Hidden device distorts news on wireless networks, brews beer, is time machine

We covered the Newstweek, a wall-wart sized box that injects fake news stories over public WiFi connections last February, but now there’s a great walk through and it seems our doubts about this project were disproved.

The Newstweek uses ARP spoofing to change the text displayed on several news sites. After doing some field research, placing and configuring the device, there’s a simple web frontend that configures the man-in-the-middle hack. Right now, the Newstweek only allows a few news sites to be targeted, but the team is working on allowing anyone to add their own targets.

Aside from the relatively simple build, we’re wondering about the social engineering aspects of the Newstweek. In our previous coverage of the Newstweek, we couldn’t decide if this was a social commentary art project, or a real device. It looks like it’s both now. Would hackaday readers succumb to injecting, “President Bacon addressed the nation last night…” or would you do the responsible thing and put the “(D)s” and “(R)s” in their proper places?

The Newstweek team posted a video of a short demonstration, but check out the video after the break for the “incredibly geeky and thorough demo.”

Comments

  1. localroger says:

    This is a bit more black hat than what I’m accustomed to seeing on HaD.

  2. ferdie says:

    wtf thats creapy
    now we can not trust the news from the bbc site
    what is next

    this is more mind fucking and make pepole angry than hacking

  3. turn.self.off says:

    This on top existing issues with MITM on public wifi…

  4. ean bool says:

    oh well.. the news wasn’t to be trusted anyway… now at least we -know- it’s being tampered with :)

  5. jordan says:

    This is easily the best thing i have ever seen

  6. UltimateJim says:

    Where the beer?

  7. Paul says:

    fascinating idea with ironically very news-worthy consequences

  8. drake says:

    Or instead of news add in some pay per view ads
    2) ???
    3) Profit?

  9. Richard says:

    Bring on the lulz…
    That has to potential to be wonderfully disruptive, especially if the feed that’s being ‘got at’ is the one a journalist is reading so they did the hard work for you with a little comedy of your choosing…

  10. D_ says:

    LOL; as I was watching one of the videos I was thinking to myself it needs an AC power pass through, as not to hog a recp & getting unplugged. About that time someone plugged a carpet sweeper into one. That was before I found the parts list.

    Certainly hacking, and on several levels what to call it beyond that I don’t know.

    Also potentially disruptive, but will take a lot of long term dedication on the part of those creating similar networks to keep the faux news current with current issues. I have to admit I’m not entirely sure how the newstweek network functions. Not to mention keeping the hardware on locations as knowledge of this gets out. This is being described as an “art” project maybe they don’t intend any long term maintenance by the creators. The user of free hotspots who don’t do so know will of the learn to pay attention to the SSDI of the wifi connection they are using. That alone will have the appliance users calling for the heads of the spoofers.

  11. David says:

    You mean we could configure it to tell the truth!?

    That would be an amazing thing for many people to get a fresh injection of reality.

  12. octel says:

    @D_
    This device intercepts traffic and modifies keywords/sentences, relaying modified data seamlessly back to the client that originally requested the page.

    There is no maintenance or creation of fake news is required!

  13. Andy says:

    Anyone else notice that the london operative still had a European plug?

  14. Shadyman says:

    @octel:
    So what you’re saying is that it could be used to insert profanities into text where it would be fairly unexpected?

  15. MrBishop says:

    Now we just need to cook up a George Orwell’s styled web page, perhaps with a “live” video or audio stream. I think we all know how well it worked last time someone tried it. MAHAHAHAHAHAW

  16. TheCreator says:

    @ shadyman

    That is correct, i have several ettercap filters that i wrote that does exactly that. It can intercept on any TCP /UDP connection. Meaning it can be used on more than just http requests. Mine was set to work with AIM. Once the user sent out a packet it was manipulated so the receiver saw a totally different message. Same thing happened on incoming messages.

  17. lwatcdr says:

    Yea just think how bad this could be. How about “Small Pox threat at JFK” Or Terrorists use Nuclear Weapon to destroy LA.
    Please this think could be a disaster in a plug.

  18. DanJ says:

    @lwatchdr, not only in a plug but in a virtual machine in a laptop as well — in any public space. Brings the idea of crowdsourcing to a whole new level.

  19. Hirudinea says:

    Think what this could do to the Great Firewall of China, spreading the truth one coffee shop (tea shop?) at a time.

  20. dbear says:

    Have the Panther Moderns heard of this?

  21. HellWarrior says:

    I have set up something similar a while back with a original la fonera. Used it for packet injection and image spoofing.

  22. haexn says:

    This could be the future of news… everyone knows the news is bull already, better to have absurdly-fake news than fake-believable news.

  23. nosiam says:

    If the BBC’s news was tweaked and altered, I still wouldn’t believe it; its the same bullshit.

