Surreptitious crypto-mining using unsuspecting victims’ computers has become a rapidly proliferating phenomenon – and now it has collided with coffee shop Wi-Fi hijacking.
A software developer known as Arnau Code has developed a proof-of-concept for a man-in-the-middle (MiTM) attack, for use in coffee shops and other places where legions of students and teleworkers take advantage of free Wi-Fi. It shows how the bad guys can gain access not just to one victim’s CPU resources to mine for virtual currency but to all of the compute power connected to that particular Wi-Fi network, all at once.
“Some weeks ago I read about this Starbucks case where hackers hijacked laptops on the WiFi network to use the devices computing power to mine cryptocurrency, and I thought it might be interesting perform the attack in a different way,” the developer explained in a blog, with the disclaimer that his research is “strictly for academic purposes.”
He added, “The goal of this article, is to explain how can be done the attack of MITM...to inject some javascript in the html pages, to force all the devices connected to a WiFi network to be mining a cryptocurrency for the attacker.”
Appropriately named CoffeeMiner, the script allows for an autonomous attack on the Wi-Fi network to do just that. It’s the result of a multistep – but not challenging, according to Code – process.
First, CoffeeMiner intercepts the traffic flowing back and forth between the users and the router by setting up a virtual gateway. Then, using the “mitmproxy” software tool, CoffeeMiner injects a line of JavaScript code into the HTML pages that coffee shop denizens are visiting. The code in turn connects to a simple HTTP server running on an attacker machine, which then serves up the Coinhive crypto-miner to victims. Coinhive, which allows visited websites to mine for the Monero cryptocurrency, has gained notoriety, thanks to cybercriminals abusing it.
“CoinHive miner makes sense when user stays in a website for mid- [to] long term sessions,” the developer said. “So, for example, for a website where the users average session is around 40 seconds, it doesn’t make much sense. In our case, as we will inject the crypto miner into each one of the HTML pages that victims request, [so we] will have long term sessions to calculate hashes to mine Monero.”
Once created as a fully formed weapon, CoffeeMiner runs autonomously, as a sort of set-it-and-forget-it moneymaker.
Code also offered helpful suggestions for maximizing CoffeeMiner’s potential, including using a powerful Wi-Fi antenna, “to reach better all the physical zone,” and adding a piece of code, “sslstrip,” to make sure the injection will also work with websites that the user can request over HTTPS.
As far as protecting oneself against such an attack, which has the potential to slow victim machines down so far as to be virtually unusable, Scott Petry, CEO and co-founder of Authentic8, compared it to taking basic flu-season precautions.
“We don't even touch public doorknobs without a paper towel or a squirt of Purell,” he said via email. “Why on Earth would anyone freely connect to a public Wi-Fi network? There's no surprise in this story – it’s how the internet works. The surprise is that people are still exposing themselves to these exploits. Someday soon we'll look back in shock on how careless we were on the internet.”