back to article Brit hardware hacker turns Raspberry Pi Zeros into selfie slayers

Hipsters and selfie addicts beware: infosec man Steve Lord has crafted a tool designed to sever your line of addiction to Instagram by quietly blocking it over public Wi-Fi. The British security bod built the Raspberry Pi Zero-powered "hipster slayer" out of nothing more than off-the-shelf components and "questionable life …

  1. Will Godfrey Silver badge
    Meh

    Hmm

    Nice idea, but rather risky

    1. BillG
      Devil

      Re: Hmm

      I want one.

      I want to block access to social networking sites during family gatherings.

      1. Eddy Ito
        Pint

        Re: Hmm

        Now hang on, what's wrong with popping out to the pub? After all, it's unlikely Aunt Edna will notice you were gone for an hour, maybe more if the children do their job right.

        1. Grikath

          Re: Hmm @ Eddy

          It's the selfie-bastards who ruin that, because they always tend to include *other people* in their antics. Murphy states that Aunt Edna, or great-cousin Jeeves *will* find those pics at the most importune moments and *will* spread the pain. Because Family.

      2. Anonymous Coward
        Anonymous Coward

        Re: Hmm

        I'm fairly sure a WiFi pineapple would suffice for such a nefarious task.

        Not that i'd know anything about that.

        Else pop online and buy a GSM/WIFI jammer.

    2. Voland's right hand Silver badge

      Re: Hmm

      Risky - dunno.

      Half-baked and ineffective as described? Definitely.

      If you kill the wifi cleanly and immediately upon DNS lookup it will just switch to cellular. You need to mark "an idiot" by collecting his DNS packets, then wait until he establishes a TCP connection to anywhere (the first connection after the lookup is likely to be instagram or f*book) and only after that kill the WiFi mid-session so it buggers up the TCP connection.

      1. Anonymous Coward
        Anonymous Coward

        Re: Hmm

        No, it'll just return a can't connect message, by which time the device has dropped out of WiFi, the victim figures the hotspot broke, and tries again on the cellular network. This can only work in an area with weak cell signals, meaning people start relying on the WiFi.

        1. APA

          Re: Hmm

          "This can only work in an area with weak cell signals"

          So a music festival, then. As described in article. Where the concentration of people in a relatively small area is too big a job for the local cell infrastructure.

          Though to be honest in my experience the bigger problem faced at events is battery life. It's quite funny watching half a dozen people fight over the single proprietary apple connector at a charging point and then being given evil looks as you waltz up with your phone with a standard connector and have so many to choose from...

          The point being "connection" is a luxury if you can't take the pictures in the first place. So if you really want to annoy people, have exactly one apple connector at the event and set up a coffee shop nearby to watch the fallout. (I am in no way thinking of Big Feastival 2015 where there was a Lavazza stall that had done exactly this, honest)

  2. Anonymous Coward
    Anonymous Coward

    So he's a terrorist disrupting the Internet

    I expect him to be spied on, extradited, waterboarded then shot.

    1. Anonymous Coward
      Anonymous Coward

      a cyber-terrorist

      and Mark Zuckerberg knows where he lives...he better be careful starting his computer in the morning.

    2. Otto is a bear.

      Re: So he's a terrorist disrupting the Internet

      or alternately he's a freedom fighter, depends on your viewpoint, and the circumstances.

      Warning - Contains gross simplifications

      Adult = A freedom fighter for traditional family values.

      Child = Terrorist disrupting their fun.

      I can see a ready market in Schools.

  3. frank ly

    I'm wondering

    Would it be possible to spoof a connection and deliver a mocked up error page saying "Get a life" or something like that? I have a more evil idea in mind but I'm not going to say what it is, in case it happens to one of you lot one day.

    1. DropBear
      Trollface

      Re: I'm wondering

      Absolutely - as long as the victim has a recent but not very up-to-date Dell laptop...

    2. petur

      Re: I'm wondering

      Sure, check out the Wifi Pineapple, quite more expensive but less work :)

    3. Anonymous Coward
      Anonymous Coward

      Re: I'm wondering

      My favourite jape was by the guy who discovered his neighbours were leeching his wi-fi connection, so he redirected their traffic via a proxy that turned all the images upside down.

      http://www.ex-parrot.com/~pete/upside-down-ternet.html

      1. TeeCee Gold badge
        Coat

        Re: I'm wondering

        I remember that.

