
Hacking Facebook Sessions from Android with Droidsheep

Droidsheep is a native app for the Android platform that requires root access to perform a Man in the Middle attack against a network in order to hijack HTTP sessions. You can find more information on the app, as well as the source code, here:

http://droidsheep.de

Proof of Concept:

The Attack:

Step 1) ARP poison the router. This leverages the root capabilities of a rooted Android operating system to perform a Man in the Middle attack against all the hosts on the network. Because it attacks the ARP cache of the router, you will be able to MITM both wired and wireless hosts on the same network from a single wireless connection. This also requires that you have already obtained an IP address on the victim network, which means wireless encryption will not prevent this attack if the attacker already knows the encryption key.

Step 2) Wait for a cookie to pass through. Because this attack only works against plain HTTP, the cookies pass by unencrypted, allowing an attacker to copy any cookie that crosses the router without having been sent over HTTPS.

Step 3) Copy the cookie to a local browser. This step essentially tricks Facebook, or any other service, into thinking that your browser has already successfully authenticated to the service, allowing the attacker to assume the identity of the victim.
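Step 1 leaves a trace that a defender on the same network can watch for: the router's IP address suddenly resolves to a different MAC, and that MAC usually still answers for the attacker's own IP as well. The following is an added example, not code from Droidsheep or from the original post. It assumes Linux `ip neigh show` output as its input format and uses constructed addresses for the two snapshots:

```python
import re
from collections import defaultdict

# Added example (not part of Droidsheep): detect the ARP-cache change that a
# gateway-poisoning attack leaves behind. The input format is assumed to be
# Linux `ip neigh show` output; every address below is constructed sample data.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

GATEWAY_IP = "192.168.1.1"  # constructed: the router whose entry is watched

# Constructed snapshot taken while the network was known-good.
BASELINE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:ff STALE
192.168.1.30 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
"""

# Constructed snapshot after the host at 192.168.1.20 has claimed the gateway's IP.
POISONED_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:ff REACHABLE
192.168.1.30 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.40 dev wlan0  FAILED
"""


def parse_ip_neigh(text):
    """Return {ip: mac} for every resolved (lladdr-bearing) neighbour entry."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_arp_spoofing(baseline, current, gateway_ip=GATEWAY_IP):
    """Compare two {ip: mac} tables and return a list of human-readable findings.

    Two signals are checked: the gateway's MAC differing from the baseline, and
    one MAC answering for more than one IP (the poisoner keeps its own entry
    while also claiming the gateway's).
    """
    findings = []
    old_mac, new_mac = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        findings.append(f"gateway {gateway_ip} changed MAC {old_mac} -> {new_mac}")
    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} answers for several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    baseline = parse_ip_neigh(BASELINE_NEIGH)
    for finding in detect_arp_spoofing(baseline, parse_ip_neigh(POISONED_NEIGH)):
        print("ALERT:", finding)
```

Run it as-is and it reports both signals for the constructed snapshots. A replaced router also changes the gateway's MAC, so the first check needs a refreshed baseline after legitimate hardware changes; the second check (one MAC, several IPs) is the more specific indicator of poisoning.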

Preventing this Attack:

SSL-encrypted sessions will not stop the attacker from ARP poisoning the router and performing the MITM attack. They will, however, successfully prevent Step 2 of this attack by encrypting the cookie every time it is transmitted.

Any time you connect to a service, make sure the connection is SSL encrypted. This will completely prevent this attack.
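On the server side, "every time it is transmitted" is what the cookie's Secure attribute and the Strict-Transport-Security header guarantee: a browser will not send a Secure cookie over plain HTTP, and HSTS stops it from loading the site over HTTP in the first place. The following is an added example, not code from the original post or from any service it names; the two header sets are constructed sample data:

```python
# Added example (not from the original post): audit a server's response headers
# for the two settings that keep a session cookie off plain HTTP. The header
# lists below are constructed sample data, not captured from any real service.


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie_name, {attribute: value_or_True})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_response_headers(headers):
    """headers: list of (name, value) pairs as the server sent them.

    Returns a list of findings; an empty list means every cookie carries the
    Secure attribute and the site enables HSTS.
    """
    findings = []
    if not any(n.lower() == "strict-transport-security" for n, _ in headers):
        findings.append(
            "no Strict-Transport-Security header: a browser may still load the site over plain HTTP"
        )
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks Secure: the browser will also send it over HTTP")
    return findings


# Constructed: the weak configuration the post describes (cookie usable over HTTP).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=c0nstructed; Path=/"),
]

# Constructed: the hardened form of the same response.
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, "->", audit_response_headers(headers) or "ok")
```

The weak set produces two findings and the hardened set none. Note that Secure only controls what the browser does with the cookie; the first request to an HTTPS-only site can still start over HTTP unless HSTS (or an HTTPS bookmark) keeps it off that path, which is why the audit checks both.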

Further information on Session Hijacking can be found at the Wikipedia page here.