DroidSheep [ROOT]

What is this about?
If you know Firesheep or Faceniff, you probably know what this is about – OpenSource one-click session hijacking using your android smartphone or tablet computer.

If you do not know one of these tools, I’ll try to explain what DroidSheep is.

Maybe you know Bob. Bob is a wellknown person and Bob loves coffee. Every morning, he takes his laptop and visits one the famous green coffee bars, has a “grande vanilla latte” and writes messages to his facebook friends. For doing that, Bob uses the coffee bars WiFi – because it´s free and fast.

One Morning, Bob is just writing a message to his girlfriend, Eve enters the coffee bar. Eve has an Android phone and Eve uses DroidSheep. After ordering a “venti caramel macchiato”, Eve sits down, takes her phone and starts browsing facebook. Using Bobs identity. She can watch at his friends. Read his messages. Write messages. Write wall posts. Remove friends. Delete Bobs account. Without getting ever in touch with Bob.

What happened?

When Bob is using the WiFi, his laptop sends all the data intended to be received by facebook, over the air to the coffee bars wireless router. As “over the air” means “captureable by everybody”, Eve (or her phone) can read all the data sent by Bob. As some data is encrypted before being sent, she cannot read Bobs facebook password, but in order not to make Bob enter his password after each click, facebook sends Bob a so called “session id” after logging in, which Bob sends with each interaction, making it possible for facebook to identify Bob. Usually only Bob knows this id, as he receives it encrypted. But when Bob uses the coffee bars WiFi, he spreads his session id over the air to everybody. So Eve takes this session id and uses it as hers – and facebook cannot determine, if Bob or Eve uses this id.

DroidSheep demonstrates how easy an attack like this can be – Just start DroidSheep, click the START button and wait until someone uses one of the supported websites. Jumping on his session simply needs one more click. That´s it.

Although DroidSheep is not made for doing such attacks, anyone can test and assure that it really works. For the ones who are interested in how this works, there is the source code public available (see download section).

It shall show the weak security properties of big websites.
Please be always aware of what you’re doing.