        Wouldn't have as much impact these days, people would just assume it was a known iPad problem.

      2. Haku
      3. Lord_Beavis
        Trollface

        Re: I'm wondering

        My favourite jape was by the guy who discovered his neighbours were leeching his wi-fi connection, so he redirected their traffic via a proxy that turned all the images upside down.

        I setup one of these once but directed any page requests to the local Apache server and Rick Rolled them... Great fun watching the kids going from the school bus stop in the afternoon looking for Wi-Fi.

    4. TimeMaster T

      Re: I'm wondering

      Fun idea but ...

      You would be getting into legally questionable territory with spoofing. Right now the device just makes a polite request to the WiFi connected mobile/laptop/tablet to "get lost", its up to the connected device to preform the actual disconnect.

      By spoofing a web site or redirecting the connection you get into legal areas covered by cyber security laws, unauthorized use of a system, intrusion, and other legal grey areas.

      Better to just get a device to drop the connection. No one gets hurt and you can rightfully claim that you have done nothing to intercept or tamper with data on another persons device.

      That said I want one of these things. Not sure what I would do with it but I'm sure I would think of something.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm wondering

        if someone's using your WiFi without permission - which iirc was the purpose of the upside-down-ternet? - then they've committed the unauthorised use and intrusion, not you? THe disconnect thing is cleaner, yes, but you aren't tampering with authorised user's data .....

        1. dan1980

          Re: I'm wondering

          @AC

          "if someone's using your WiFi without permission - which iirc was the purpose of the upside-down-ternet? - then they've committed the unauthorised use and intrusion, not you? THe disconnect thing is cleaner, yes, but you aren't tampering with authorised user's data ....."

          Well yes, but that's common sense speaking.

          And indeed there might be no harm attributable to someone dealing with unauthorised access this way BUT, I would never do this because it would open a (small) potential legal liability. Not in disrupting someones service but in you potentially being responsible for what those people access and do over your connection.

          Consider that a key claim of the plaintiff's in the MPAA Roadshow vs iiNet case was that iiNet was responsible for any illegal actions of the people using their network because they had the visibility to identify offending traffic and the power to stop it.

          If you had a claim against you for, say sharing copyrighted content over you connection, your ability to assert that you are not liable due to the infringement being conducted by an unauthorised person utilising your connection would be likely be hampered if it was shown that you not only had mechanisms in place to control access to the connection but that some of those mechanisms were put in place specifically to detect and affect unauthorised users and traffic.

          Maybe you would still be successful in that argument but I would think it would be a much harder sell!

        2. John Savard

          Re: I'm wondering

          I think this is about using such a device in a place like a public library where the wi-fi is not encrypted. So the signal from your box is being mistaken from the signal from the library's wi-fi system that you're connected to.

          The solution is, of course, to switch to encrypting the wi-fi, and just arrange in a different way for everyone to be able to use it.

      2. Stoneshop
        Devil

        Re: I'm wondering

        You would be getting into legally questionable territory with spoofing.

        Would proxying be a problem? You're not altering the data, or redirecting the connection, just adjusting the connection speed.

        Full WiFi speed in, 56k out.

        1. dan1980

          Re: I'm wondering

          @Stoneshop

          If you are 'adjusting the connection speed', on what basis are you doing so? The point is that to do anything to access you classify as unauthorised, you must first identify what that is. And if you have done that and can then affect it, you could also block it and a plaintiff (i.e. the RIAA/MPAA) may well argue that you have proven that you could have blocked the traffic and thus prevented anyone else using your connection for illegal activities. BUT YOU DIDN'T.

          I think that concept - that you should be responsible for what others do through your connection - is f%$king absurd but that doesn't mean that it wouldn't see you in a harrowing legal battle to prove that. You would probably win the case but proving that you at least had the capability and technical knowledge to block the traffic would make such a case far more likely to pass muster.

    5. Robert Helpmann??
      Childcatcher

      Re: I'm wondering

      Yeah, my first thought was that this would be perfect for mobile man-in-the-middle attacks. Just drop a few of these off wherever targets with low technical ability but who have deep pockets happen to hang out (e.g. Starbucks) and it would pay for itself in no time.

    6. Ben Bonsall

      Re: I'm wondering

      Would it be possible to spoof a connection and deliver a mocked up error page saying "Get a life" or something like that?

