A $5 tool called PoisonTap can allow malicious actors to easily hack into a locked computer.
Discovered by well-known independent white-hat hacker and developer, Samy Kamkar, PoisonTap siphons cookies, exposes internal routers and installs web backdoors on locked computers.
A physical device, PoisonTap simply needs to be plugged into a locked or password-protected computer to work its black magic. It emulates an Ethernet device over USB, and hijacks all internet traffic from the machine (despite being a low priority/unknown network interface).
In all, it allows the attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain. It exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding, and installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning. On the cookie front, it stores HTTP cookies and sessions from the web browser for the Alexa top million websites.
“PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable and microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle,” Kamkar explained in an analysis. “PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.
A video demonstration of just how easy it is to use can be found here.
While the initial compromise of the device requires physical access, consequent access to the machine can be pulled off remotely. The backdoors and remote access persist even after device is removed and attacker “sashays away,” Kamkar noted.
The discovery represents a new threat vector. “There have been attacks that look similar to the PoisonTap; however, this one is exploiting a completely different system weakness,” said Craig Smith, research director of transportation security at Rapid7, via email. “A key difference with PoisonTap is that it emulates a network device and attacks all outbound communications from the target system. This attack works on both Windows and Mac operating systems, and can hijack a large number of connections, even if the machine is locked. If a user gets up to use the restroom—or even if it's a kiosk that has disabled the keyboard, but the interface is a web backend—this device will still work.”
He added, “The brilliance of the attack is actually in its simplicity: the most complex code in PoisonTap is the beautiful HTML5 canvas animation by Ara. On a $5 Raspberry Pi, Samy pulled together several clever attacks that add up to something really masterful.”
Photo © vixenkristy