Hardware hacker Samy Kamkar has released a new tool called PoisonTap that is capable of a plethora of malicious actions, all of which work even against password-protected computers on which an attacker can't access the desktop.
PoisonTap is a small device built on top of a Raspberry Pi Zero $5 board, which runs custom software and a Node.js server.
An attacker can connect PoisonTap to any computer via its USB ports. There is no interaction needed, and PoisonTap will carry out the attacks automatically after a few seconds.
PoisonTap disguises itself as an Ethernet interface
PoisonTap works by spoofing an over-USB Ethernet adapter, which sets up as the primary source of Internet traffic for all IPv4 addresses.
Windows and OS X will automatically recognize and install the fake Ethernet adapter, even when the machine is locked. This tricks the computer in sending all web traffic to PoisonTap.
PoisonTap steals browser cookies
In case the user has left a browser running on his PC, PoisonTap will wait for at least one tab to make an HTTP request, and then spoof the response, sending it to the victim's browser. This fake response tells the browser to open hidden iframes for the top one million websites.
This action forces the browser to authenticate by sending cookies holding sensitive information to each of the one million websites, which PoisonTap will happily record.
Browsers and websites use cookies to store information on authenticated sessions and various user preferences.
Kamkar says that this attack only works on websites that send their cookies via HTTP and don't use the "secure" flag.
PoisonTap poisons local web caches
Besides stealing cookies, PoisonTap can also alter the user's local browser cache, which is a collection of files that store local versions of various websites that the user recently accessed, kept on the computer to speed up future page load times.
PoisonTap allows an attacker to save malicious versions of certain websites, such as Gmail, Facebook, banking portals, and more, and carry out attacks at later points.
PoisonTap installs permanent remotely accessible backdoors
As Kamkar explains, those initial iframes that accessed the top websites also loaded malicious HTML and JavaScript code that is cached indefinitely and works as a backdoor to the user's browser.
An attacker can use this backdoors to force the user's browser to make calls to malicious servers and continue to deliver new attack code to the user's computer, long after the attacker has unplugged PoisonTap.
PoisonTap exposes the internal router
Kamkar's novel device is also able to make requests to the user's local router. PoisonTap installs a backdoor and makes the router accessible from the Internet using DNS rebinding.
The attacker can access a special URL that grants him access the user's router interface, allowing the attacker to sniff the local network's unencrypted traffic or alter router settings.
Kamkar says that PoisonTap attacks can bypass a slew of security measures such as password-protected computers, Same-Origin Policy (SOP), Cross-Origin Resource Sharing (CORS), X-Frame-Options, SameSite cookie attribute, HttpOnly Cookies, DNS pinning, sites that use 2FA and 2SV mechanism, and even the special case when a website is using HTTPS cookie protection with Secure cookie flag but without using HSTS (HTTP Strict Transport Security).
Below is a video of Kamkar presenting his device:
Here's a review of all of PoisonTap's capabilities:
- Emulates an Ethernet device over USB
- Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
- Siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
- Exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding
- Installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
- Allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
- Does not require the machine to be unlocked
- Backdoors and remote access persist even after device is removed and attacker sashays away
Kamkar has a series of security recommendations, for both server administrators and device owners.
- First and foremost, all websites should run via HTTPS
- HSTS should be used together with HTTPS
- Secure flag must be used with cookies at all time, to prevent websites from sending cookies accidentally via HTTP
- Servers should use Subresource Integrity (SRI) for delivering JavaScript files
- Blocking access to USB and Thunderbolt ports (Kamkar recommends using cement, as a joke)
- Closing browsers when walking away from a PC
- Putting the PC in sleep mode when walking away
Kamkar has open-sourced the code behind PoisonTap on GitHub. The researcher has previously created many devices and tools that can be used for questionable actions, such as:
KeySweeper - device disguised as a wall charger that can log keystrokes
SkyJack - a drone that can hijack other nearby drones
Evercookie - a cookie that lasts for years
Combo Breaker - a motorized device for speed-cracking safes and locks
MagSpoof - a wireless device for spoofing credit card magnetic stripes
ProxyGambit - a tool that hides a user's IP address using various methods
OpenSesame - a tool for opening various types of garage doors
Quickjack - a tool for automating click-jacking attacks
Comments
Mike_Walsh - 7 years ago
Ah yes.....but there's ONE scenario where not a single one of these devices will make any headway at all.
Where the machine in question is powered down, and unplugged....and then the fuses removed.
SuperSapien64 - 7 years ago
I wonder if this would work on Linux?
rp88 - 7 years ago
This is a pretty concerning thing, albeit one at present only dangerous if someone has physical access to your system, but...
Although the risk of them copying cookies and logins is still present wouldn't having a properly patched browser, using anti-exploit software and a script blocker mean that they still couldn't do anything to achieve remote code execution. It is as far as I can tell a matter of the person who plugs in the little device being able to send any traffic they like to your browser, if your browser is protected against exploits well enough won't that mean they can't drive-by you any more than a website could?
Wolverine 7 - 7 years ago
I dont find this too concerning because anyone trying this malaky on any of my systems would find themselves on the recieving end of my Sean Connery impresion with my boot up their wosname ,so i wont fret overmuch.
kenhall5551 - 7 years ago
If this works on password protected machines and desktops, why use a password at all? It's like living in the wild west(in America). No one is safe. this developer should be in prison.