back to article How to hack Wi-Fi for fun and imprisonment with crypto-mining inject

Thanks to the ridiculous valuation of Bitcoin and other cryptocurrencies, cryptomining code has become a common mechanism for converting authorized and stolen computing cycles into potential cash. Antivirus and ad-blocker makers have responded by trying to halt crafty coin-crafting code from hijacking CPU time, particularly in …

  1. Mark 85

    Reseachers.. white hat or black hat?

    I'm torn on this habit of researchers posting their work (many with code). Yes, it needs to be available in case the exploit is used but publishing the exploit practically guarantees it ending up in the wild. The Nigerian Princes were so much easier to ignore.

    1. DNTP

      Re: Reseachers.. white hat or black hat?

      If an exploit is simple enough to understand by studying the released code, than it might able to be reverse-engineered just from publishing the concept and vulnerability without the code.

      Also since the vast majority of black-hats are basically just script kiddies, if they copy published code they are using a known attack vector which might help the security experts anticipate it rather than have to respond to something a bit more novel.

    2. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        'if just one crim had this and was using it in relative isolation'

        Maybe there needs to be a fund, like an insurance pool, but for the tech industry... Where ethical hackers can still claim income / reward, but vulnerabilities are not automatically disclosed publicly.

  2. Palpy

    Mmmm, JavaScript.

    JavaScript. So convenient. So available. So ubiquitous. Creamy and smooth, with crunchy bits hidden in the syntax.

    Just turn it off.

    For those who find the new WebEx version of the NoScript add-on problematic, try an add-on to toggle it on and off with a single click.

    Research notes that public toilet seats are actually not primary vectors for disease. Public wifi is a different matter. MitM attacks are well-established. In this case, you can catch a nasty from a public installation.

    So publication of this particular hack seems a good thing. It should lift consciousness about the risks. (Once again...) Perhaps a few more people will take note.

    1. JohnG

      Re: Mmmm, JavaScript.

      All true - but the snag is, a number of public WiFi services require the use of Javascript for their "collect your details for marketing" page that has to be completed, in order to get connected.

      1. Mage Silver badge

        Re: public WiFi services

        I don't use those now.

        Even apart from javascript they are a problem unless you only use a VPN. The library wifi service here is unusable by eReaders at all and unusable for laptops / tablets / phones due to security / privacy issues. You have to log in with a library password AND your unique library ID. Sorry but I don't want anyone tracking my research or casual browsing.

        I certainly have not used cafe / hotel wifi for about 14 years without using a VPN. Esp. for email.

        1. veti Silver badge

          Re: public WiFi services

          I've been using Noscript for some months now, and it's rendered (sorry) my browser almost useless.

          Granted, it stops a lot of annoying stuff. But it makes quite a few web pages - fail to show me anything interesting. I can, of course, enable the scripts - but there's, like, 30 of them, from ten different domains - am I going to tick each one in turn to see which ones are or aren't necessary? Am I hell.

          No, instead I'll open a separate session in Chrome for that page.

          I'm sorry, you may be happy living with a Javascript-less browser and good for you. But it doesn't work for me.

          1. tiggity Silver badge

            Re: public WiFi services

            @ veti

            If there's huge numbers of different domains of js referenced on a page you are trying to use (& NoScript is blocking them) - maybe that's a hint that you should find an alternative to that web site..

            If I see a page with blocks on huge numbers of domains & scripts, and it will not work with most dross still disabled (e.g. by looking at script blocks I can decide if I will risk any of them / need them e.g. some sloppily written sites might need you to enable sagepay (or similar payment service) to complete purchase of an item ) then I find an alternative site

            Blocking lots (but not always all) of js is mainly done to reduce my chance of virus / Trojan (side benefit of saving bandwidth and making performance, rendering acceptably quick) - note reduce not stop. Its a bit like condom use, pretend your PC is a male, it will not stop all infections, but will reduce infection chances compared to not using a condom

            If you prefer convenience over security I advise you have good AV and take regular backups in case a nasty gets through

    2. Mage Silver badge

      Re: Mmmm, JavaScript.

      uMatrix seems nicer than Noscript?

    3. Hans 1
      Facepalm

      Re: Mmmm, JavaScript.

