Cafe
CoffeeMiner uses public Wi-Fi to mine for cryptocurrency. sakuraismjp0/Pixabay

A security researcher recently discovered a new exploit that would allow attackers to harness the computing power of devices connected to public Wi-Fi networks to secretly mine for cryptocurrencies.

Software developer Arnau Code published a proof-of-concept (PoC) project called CoffeeMiner that showed the theoretical cryptocurrency mining attack in action.

CoffeeMiner works similarly to a man-in-the-middle attack, in which a threat actor is able to sit in between an individual and the server they believe they are communicating directly with in order to intercept information or send back false information that appears to be coming from the server.

Instead of stealing information, CoffeeMiner makes use of its access by serving code to all devices connected on the network. That code directs the machines to covertly mine for cryptocurrency, which is reaped by the attacker.

The attack works by spoofing messages from the Address Resolution Protocol (ARP)—a process that maps IP addresses to machines connected to the network. This is done through the dsniff library, which sees all traffic that occurs on the public network.

CoffeeMiner then injects JavaScript code into the webpages that users visit while connected to the compromised Wi-Fi network. That single line of code requests a cryptocurrency miner, which is served through a remote server.

Once the miner has been served and compiled on a device, it can be used to mine for cryptocurrency for as long as it is connected to the Wi-Fi network. Users likely won’t notice the mining process other than webpages loading slower than normal or their processor seeming to be overworked.

“As we have seen, the attack can be easily performed, and also can be deployed to be an autonomous attack in a WiFi network,” Code wrote of the attack.

The mining software used in the attack is CoinHive, one of the most popular scripts for cryptomining. While CoinHive in itself is not intended to be malicious—at least according to its creators—it has gained a reputation for being used in these types of attacks.

CoinHive is one of the most popular tools for cryptojacking , an attack that steals a user’s computing power and uses it to mine profitable cryptocurrencies. Cryptojacking attacks have cropped up a number of ways online. Some websites have used the tactics to generate income without disclosing the practice to users. Cryptomining code has also been hidden in web browser extensions and other tools that hijack a user’s processor.

While CoffeeMiner lays out how an attacker could hijack an entire Wi-Fi network to mine for cryptocurrency, there has already been at least one instance of a similar attack in the wild.

The Wi-Fi network of a Starbucks coffee shop located in Buenos Aires, Argentina was discovered to have been injecting cryptomining code onto the machines of customers who connected to the store network. Starbucks claimed the issue stemmed from the internet provider and was isolated to only that store location.