So they essentially stuck a Pineapple on a quadcopter? This method of attack certainly isn’t anything new.
Furthermore, Android doesn’t probe for networks that have been added by choosing the network from the list of broadcasting networks, only for networks added via “Add Network”/“Other,” rendering Android essentially immune. quick citation - a mention in the SDK docs And even more info on this vector with Android.
I am fairly certain this type of attack is not possible for HTTPS connections, unless the client is not verifying certificates.
It would work on non-patched iDevices, because of the goto fail; bug in iOS. (Allowed a specially crafted self-signed certificate to impersonate any site).
The article claims that Paypal passwords were taken, and Paypal uses HTTPS. So, the researcher must have used some kind of exploit to compromise an HTTPS connection.
PayPal uses https unless a middle man intercepts the http request and doesn’t redirect you to the secure site. If I wanted to demonstrate stealing paypal passwords, I could certainly find a way to transmit them in the clear.
money.cnn’s past reporting of info sec has been spotty.
That’s a good point. In fact, it seems these drones may ultimately use Moxie Marlinspike’s sslstrip MITM tool, which does some of that automatically. Seems like the drone would need to implement a phishing page for each service it’s attacking.