Try clicking around on that site. Most of the links all just go to 'newstweek.com' and none of what are apparently meant to look like links on the frontpage actually go anywhere. The only page that actually functions is the 'article' page. The only links on the page go to:
Both of the photos of the supposed perpetrators link to the home pages of the same guys that are in the Copyright notice at the bottom of the page. So far as I can tell this is a total hoax.
That was my impression, too. 30 euros is too good to be true for what they described, which made me suspicious. The rest of the site is an obvious hoax.
Is there any outside information on this? At first glance it looks like a complete hoax.
The supposed story about it is hosted on the homepage of the device in question, and I see no other hits for it on Google.
Edit: It looks like ibejoeb has the right of it. It is a hoax in the in the stunt/prank/hype/performance art manner, rather than the malicious deception sort.
Still, the hardware (a Sheeva Plug?) and consequent hack described is very possible, tho I understand that setting up a man-in-the-middle DHCP server to override that on the public hotspot is more straightforward.
I completely agree that it could be an actual thing.
From a hardware and security perspective it is, as you say, all of the shelf hardware and techniques, ARP poisoning vs. MitM DHCP server have tradeoffs which have slipped from memory, but you can basically go either way.
The doubt is entirely about the hype and false appearance of a third party news story.
Maybe the intent is to highlight the problems with using unencrypted HTTP? I can dream that it's a well intentioned stunt can't I?
Definitely looks like a joke given the BusyBox banner.
However, the technology described is something that is completely technically possible -- ARP spoofing on an open wireless network and performing MITM content modification.
I don't know if that's the original, but there have been many such 'pranks.' IIRC there was a video circulating a while ago showing the reactions of people at DEFCON who had their connection hijacked to redirect to goatse (or was it all of the images were replaced with the goatse guy, I can't remember full).
If this wasn't a joke, this would be way wrong. This article is so focused on the computer aspect of getting away with this that they forget the physical world. There is such a thing as a camera and if your going to be going about installing this at enough locations to be meaningful, enough information will eventually come out to get you caught. Moreover, once a device like this began to scare people enough to enter the news, people would find it near the hotspot and its threat would be neutralized.
This is obviously some kind of awareness campaign, but it makes me wonder where the joke ends. Did anyone actually make the device (it certainly is possible) or is it just a hoax news article?
This made me laugh though:
"a Nokia N900 phone turned in at a police station in the area had a number of images of the device on board, along with these two photos, taken just minutes after one installation in a large Starbucks in the central suburb of Mitte, east Berlin. Note the black hat worn by what may be a colleague in the first photograph."
If I'm not mistaken, the second photograph of the Asian man is the one taken by authorities of a man who boarded a plane as an old man, then removed his mask and by the time the plane landed, he was young:
"In a rush to leave I reached under the chair to pull out my laptop plug and accidentally knocked this little box to the floor. I plugged it back in and apologised to the cafe owners. They said they'd never seen it before.."
I really love their reference to running arpspoof as "a sophisticated modification of the Address Resolution Protocol Table" as opposed to "brute force flooding of the Address Resolution Protocol Table".
This looks like some hype for the forthcoming "Black Hat News Network" advertised on the same page. The article looks like it was written by the site directly.
It's obviously a joke, but ARP spoofing to mitm your gateway will easily work on a WPA2 network, WPA2-enterprise or even a wired network. This isn't passive eavesdropping.
It's a decent approach, though in most cases like that an sslstrip type of attack would still fool a majority. A certificate based VPN may be the most practical client only defense.
Engineering wise this is really a problem to solve at the local LAN, employing individual vlans or other techniques to strictly segment traffic on top of encryption, or simply implementing port based network access control via 802.1x.
There are still ways around this, easiest being to issue a redirect back to HTTP versions of the site when a HTTPS is requested - together with other tweaks it can still be made to fool a regular user - see http://www.thoughtcrime.org/software/sslstrip/
Another possible process would be to issue a self signed certificate when a session is being requested - obviously the user would be notified of the certificate issue, but depending on the level of knowledge of the end user, they may just accept the faked certificate. See http://crypto.stanford.edu/ssl-mitm/
* http://hotglue.org/
* http://julianoliver.com/
* http://k0a1a.net/
Both of the photos of the supposed perpetrators link to the home pages of the same guys that are in the Copyright notice at the bottom of the page. So far as I can tell this is a total hoax.