
FBI / Police confiscating the pineapple - Lawyer up and shut your mouth


nmap


SITUATION:

Bob is pentesting with the pineapple. A nosy old lady sees Bob and his pineapple sitting at a Starbucks and calls the police to report "suspicious activity". Police arrive and notice Bob has a bag with wires running into it with flashing lights. They take the bag, which contains the pineapple, back to the station and a forensic investigator examines everything on the pineapple along with the SD card. They find a lot of "suspicious stuff" according to the police. Bob tries to explain to the police that he is pen testing a client that asked him to be discreet, so he sat across the street from the business, which happens to be Starbucks. Police say that he also picked up a lot of traffic from nearby people so they charge him with a bullshit computer law and throw him in jail.

SOLUTION:

As soon as Bob notices two police officers / detectives / FBI / etc... entering Starbucks he simply unplugs the power cable discreetly on the pineapple. If police confiscate the pineapple everything is encrypted (i.e. TrueCrypt, LUKS, etc.) on it and he doesn't have to disclose the password.

Can someone create a script/infusion and call it something like "Fort Knox" or something along those lines that fully encrypts the pineapple and on startup requires a password and/or USB drive with pass key to decrypt everything on startup? If the pineapple is powered off it's the same as a laptop: RAM is wiped and everything is safe.

As it stands right now, if one police officer / detective doesn't understand exactly what the pineapple is doing and wants to charge you with a bullshit computer law you are screwed, since the pineapple stores everything on it in cleartext and nothing is encrypted. If the entire filesystem can be encrypted and require a passphrase/USB key present, that would at least provide some protection against overzealous law enforcement individuals and feds.


One, you're not going to be "pentesting" Starbucks wifi. On an actual pentest you're going to have a written contract from the company you're doing the pentest on, that will state what you can and can't do. No company in their right mind would allow you to spoof a public wifi network they don't own. If they do, it's still not going to cover your ass. Running a pineapple in a Starbucks or any public wifi without the owner's, not the manager, the freaking owner's, written permission is illegal. You'll most likely be brought up on the state's wiretapping laws, and any other computer crimes laws the local DA can justify.


> One, you're not going to be "pentesting" Starbucks wifi. On an actual pentest you're going to have a written contract from the company you're doing the pentest on, that will state what you can and can't do. No company in their right mind would allow you to spoof a public wifi network they don't own. If they do, it's still not going to cover your ass. Running a pineapple in a Starbucks or any public wifi without the owner's, not the manager, the freaking owner's, written permission is illegal. You'll most likely be brought up on the state's wiretapping laws, and any other computer crimes laws the local DA can justify.

^This, glad you saved me the time typing it out ;)


> One, you're not going to be "pentesting" Starbucks wifi. On an actual pentest you're going to have a written contract from the company you're doing the pentest on, that will state what you can and can't do. No company in their right mind would allow you to spoof a public wifi network they don't own. If they do, it's still not going to cover your ass. Running a pineapple in a Starbucks or any public wifi without the owner's, not the manager, the freaking owner's, written permission is illegal. You'll most likely be brought up on the state's wiretapping laws, and any other computer crimes laws the local DA can justify.
>
> ^This, glad you saved me the time typing it out ;)

Exactly.

(And the bullshit "I was just going to be testing in a Starbucks, etc." will not fly either. Know enough to test at home or the office, not in public. If you do need to check your hardware or work in public, be a bit more discreet so you do not scare the locals.)

Edited by Z4ub4d3

The encryption is not a bad idea but the situation is a bit of a stretch. And I'd love to know where that interpretation of legality comes from, barry. I know that if you are on the "Starbucks" network you can run Wireshark and collect information, which is why the Terms Of Service usually has a clause about it being inherently insecure... and while running Wireshark may be a violation of the TOS that you may have agreed to when connecting, I didn't believe that it was illegal. It's what you do with whatever you collect. As soon as you use a username/password that you collected, that's when it became illegal. Same thing with using a Pineapple at the front end of someone else's free network. Or am I completely off here? Of course if you are truly pen testing a place your comments are absolutely correct. I'm just talking about the other situation.


It's still being argued in court cases what is deemed as assumed right of privacy or not. Either way, I highly doubt a legit pen test would happen at a coffee shop. If you were in a corp environment doing a pen test on a company, and happened to get personal information while performing the on-site, it becomes an ethical issue and if abused can turn into legal issues. But attempting a penetration test from a coffee shop next door is an unlikely scenario.