      Something like a 404.1 - Life not found.

      Most likely causes:

      There is an error in your brain.

      If you clicked a link, you may be out of date.

      Things you can try:

      Growing up.

      Cutting off that silly beard.

      Going outside without your phone to search for one.

    7. Ken 16 Silver badge

      never going to give you up

      Or a proxy replacing the uploaded photo or video with another?

      1. Michael Wojcik Silver badge

        Re: never going to give you up

        Or a proxy replacing the uploaded photo or video with another?

        Better yet, adapt the idea of upside-down-ternet, and use ImageMagick to mess with the photo that's being uploaded. You could do something obvious, like overlay it with amusing text; something subtle, like a mild Gaussian blur ("Man, all my selfies from the festival are crap! I need a new phone."), or something in the middle - like UDT's flipping the image upside down ("How wasted were you? You were holding the phone upside down the whole time.")

        Oh, the possibilities. Overlay part of the image with an extreme closeup of a fingertip. Mess with the gamma. If you really want to spend some computing power, do face-identification, then swap faces on the people. (This last is doable - I've seen automated face-swapping done on images. Results are hilarious.)

        I have to stop thinking about this. It's too damn tempting.

        Though, now that I think about it, I don't know whether any of the clients for these services can be coaxed into downgrading to insecure connections, or into accepting server certificates they shouldn't. So MITMing them might not be feasible. (UDT only worked with unsecured HTTP, which was fine because nearly everything that wasn't commerce or banking was unsecured in those days.)

  4. Ugotta B. Kiddingme
    Happy

    the most worthwhile DIY projects

    are nearly always built 'out of nothing more than off-the-shelf components and "questionable life choices." '

    1. Michael Wojcik Silver badge

      Re: the most worthwhile DIY projects

      I have a couple of houses that were largely constructed from off-the-shelf components and questionable life choices. (By choosing them I am following the tradition, of course.)

  5. nilfs2

    I want one to block facebook and whatsapp

    Imagine how productive could humans beings be without those two time wasters.

    1. Chris G

      Re: I want one to block facebook and whatsapp

      You will destroy life as we know it!

      I want one too.

      Most of the management droids at my company use wartsapp and complain constantly because I'm not a 'Team Player' and they have to use other means to contact me with their meaningless little notices, the HR bloke being one of the most irritating and least useful.

      I am in a team of one, perfect for me.

      1. Doctor Syntax Silver badge

        Re: I want one to block facebook and whatsapp

        "the HR bloke being one of the most irritating and least useful."

        By definition.

        1. a_yank_lurker

          Re: I want one to block facebook and whatsapp

          HR is not most irritating and least useful but most verminous.

      2. JetSetJim
        Mushroom

        Re: I want one to block facebook and whatsapp

        >I want one too.

        But imagine if some nark added forums.theregister.co.uk to the list....

    2. Dr Scrum Master

      Re: I want one to block facebook and whatsapp

      Imagine how productive could humans beings be without those two time wasters.

      Add in Twitter and I'll wholeheartedly agree.

    3. Anonymous Coward
      Anonymous Coward

      Re: I want one to block facebook and whatsapp

      Just be a refusenik and say NO to all anti-social media sites.

      Block them at your home router. The family when they come visiting will stay a lot less time... Yay!

      Your life will be a lot less stressful because you aren't constantly checking to see what your so called friends are saying about you... How we existed before Facebook etc I really don't know.

      These sites are just as addictive (IMHO) as drugs. People once hooked find it almost impossible to get off them.

      That's why they are blocked on my home WiFi.

      Refuseniks Rule Ok!

      1. Slartybardfast

        Re: I want one to block facebook and whatsapp

        "That's why they are blocked on my home WiFi."

        It's your WiFi and you're obviously free to block whatever you want. Stopping other people visiting sites that they want to does sound a bit like control freakery though. So you're stopping your wife/girlfriend/boyfriend and or children (if you have any of them) visiting sites that you don't like. When other people are using your WiFi then you are to a certain degree being their 'ISP by proxy'. Wouldn't you moan if your ISP blocked access to sites you wanted to go to?

        1. Stoneshop
          Thumb Down

          Re: I want one to block facebook and whatsapp

          When other people are using your WiFi then you are to a certain degree being their 'ISP by proxy'.

          My router, my rules. Also applies to ad networks trying to route packets in.

