laptop
A security researcher uncovered how public Wi-Fi networks at coffee shops could be hijacked to mine cryptocurrency Reuters/Mario Anzuoni

A security researcher has uncovered a new exploit that could potentially allow hackers to harness public Wi-Fi networks to secretly mine cryptocurrency. Software developer Arnau Code published a report detailing a proof-of-concept (PoC) project dubbed "CoffeeMiner" that highlights how devices connected to public Wi-Fi network in cafes could be ensnared to mine cryptocurrency for a threat actor.

"Some weeks ago I read about this Starbucks case where hackers hijacked laptops on the WiFi network to use the devices computing power to mine cryptocurrency, and I thought it might be interesting perform the attack in a different way," Arnau wrote in a blog post published Thursday (4 January).

CoffeeMiner works in a similar way as a man-in-the-middle attack to insert Javascript into the HTML pages visited by users. The attack is carried out by sending spoofed Address Resolution Protocol (ARP) messages using the dSniff library onto the targeted network. This allows the attacker to intercept all traffic on the public network.

The software tool mitmproxy is then used to inject the Javascript into the webpages users visit while connected to the public Wi-Fi network. To keep the process "clean", just a line of code is injected into the targeted HTML pages, which calls a cryptocurrency miner.

The miner is then deployed in an HTTP server. In this case, the miner used is the infamous Coinhive script. Although the developers behind Coinhive claim it is not intended to be malicious in nature, the script has been used in several crypto jacking attacks in the past.

"The idea is to have the CoffeeMiner script that performs the ARPspoofing attack and sets up the mitmproxy to inject the CoinHive cryptominer into victims HTML pages," Arnau said.

After the miner is deployed, the devices of unsuspecting users that are connected to the compromised network are secretly hijacked to mine cryptocurrency as the victims browse.

According to Arnau, the only drawback is the actual amount of time users spend on a page.

"CoinHive miner makes sense when a user stays on a website for mid-long term sessions," he said. "For a website where the users' average session is around 40 seconds, it doesn't make much sense. In our case, as we will inject the crypto miner in each one of the HTML pages that victims request, we will have long-term sessions to calculate hashes to mine Monero."

The researcher said he already successfully tested the CoffeeMiner attack in real-life scenarios including in cafes.

"As we have seen, the attack can be easily performed, and also can be deployed to be an autonomous attack in a WiFi network," the researcher wrote. "For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victims' list. Another further feature could be adding sslstrip to make sure the injection also in the websites that the user can request over HTTPS."

Researchers have previously warned that unsecured public Wi-Fi networks, particularly at coffee shops, could be a hotbed for nefarious cyberattacks and activities.

In a recent similar attack, a cryptominer was discovered on the free, in-store Wi-Fi network of a Starbucks store in Buenos Aires, Argentina, that exploited the processing power of customers' devices to mine Monero coins.

Starbucks blamed the issue on the internet service provider and said the issue was isolated to just that store.