Bob needs to come up with better reasons as to why he is using a wireless router in a public coffee shop. Like he doesn't trust an open network, so he is using his own router as a firewall between his PC and said open network. Or Bob just simply needs to be a bit more discreet, for example by changing the public SSID of his pineapple to whatever he wants it to be, then connecting wirelessly to his own pineapple and accessing the UI that way, and using his second radio in client mode to connect to the free public wifi. Then Bob can leave the pineapple completely hidden in his laptop bag/backpack, with no wires running to his laptop, and no visible flashing multi-colored LEDs. In fact, Bob may want to set up his pineapple in his car prior to entering the coffee shop, so no one ever even sees Bob turning on his pineapple in the shop. Bob may go so far as to even want to park his car as close to the entrance of the coffee shop as possible, and leave the pineapple operating in his car. :)


> The encryption is not a bad idea but the situation is a bit of a stretch. And I'd love to know where that interpretation of legality comes from, barry. I know that if you are on the "Starbucks" network you can run Wireshark and collect information, which is why the Terms Of Service usually has a clause about it being inherently insecure... and while running Wireshark may be a violation of the TOS that you may have agreed to when connecting, I didn't believe that it was illegal. It's what you do with whatever you collect. As soon as you use a username/password that you collected, that's when it became illegal. Same thing with using a Pineapple at the front end of someone else's free network. Or am I completely off here? Of course if you are truly pen testing a place your comments are absolutely correct. I'm just talking about the other situation.

Ask Google's lawyers. They got fined for collecting shit that's just being transmitted in the clear. The pineapple is purpose built to do a man in the middle, which does fall under wiretapping laws. Doesn't matter if it's public wifi.


OK, I want to chime in. Yes, the Starbucks situation is a horrible example. My team have had this argument about MITM in my workplace on legitimate pentests. I personally would prefer the encryption so that if I do collect any sensitive information, i.e. account logins, I am covered so that no one else can access it until I can redact the data properly. We have had many meetings around this and have discussed using encryption to help protect the collected information from being read by anyone not part of the pentest team. I also have stated I would feel better knowing it is encrypted. You accidentally exposing the CEO's password can be a resume generating move. So could you possibly run the SD card encrypted and log to it to make sure any legitimate information you collect is protected? Also, we worry on this point because we are in finance and PCI is always hanging over our heads. To add to this, we as a team have avoided using MITM at this point because we are still trying out how to make sure the information we collect is kept secure.

Edited by korang

barry,

I would think the difference between what Google was doing and what Pineapple users do is obvious. I don't go around hoovering up all the floating bits of data out there like Google was doing, and I'm not convinced they should have been fined for other people's stupidity seeing as how that is what this community kinda thrives on... I think a key point to the argument is that if I set up my pineapple as an Access Point and I put up a splash page about it being inherently insecure, and you agree to those terms, you have no expectation to privacy on someone else's network. I'm not holding a gun to their heads... Now, having said that, the use of Karma to draw them in takes advantage of a well known security flaw. Even that, to me, takes advantage of ignorant consumers and exposes a flaw in the security standards of the wireless router manufacturing realm. Just my opinions here... Not trying to have an armchair quarterback's philosophical debate. I'm not a lawyer but in order to use the pineapple I've had to think through my reasons and expectations on the various legal aspects. There's too much at stake personally to get caught up in any kind of legal trouble involving a pineapple. But I don't mind pushing the boundaries on what is legal and socially acceptable in order to make a point. I just have to be able to live with any consequences. I wonder if the Hak5 folks would ever have a special episode where the EFF is invited to talk to the legal aspects of pineapple use in the wild.

korang,

Have you ever thought of deploying the pineapples in locked Pelican cases? Two locks would be best to maintain a two person integrity system. Maybe only collect them after a preset time where the batteries have run out... That way any access to the data is only possible physically and the locks would prove data integrity.


> I wonder if the Hak5 folks would ever have a special episode where the EFF is invited to talk to the legal aspects of pineapple use in the wild.

I am not sure if this is their domain, but if it is then I would love to hear their thoughts. I would like to see them on the show regarding other concerns as well.


http://ellabakercenter.org/know-your-rights

Also

Searches

Never consent to a search! If the police try to search your house, car, backpack, pockets, etc. say the Magic Words 2: "I do not consent to this search." This may not stop them from forcing their way in and searching anyway, but if they search you illegally, they probably won't be able to use the evidence against you in court. You have nothing to lose from refusing to consent to a search and lots to gain. Do not physically resist cops when they are trying to search because you could get hurt and charged with resisting arrest or assault. Just keep repeating the Magic Words 2 so that the cops and all witnesses know that this is your policy.

Be careful about casual consent. That is, if you are stopped by the cops and you get out of the car but don't close the door, they can search the car and claim that they thought you were indicating consent by leaving the door ajar. Also, if you say, "I'd rather you didn't search," they can claim that you were reluctantly giving them permission to search. Always just say the Magic Words 2: "I do not consent to this search."

