How cryptocurrency miners can hack your computer on public Wi-Fi for big gains

As the hubbub around cryptocurrencies continues to grow, so, too do the ways that more nefarious folks can exploit clueless individuals. And one coder has shown how you could be at risk when browsing on a public Wi-Fi server.

Software developer Arnau flagged the issue recently (via ZDNet), citing a recent case in which someone was exploiting public Wi-Fi at a Buenos Ares Starbucks, and explored what's called a "MITM (Man-In-The-Middle)" attack.

In these attacks, the hacker can "inject a javascript" into the html of a page using a public Wi-Fi connection and, in turn, use the computers of other unsuspecting users on the same network to mine cryptocurrency for the hacker.

This Tweet is currently unavailable. It might be loading or has been removed.

As ZDNet explains it, for the more technically-inclined among us:

The attack works through the spoofing of Address Resolution Protocol (ARP) messages by way of the dsniff library which intercepts all traffic on the public network.

Mitmproxy is then used to inject JavaScript into pages the Wi-Fi users visit. To keep the process clean, the developer injected only one line of code which calls a cryptocurrency miner.

Arnau was able to successfully recreate the exploit described in the Starbucks case, which was then, appropriately named CoffeeMiner thanks to those dark-roasted origins.

The lone weakness of the mining script is time. CoinHive, a miner mentioned by Arnau, needs the victim to be on a page for at least 40 seconds to make the effort worthwhile.

But your best bet in protecting yourself against such attacks, besides limiting your time on unsecured public networks, are a handful of security tools, such as the ones Motherboard pointed out in December of 2017.

Symantec had to “fine-tune” some of its security tools in September to block malicious cryptocurrency miners, [Candid Wueest, principal threat researcher for Symantec] said. There are free ways to protect yourself too: You can add mining scripts to Adblock Plus’s block list, and there’s even an open source script blocker on GitHub called No Coin.

So update your tools and stay sharp out there -- which you really should be doing anyway because of, well, everything -- because as cryptocurrency values skyrocket, so will the number of folks looking to get rich off of the oblivious.