      Public wifi is a different matter. MitM attacks are well-established.

      Yes, that is why you get a "data plan", public Wifi should NEVER BE USED, f00ls! You use it, you lose!

  3. Anonymous Coward
    Anonymous Coward

    Coffee miner

    Love it. Strip out the context, and ... where do I apply?

    1. Anonymous Coward
      Anonymous Coward

      Re: Love it. Strip out the context, and ...

      Wait, that's given me an idea! Can broke academic researchers use this concept to crowdtheft photonic bandstructure calculations? :-D

  4. Paul Crawford Silver badge

    VPN use

    Yet another good reason to use a good VPN on any unknown/untrusted WiFi connection.

    And yes, VPNs are not perfect security and also using public wifi is not good practice either, but sometimes it is just the only useful/practical way to get a reliable connection when you 3G, etc, connection sucks (or is charging usurious fees in certain countries abroad).

    What is shitty is some places like Bonn airport where the "free wifi" blocks VPN use.

    1. Anonymous Coward
      Anonymous Coward

      'Bonn airport'

      Sorry to say they slurp that data and sell it, that's why basically. In the game of privacy versus their profiteering etc. We lose!!!

    2. Anonymous Coward
      Anonymous Coward

      Re: VPN use

      et another good reason to use a good VPN on any unknown/untrusted WiFi connection.

      A good idea. But could you suggest which stores/coffee shops/airports I could visit in the UK that don't block VPN traffic? Because it's been a long time since I last came across one.

      1. herman

        Re: VPN use

        Well, they must have port 25, 53, 80 and 443 open, so just run your own VPN or Socks Proxy on one of these unblockable ports.

      2. Paul Crawford Silver badge

        Re: @ Credas

        Any of the small coffee shops I visit have no problems, neither do most smaller hotels, etc. Also have not had problems at Edinburgh airport (don't remember details, maybe some over-priced eating places wifi instead of the airport's one).

        Also as another commentard has pointed out you can run VPNs over port 443 like https to avoid problems (as I do). I suspect in many cases they are not specifically trying to stop VPNs (except Bonn, where it blocked VPN on port 443 but allowed https to the VPN's web site) but file sharing, etc, so they probable block most ports except the few common DNS/web/email ones.

        1. DainB Bronze badge

          Re: @ Credas

          Softether

      3. JohnG

        Re: VPN use

        I typically connect my VPN using port 443 to avoid this issue. I have found that some services block name resolution of popular VPN services but this can be mitigated by using IP addresses in the VPN client.

    3. Mage Silver badge

      Re: VPN use

      The local uni blocked VPN, so we set up our router to map port 80 to our VPN server. Then VPN worked as the Uni was only blocking ports and not doing inspection.

  5. Anonymous Coward
    Anonymous Coward

    Easy to mitigate, just order a coffee and give your name as "leet haxxor" or "crypto miner", if anyone collects it don't use the WiFi.

  6. Adrian 4

    mining efficiency

    We're constantly told that the only effective bitcoin mining now is done with asics. CPUs are completely useless at it. Admittedly this is largely an efficiency argument : a matter of the power used to mine being worth the bitcoins.

    But can a bit of javascript really mine anything worth having ? AIUI, it would take years to produce anything measurable.

    1. herman

      Re: mining efficiency

      Sure, but if you get 100 million other people mining bitcoin on your behalf...

    2. handleoclast

      Re: mining efficiency

      We're constantly told that the only effective bitcoin mining now is done with asics.

      Some cryptocurrencies are designed to work best on ordinary CPUs and to not benefit from ASICs and/or GPUs. Monero, for one. Which is the one that most frequently crops up in those JavaScript exploits. Strange coincidence, that.

    3. John Smith 19 Gold badge
      Coat

      "a matter of the power used to mine being worth the bitcoins."

      That's what this is for.

      So someone else (many "someone else's" in fact) pay the power bill.

      It's big time 'leccy scrounging.

    4. d3vy

      Re: mining efficiency

      It's scale that does it.

      Conhive is basically a mining pools where all participants recieved a share of the block reward based on their contribution in hashes per second.