          If people are paying for connectivity, they can expect sites to be blocked or not according to their wishes. If they don't, tough shit.

    4. Michael Wojcik Silver badge

      Re: I want one to block facebook and whatsapp

      Imagine how productive could humans beings be without those two time wasters.

      I doubt there'd be a significant difference. The historical record shows that human ingenuity is virtually unlimited when it comes to wasting time.

      Not that this forum is any sort of evidence for that thesis, of course. We're doing important work here. Important work.

  6. David 132 Silver badge
    WTF?

    Interesting and eclectic choice of targets

    "In this case it's Instagram, things like political Islam, men's wedges, and rugby."

    I have to admit that on my mental Venn diagram of social media users, politicised Islamists and rugby players, there's not a huge amount of overlap.

    Hipsters/Islamists... other than epic beards, do they have much in common?

    Is Daesh going for the "we were cutting peoples' heads off and throwing gays off buildings before it was cool" excuse?

    1. Steven Roper

      Re: Interesting and eclectic choice of targets

      "I have to admit that on my mental Venn diagram of social media users, politicised Islamists and rugby players, there's not a huge amount of overlap."

      Are you sure about that? Rugby players, yes, but ISIS and Daesh are huge users of social media for recruitment to their causes, so much so that the Pentagon thinks it's a big enough problem to oppose with counter-propaganda.

      There's quite a bit of overlap there, and the potential of this device to thwart those efforts cannot be understated!

      I would say the chap who invented this thing is likely to get a visit from some men in black suits and dark sunglasses pretty soonish...

      1. Destroy All Monsters Silver badge
        Facepalm

        Re: Interesting and eclectic choice of targets

        > after 15 years of wrecking the middle east

        > daesh (which happens to be the same as ISIS btw) in need of ideological recruitment

        > implying

        The Pentagon ALWAYS thinks that there are huge problems that need to be opposed with counter-propaganda which is somewhere between annoying (complete amurrica-centric bullshit being foisted on unsupecting locals) and frankly toxic (enabling nasty nazi bastards and/or pretending to see sovietsPUTIN wherever unamericanism mushrooms), thus becoming a huge fucking problem for mankind.

      2. Geoff332

        Re: Interesting and eclectic choice of targets

        These men, you mean?

  7. Old Used Programmer

    That was fast...

    This is the same (basic) activity that got a major hotel chain in the US in trouble. They were sending deauth packets to personal hotpots and it get them a hefty fine from the FCC. Part of the problem was that they were turning around and trying to *sell* the same people access to the hotel WiFi.

    Interesting choice of hardware, though. The Pi0 has be out for less than a week.

    1. Mark 85

      Re: That was fast...

      While that's true, they were in a fixed location and had complaints. If you have one of these devices in your pocket and trigger it randomly, you probably won't get caught. I'm sure the manager at the local Starbucks will just assume there's some problem with the Wifi or the customer's equipment.

  8. Number6

    Been Done

    Didn't some US hotel get on the wrong side of the FCC for pretty much doing this? They were sending deauth packets to anything trying to use a mobile hotspot in the hotel in an attempt to encourage everyone to pay to use the hotel WiFi instead. All this guy has done is slimmed it down and made it more selective about what it attacks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Been Done

      The hotel chain was trying to force users to connect via their expensive hotel connection.

      This is not doing that by a long chalk. I'd love one of these in my Backpack. Walk along the road with a 'No social media bubble' surrounding you. Brilliant.

      Sigh, one can dream can't one?

      1. Black Rat

        Re: Been Done

        You know... manipulating the image itself would be so much more fun.

      2. Jimmy2Cows Silver badge
        Pint

        a 'No social media bubble'...

        Brilliant!

  9. Anonymous Coward
    Anonymous Coward

    What the hell are men's wedges?

    1. Anonymous Coward
      1. Anonymous Coward
        Anonymous Coward

        Thanks.

        That is at least a little less bizarre that what was in my head.

  10. Amorous Cowherder
    Mushroom

    Bit of a self righteous prick then!

    What business is it is of his or any of us how much time someone wants to spend sending pictures of themselves to their mates? That's their problem not yours. Same as it's not my business to find random junkies and try to get them of their poison of choice.

    The problem today, too much obsession with other's business. I suggest this self-righteous twat and his gadget find something far more productive to do with his talents than bothering people who aren't bothering him!

    1. Stoneshop
      FAIL

      Re: Bit of a self righteous prick then!