    Interesting hack through.

  24. Kim says:

    Skynet will begin when these start injecting news stories about themselves…

    Wicked idea though, as with most things there are some ethically questionable uses for it though – as well as incredibly good ones.

  25. highjumpman says:

    I wonder what happens if someone plugs that thing in at the stock exchange…

  26. KoPla says:

    even if it’s “black” … it’s nice to see it here… the most you know the better… maybe this info become “white” for someone

  27. xorpunk says:

    SSL or a newer router kills this..

  28. Nick says:

    @xorpunk, how does a newer router kill this? Do you just mean better wifi security kills it?

  29. Pete says:

    Here are a couple of options on how to defeat this thing (ordered easiest to hardest, least effective most effective):

    1: You can use HTTPS whenever possible. Some sites (like Google Reader) will work through HTTPS. Since the SSL/TLS mechanism used by HTTPS provides end-to-end encryption and integrity checks, it would be impossible for this thing to work without a spoofed SSL cert. Just be careful not to accept any new certs when visiting the sites and make sure to check to make sure you’re on an HTTPS-based webpage before accepting any news you get form it.

    2: Tunnel your browser connection through an SSH-based SOCKS proxy. There are plenty of instructions on the web on how to do this. Basically, you set up an SSH tunnel to a remote machine and then pipe all your web traffic through it. This won’t help if the remote machine is being victimized, but if that machine is on a wired connection at your house, then it’s far less likely to be attacked in this way. This will even protect you when using sites that don’t offer HTTPS.

    3: Use a VPN. A VPN works like #2 but will help to make sure all traffic (even non-HTTP) traffic gets encrypted and validated. So this is the best option if it’s available to you.

    All of these methods also protect against FireSheep and other forms of attack based on the complete lack security around HTTP.

  30. TheCreator says:

    @ pete

    you can strip the SSL encryption request on the outgoing packet. This will send all information in plain text.

    Same thing with the SSH connection. Since the MITM attack can manipulate any protocol it is possible to strip the request for encryption causing the incoming packet to be in plain text. They also have SSL Strip, which will do the same thing without a filter.

    If you want to really secure this you can configure the router to reject duplicate IP’s. This is how the MITM attacks are performed by having the host (the box plugged into the wall) act like the router and manipulate the information that is passed through it.

  31. mithodin says:

    You know what would be hilarious? Altering images with some face recognition system to give everyone in any picture a funny moustache.

  32. TheReality says:

    This is nothing new. I worked for a company which provided IT services for various government agencies like the AF and DOD and 10 years ago someone came in and demonstrated a product like this. The device was designed to be installed at the ISP level, but could be used at individual locations of a company/agency and then any data could be changed on any website or email.

    If you think you can trust information on the web, you are sadly mistaken. The government has complete control.

  33. efnord says:

    That router needs 5W to run; 1.5A of 3.3V. Why make this plug in? Seems to me it’d be trivial to build into a thick Frisbee-style disc with a solar panel on top. Network penetration by tossing a toy on a roof.

  34. wabbit_ says:

    ..can someone explain more,about how to more than the site??

  35. VogVoo says:

    Whoa! A time machine? do want!

    http://www.privacy-web.no.tc

  36. Polymath says:

    Two questions
    1: Does anyone remember what happened when War of the Worlds was broadcast for the first time over the radio?

    2: Where’s the beer?

  37. Hitek146 says:

    ^@Polymath
    1)Yea, that was some funny shit… :)

    2)In my hand!

  38. TheCapt says:

    Now, inject photos of the people in the cafe that you plug this in at.. and watch the fireworks as they are listed as “Wanted” or “Suspect”, better if they see themselves.

  39. Pete says:

    @TheCreator

    I hadn’t heard of the method of stripping the HTTPS from the request. I’m really not sure how that would work. If the browser is expecting the request to be HTTPS, it will initiate a connection to port 443 to send the request and initiate the SSL connection before it even sends the header. So that would probably prevent such an attack from working because the request headers are never sent in the clear over the network.

    That sort of attack MAY work if you’re on an HTTP page and expecting a link to take you to an HTTPS page (such as with many sites that have logins on their HTTP pages that are supposed to post to their HTTPS sites). Of course, if you explicitly type the address (e.g. “https://reader.google.com”) into your browser (as I recommend), that sort of attack wouldn’t work.

    Any sort of MITM attack with SSH or HTTPS would have to attack those protocols and/or the implementation of those protocols in order to succeed. So it would take an entirely different (and FAR more sophisticated) kind of attack for that to actually work.

    So I still feel pretty confident that all three of my methods would be effective to varying degrees. The VPN and SSH-tunneling methods should be nearly fool-proof against this sort of attack (assuming users don’t accept fraudulent SSL certs or host identifiers).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 93,810 other followers