      Having your own pc mining on your own your probably hitting .2kh/s at best which means the odds of you getting the block reward on your own rounds to 0. As part of a mining pool that .2kh/s might translate to a few pennies a day.

      Now, if you can get thousands of machines all mining at .1kh/s all using your coin hive ID your share of the reward is much bigger!

    5. Black Rat

      Re: can a bit of javascript really mine anything worth having ?

      Yes & No ;)

      If done correctly this attack becomes a little more persistent continuing to run after you have left the area of the rogue access point. Plus the attacker could grab some if not all of your login credentials (Gmail, Amazon, PayPal, XHamster etc) and if really lucky an active session token for your banking.

  7. thegroucho
    Go

    How about we try another way

    Just do IPv6 RA and everybody on the WiFi will think you are the gateway ...

    Then you can do almost anything you want.

  8. Version 1.0 Silver badge
    Angel

    Don't blink

    This is simple, there's a energy differential here and free food (cpu cycles) for the taking - this is just the positive side of Darwinism in action, evolving to feed ... look on the bright side, it's not like the coffee shops have Weeping Angels serving the coffee.

  9. Omgwtfbbqtime
    Pint

    Alternatively -

    You could offer "free" wifi with the cryptomining levy openly disclosed as the cost of using the wifi.

    Say only 10% of cpu cycles.

    It wont pay for the wifi in itself but might generate a bit of extra profit - if held for long enough.

    1. Phil Endecott

      Re: Alternatively -

      > You could offer "free" wifi with the cryptomining levy openly

      > disclosed as the cost of using the wifi.

      For some fraction of those customers, you're also paying for their electricity...

      According to this: http://www.wired.co.uk/article/how-much-energy-does-bitcoin-mining-really-use

      Bitcoin mining might cost of the order of 50kWhr per $ mined. But that might include custom hardware, and certainly has vast margins of error. Anyone have better numbers? Is Monero significantly different?

      1. Mage Silver badge

        Re: might cost of the order of 50kWhr

        Coin meters on the power sockets. Or people run on batteries.

        Actually surprised people not doing this.

        "Free" USB charge outlets can use HID to install fun stuff. I only use my own charger. A custom USB charger cable with switch to set resistors on D+ and D- lines to set current and only + & - to host end plug seems a gap in the market. Also solve the issue of gadgets only charging at 0.1A on a 2A 3rd party charger that doesn't provide the expected resistors on data lines.

      2. veti Silver badge

        Re: Alternatively -

        Monero will be significantly different, for at least two reasons: it's designed to be mined with general purpose chips (not ASICs), and it's a newer currency, with a lot less effort put into mining it so far, so *if* it scales anything like bitcoin (I don't know if it does or not) - then the blocks will be quite a lot easier to mine at this stage.

        I'm curious as to why Monero seems to be the currency of choice for hackers currently. What drives these fashions? Is it just because the hacking tools have been published for Monero, and now every script kiddie is using them - and if the same tools were developed for Dogecoin (or whatever) then they'd adopt that as quickly? Or is there some more fundamental dynamic at work?

  10. Anonymous South African Coward Bronze badge

    2018 is going to be a lot more interesting than previously thought.

  11. Notwork

    Hmmmm, might be time to update the corporate screen saver :-)

    1. Anonymous Coward
      Anonymous Coward

      you jest... but at our school we are contemplating just this! running a script to mine monero when a Desktop PC is idle, monero is easy to mine with spare CPU cycles and while not making us millions, we should be (after taking energy into account) making (at current market rate) enough monero to cover a fair chunk of our current refresh cycle of staff laptops...

  12. Anonymous Coward
    Anonymous Coward

    The single biggest benefit of a successful expungement is that you can truthfully and legally say you were never arrested, accused or charged with a crime. It is as if the entire incident never happened and restores you to your state in life before you were ever arrested, charged or convicted. When you apply for a job, or if you are already working for an employer, they are not allowed to ask about an expunged conviction. It cannot be used against you in any employment decision either. An expunged conviction will also not show up in most all employer background checks as well. Thanks to whitehacker, he gave me a second chance at life by clearing my records & I recommend him to anyone whose background checks is limiting their potential, simply download ‘wickr me’ from your app store, add him up ‘whitehacker’’

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like