If the cops have a search warrant, nothing changes - it's legally safest to just say the Magic Words 2. Again, you have nothing to lose from refusing to consent to a search, and lots to gain if the search warrant is incorrect or invalid in some way. If they do have a search warrant, ask to read it. A valid warrant must have a recent date (usually not more than a couple of weeks), the correct address, and a judge's or magistrate's signature; some warrants indicate the time of day the cops can search. You should say the Magic Words 2 whether or not the search warrant appears correct. The same goes for any government official who tries to search you, your belongings, or your house.
Edited by mrgray

The scenario's very irresponsible. You shouldn't be at a public WiFi doing pen testing on any level, so if you get in trouble, then it's on you. That being said...

Google got into trouble because they gathered (and stored) data using their equipment. It's not much different than setting up a MITM, allowing people to connect through you, and storing their data, cookies and passwords for later use, which you have no authorization to do. I've set something up in the past and merely watched where most people connect to without storing anything on my equipment. Most were boring, mostly Facebook, Instagram, Youtube, *.edu sites and webmail but that's about it, got boring really fast.

I'm not entirely familiar with what the laws/policies are regarding the use of the Pineapple, I know some are fine with it, others believe it's like having a terrible weapon and are very much against it. I believe in the concept of ethical hacking for educational purposes, to understand and learn how things work for your personal use only. Anyone can go to a store and buy a kitchen knife but it becomes illegal as soon as you intend on using it in a malicious manner, other than its intended purpose.

One can argue that public WiFi's are "use at your own risk" thus having your data captured using an un-secure connection is not much different than having your password written on a napkin for people to see. I believe that users have a responsibility to learn how to reduce their risks from "snoopers" when at public places with their mobile devices, can't expect the law/governments to bottle feed you 100% risk free internet use.

Edited by Lockon

Personally, the only thing I ever do in coffee shops in regards to the Pineapple is develop. It's great to sit in a comfortable big chair, sipping your coffee / tea and coding. A nice change in scenery. Saying that, I fully agree with everyone above. The original scenario is not really a good example.

Using encryption on your SD cards is entirely possible in the future and something we thought about already. It is at least something we can agree has a realistic scenario: You are on a legit pentest. You are on your way back home and for whatever silly reason you leave your bag on the bus. Or it gets stolen. Or it is deployed on a pentest and some employee wonders what it is, grabs it and wants to check out what's on it, but the SD card / pineapple may contain sensitive data even to some employees of the company.

All of the above are realistic scenarios and therefore encryption is something we can push -- a little later. We are doing lots of USB / SD improvements right now and this will be one of the upcoming things. Think encFS etc.

Best Regards,

Sebkinne


Ignoring all the other issues in the OP's original situation, what struck me was:

"Bob tries to explain to the police"

Huge mistake right there, NOTHING you explain to the police is going to help you.

Along the lines of what mrgray said, consent to nothing, and ask for a/your lawyer.

Here is a video of a lawyer and police officer explaining why even if what you are doing is 100% legal.

http://youtu.be/6wXkI4t7nuc

Edited by lostngone

crap.. business as usual..

root@Pineapple:/etc/config# opkg install sshfs
Installing sshfs (2.2-1) to root...
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies for sshfs:
* kernel (= 3.3.8-1-d6597ebf6203328d3519ea3c3371a493) *
* opkg_install_cmd: Cannot install package sshfs.

https://en.wikipedia.org/wiki/Probable_cause

Police cannot legally confiscate equipment just because you are sitting somewhere with it. Even if they suspect it is a wireless appliance, there would be no evidence you're doing anything illegal. Even if they think you are doing something illegal, they would have to come up with an actual law that they think you are even breaking. You would have to either voluntarily give your pineapple to them, or be arrested on a charge. Evidence seized illegally could only result in any future charges against you being thrown out immediately. Worst case scenario is you would get asked to leave private property.

Still, would be prudent to have an encrypted data partition, though.


> https://en.wikipedia.org/wiki/Probable_cause
>
> Police cannot legally confiscate equipment just because you are sitting somewhere with it. Even if they suspect it is a wireless appliance, there would be no evidence you're doing anything illegal. Even if they think you are doing something illegal, they would have to come up with an actual law that they think you are even breaking. You would have to either voluntarily give your pineapple to them, or be arrested on a charge. Evidence seized illegally could only result in any future charges against you being thrown out immediately. Worst case scenario is you would get asked to leave private property.
>
> Still, would be prudent to have an encrypted data partition, though.

They can hold it to preserve the evidence by keeping you from it. So as long as they can articulate why they took it and it makes sense for a reasonable concern, they can. It would fall under exigent circumstance.

An emergency situation requiring swift action to prevent imminent danger to life or serious damage to property, or to forestall the imminent escape of a suspect, or destruction of evidence. There is no ready litmus test for determining whether such circumstances exist, and in each case the extraordinary situation must be measured by the facts known by officials.[1]