatically prevents users from connecting over HTTPS. This keeps them on the unsecured HTTP protocol, where all data is in plain text and unauthenticated and therefore trivially easy to manipulate. However, things can quickly get complicated if your victims notice that the padlock icon in their browser is missing.
The plan in Silicon Valley involved a “fake landing page” which is another clever option. When you log on to free Wi-Fi it’s common to have to sign in and accept terms and conditions through a landing page – also known as a captive portal. This could be a look-alike domain like “hooli-con-2017.com” which seems like a realistic domain for the event but is actually owned by the attackers (some captive portals are on local IPs which would be even easier to execute).
But there is a modern security option that could make a MiTM attack impossible…
Make MiTM Attacks Impossible
You can make your site impervious to man-in-the-middle attacks with a technology known as HSTS, even when up against a formidable foe like a Wi-Fi Pineapple.
HSTS (HTTP Strict Transport Security) is an HTTP response header that tells a client (i.e. a browser) that it may only connect to the site over HTTPS with a valid certificate.
HSTS prevents you from downgrading a connection to HTTP. It also means you can’t serve your own version of the site, because you wouldn’t be able to produce a valid TLS certificate for the domain. All major browsers – including Chrome, Firefox, and Edge – support HSTS and in this case show a certificate error that cannot be clicked through.
As always when we are talking about secure connections, there is some complexity. Because the HSTS policy is delivered in an HTTP header, the user must have made at least one successful connection to the real site before connecting to the hostile network.
This means if the user has never visited the site before they would not have the HSTS settings and would be vulnerable to a MiTM attack. However, there is something known as HSTS Preloading that allows a website’s HSTS settings to be shipped with a browser. The Preload list is put together by Google. It includes around 25,000 sites and is shipped with Chrome, Firefox, Edge, IE 11, Safari, and Opera.
This removes the need to have made a successful connection to the site, and with HSTS Preloading a site becomes truly impossible to MiTM.
So if we tried a man-in-the-middle attack on Twitter.com, a site which does use HSTS Preloading, we would totally fail. We couldn’t downgrade Twitter’s connection. We couldn’t redirect people elsewhere. We couldn’t serve a different website.
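To make the browser-side behaviour concrete, here is an added example (not from the article, and not any real browser's code) of a toy HSTS cache in Python: it parses a Strict-Transport-Security header, remembers the policy until its max-age expires, honours a constructed stand-in for the preload list, and upgrades any later http:// URL to https:// so that a spoofed page is never loaded. It also checks the minimum requirements for preload-list submission (one-year max-age, includeSubDomains, preload); the host names and the preload entries are assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the browser's shipped preload list: host -> includeSubDomains
PRELOAD = {"twitter.com": True}

def parse_hsts(header):
    """Return (max_age, include_subdomains, preload), or None if the header is invalid."""
    max_age, subs, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip('" ')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, subs, preload)  # max-age is mandatory

def preload_eligible(header):
    """Preload-list submission requirements: max-age >= 1 year, includeSubDomains, preload."""
    p = parse_hsts(header)
    return p is not None and p[0] >= 31536000 and p[1] and p[2]

class HstsStore:
    def __init__(self, now):  # `now` is a clock function, injected so tests can age entries
        self.now, self.entries = now, {}  # host -> (expiry, include_subdomains)
    def observe(self, host, header):
        """Record a header seen on a successful HTTPS response from host."""
        p = parse_hsts(header)
        if p is not None and p[0] == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 withdraws the policy
        elif p is not None:
            self.entries[host.lower()] = (self.now() + p[0], p[1])
    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            cand, exact = ".".join(labels[i:]), i == 0
            if cand in PRELOAD and (exact or PRELOAD[cand]):
                return True
            entry = self.entries.get(cand)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False
    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts; a spoofed http page is never fetched."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return "https://" + url[len("http://"):]
        return url
```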
Despite the benefits of HSTS, less than 5% of the Alexa Top Million use the feature. A much smaller 0.3% are preloaded. However, it is relatively new and adoption of the feature is growing fast. As HTTPS deployments mature we expect to see HSTS use rise significantly.
Most major sites and services, like Gmail, Twitter, Facebook, and PayPal, have modern HTTPS configurations including HSTS, which would make Silicon Valley’s plan infeasible against most notable targets. But just 5 years ago this would have been a significantly more dangerous threat.
I am mainly focused on the MiTM attack here. That’s because Silicon Valley’s entire plan – which requires successfully executing a MiTM attack and then distributing an app to cell phones – would most likely be impossible due to the additional security measures you would need to defeat in the phone’s OS.
Modern mobile OSes like Android and iOS make it very difficult (mostly impossible on iOS) to get users to install apps from outside the official app store. This is an entirely separate set of mechanisms – including code signing, key pinning, and packaged binaries – that you would need to defeat even if you could get your MiTM attack to work.
It’s also worth mentioning that such a scheme is incredibly illegal – so even if you could pull it off – you probably shouldn’t. Unless you also liked the HBO show Oz.