2

I watched a documentary where hackers entered a victim's house by pretending to be from the ISP and then connected a box to a router in order to spy on all of the victim's traffic. Later, the hackers retrieved many passwords, e.g., iCloud and Gmail passwords. What is that box called?

I was surprised that it was so easy to do as all traffic was normally encrypted. How did they do that?

Rodrigo de Azevedo
  • 244
  • 2
  • 13
Noodler
  • 23
  • 2
  • 1
    You might mean this: https://shop.hak5.org/products/wifi-pineapple – schroeder Aug 30 '22 at 22:25
  • *" I saw a documentary ... How did they do that?"* - please be more specific what you saw, ideally so that others can actually have a look themselves. Note that media tend to "simplify" things if it helps to get more attention. – Steffen Ullrich Aug 30 '22 at 22:41
  • @SteffenUllrich That is exactly what I saw. The documentary was first available on the internet but they removed it from the internet six months ago for some reason. – Noodler Aug 31 '22 at 00:05
  • @Noodler Is that documentary on IMDb? – Rodrigo de Azevedo Sep 01 '22 at 10:16
  • @RodrigodeAzevedo It was a flemish documentary with Axel Daeseleire. It was interesting though. – Noodler Sep 02 '22 at 20:13
  • 1
    @RodrigodeAzevedo It's this but the video is not available [link](https://www.goplay.be/video/trafiek-axel/hacker-confronteert-axel-daeseleire-met-gestolen-data-fuck-man-wat-is-dat) – Noodler Sep 03 '22 at 21:12

2 Answers2

3

Unfortunately is not clear what exactly was shown there, we have only your description of it. This description might lack important details they have shown or they might have omitted these details in order to "simplify" it and/or make it sound more dangerous in order to increase attention and clicks. So we can only speculate what might have happened here due to a lack of details, which is not a good base for an answer. But lets speculate ...

What you describe was maybe an active MITM attack against HTTPS connection to "break" encryption combined with traffic analysis to extract passwords from the traffic. No special magic box is needed to do this, freely available software is sufficient. But there are things like WiFi Pinapple which come preconfigured to make such attacks simpler.

An active MITM attack can be used to "break" encryption and sniff passwords. It does this by intercepting and modifying the traffic. Instead of creating the intended direct end-to-end encrypted encryption between client and server, which is authenticated by the servers certificate, it will create a HTTPS connection between server and attacker and another one between attacker and client. This will allow the man in the middle attacker to get access to the plain traffic.

But the HTTPS connection between attacker and client cannot be authenticated using the original certificate of the server, since the attacker does not have the servers private key. The attacker thus needs to create a new certificate for this. This means that such an attack is not a silent when certificates are properly checked (which they usually are today): when accessing the site with the browser the victim will get a warning that someone is fiddling with the connection and has explicitly to skip this warning. Skipping is often not even possible due to HSTS.

That is at least the case unless somebody has specifically prepared the victim system in order to accept the attacker certificates instead of the real certificate from the server - but this would require access to the victims systems before doing the attack. Or the victims system came with broken certificates preinstalled like in case of the Superfish CA certificate on Lenove Laptops.

For more in this see Does https prevent man in the middle attacks by proxy server? and Did HTTPS and HSTS kill MITM?.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
-3

The box was used to perform a man-in-the-middle attack. It was grabbing information and passing it on, including the encryption keys for the https traffic. Once it had the keys it could sniff all the traffic and keep the useful bits for later.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Gregory Morton
  • 95
  • 1
  • But you can only sniff the public key right? The public key is worthless. You need the private key to decrypt the traffic and the private key is never sent on the network. How did they still managed to retrieve the passwords? – Noodler Aug 30 '22 at 23:41
  • When you create a https tunnel there is a public key that goes out, but then a key comes back, then the tunnel key gets created. See here: https://howhttps.works/the-handshake/ Soo I create a key with you AND I create another key with, your target. I grab the packets from you, unwrap them, keep a copy, and re-wrap and send on their way. – Gregory Morton Aug 30 '22 at 23:45
  • You are right but that's where the certificate comes in right? You can't impersonate the server as the checksum will change and the client will see that something suspicious is happening. – Noodler Aug 31 '22 at 00:01
  • I don't have to impersonate anything after the initial handshake. Once I have the symmetric key I can pass the certificate directly to you without modifying it. Me in the middle passing things back and forth is working like a router. – Gregory Morton Aug 31 '22 at 00:16
  • 4
    @GregoryMorton: *"Once I have the symmetric key I can pass the certificate directly to you without modifying it. "* - you cannot simply grab the symmetric key from the connection and pass the certificate through - it is not visible for the attacker. You need to use an active MITM attack with separate TLS connections between server and attacker and attacker and client - and a new certificate between for the latter one. You cannot simply use the servers certificate since you don't have the private key for it. – Steffen Ullrich Aug 31 '22 at 04:55
  • 1
    The OP appears to be asking for "the box" not the "technique". So, I'm not sure this answers the question. And you have some misconceptions about TLS interception. – schroeder Aug 31 '22 at 07:26