      Aren't you ever bothered by a selfie-stick-wielding hipster in front of a landmark, or forests of arms waving smartphones in front of you when at a concert?

      Do read the article carefully and try to glean his motivation for building this device.

      1. DropBear

        Re: Bit of a self righteous prick then!

        "Aren't you ever bothered by a selfie-stick-wielding hipster"

        And of course none of those will simply snap that picture(s), connectivity or not, leaving the software to auto-upload it wherever as soon as it gets a connection - which in this case is as soon as they eventually move a few meters away (not something they'll know to do before they actually would have decided to do it anyway)? That did nothing to prevent the action itself you seem to condemn; or is it just five-year-old level "YEAH! I really showed them this time!" vengefulness mixed in with some smug sense of superiority...?

    2. Nevermind
      Terminator

      Re: Bit of a self righteous prick then!

      "prick" in the title, and "twat" in the snark...is it transgender day or something?

    3. Michael Wojcik Silver badge

      Re: Bit of a self righteous prick then!

      The problem today, too much obsession with other's business.

      No, the real problem today is too much complaining on the Internet. I'm so tired of people posting messages in site forums just to say this or that is "the problem today", or to pick nits in one another's statements.

      Incidentally, you want "others'" there - apostrophe after the "s".

    4. Roland6 Silver badge

      Re: Bit of a self righteous prick then!

      Err you seem to have missed the real implications of what this guy has done, namely used the inherent connection management features of 802.11 and TCP/IP in a way that demonstrates just how insecure they are.

      The laugh (at the zealots expense) is that IPv6 will make little real difference to the success of this style of attack.

  11. Anonymous Coward
    Anonymous Coward

    Couldn't someone clevererer (and meaner?) than me

    relatively simply combine this principle with a hostlist or two from one of the better adblockers, so that every time someone's device (on the open WLAN) accessed a hostname associated with serving ads, the device fall off the WiFi?

    Christmas is coming. Go on. You know the world needs it.

    1. YetAnotherLocksmith Silver badge

      Re: Couldn't someone clevererer (and meaner?) than me

      That's backwards - the adverts are pushed to you, so you'd block the whole Internet, pretty much, as everything serves ads. A deauth on that simply knocks everyone local offline, even those with adblockers.

      Meanwhile, the Web server(s) sending ads won't care one dot.

      1. Loyal Commenter Silver badge

        Re: Couldn't someone clevererer (and meaner?) than me

        AdBlock blocks the requests to the spammer advertiser so that they are never made. It would block the internet to everyone not running an ad blocker. This would probably also have the effect of reducing malware infections by 99%.

      2. Anonymous Coward
        Anonymous Coward

        Re: Couldn't someone clevererer (and meaner?) than me

        "That's backwards - the adverts are pushed to you, so you'd block the whole Internet, pretty much, as everything serves ads."

        Depends. If the goal is to remind people of the Web as it was before the advertisers took it over... surely there are still two or three ad-free sites around?

  12. nijam Silver badge

    Selfie-stick (n): A stick for hitting people who are taking selfies.

    Seems a much better idea.

  13. The HLM

    Also add Facebook :-)

    It might be a good idea to encourage proper use of internet and also block completely useless sites like Facebook which also are a magnet for selphies...

  14. Anonymous Coward
    Anonymous Coward

    Nothing really changes

    In the 1960s the equivalent problem was people in public places such as beaches with transistor radios. There were also companies that sold untested or dropout electronic components dirt cheap.

    It was easily possible with no more than a couple of transistors, a few resistors, a bit of ferrite rod, a small capacitor or three and a battery, to make a simple wobbulator that took out the usual offending bit of medium wave in a radius of maybe 20M. This in an old crisp packet tucked under a rock or in a bush would cause approaching offenders to fiddle with the radio and eventually move to somewhere where there was a "better signal". If recovery was not possible at the end of the stay, it could be written off. Of course in those days there were no conferences where you could present "proof of concept" for stuff like this.

    Not of course that I or anyone I knew would ever have done such a thing.

    1. Michael Wojcik Silver badge

      Re: Nothing really changes

      Man, remember when you'd go to a festival and half the attendees would have easel and canvas out, painting their self-portraits? That was annoying.

      Or you'd be sitting around the hall, listening to the bard, and half the guys were composing their own epics instead of paying attention.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like