Meet PoisonTap, the $5 tool that ransacks password-protected computers

Posted by Unknown on Sunday, November 27, 2016



Proving once again that you can do a lot of damage with a little investment and a lot of ingenuity, security researcher Samy Kamkar recently managed to take down a locked, password-protected computer armed with only a US$5 Raspberry Pi.

The low-tech cookie-siphoning intrusion is one of Kamkar's simplest hacks ever. He previously has unlocked car doors, garages, wireless remote cameras and other devices, with MacGyver-like precision.

Kamkar's latest hack, PoisonTap, uses a Raspberry Pi Zero, a micro SD card, and a micro USB cable or other device that emulates USB, including USB Armory or LAN Turtle.

Windows, OS X and Linux recognize PoisonTap as an Ethernet device, load it as a low-priority network device, and perform a DHCP request across it, even if the computer is locked or password-protected, Kamkar explained.

PoisonTap provides the computer with an IP address. However, the DHCP response tells the machine that the IPv4 space is part of PoisonTap's local network, rather than a small subnet, he said.

If a Web browser is running in the background, one of the open pages will perform an HTTP request in the background, noted Kamkar. PoisonTap responds with a spoof, returning its own address, and the HTTP request hits the PoisonTap Web server.

When the node Web server gets the request, PoisonTap's response is interpreted as HTML or JavaScript.

The attacker is able to hijack all Internet traffic from the machine and siphon and store HTTP cookies from the Web browser or the top 1,000,000 Alexa websites.
Low-Cost Havoc

"The PoisonTap project is an extremely clever and creative attack that can have serious consequences," said Mark Nunnikhoven, vice president for cloud research at Trend Micro.

"The code is public, and hardware required to run it is only a few dollars, which increases the risk to average users," he told TechNewsWorld. "However, it still takes some effort for an attacker to steal the user's data."

For the device to work, the attacker needs physical access to the machine while a Web browser is running in the background, noted a Symantec researcher in comments provided to TechNewsWorld by spokesperson Jenn Foss.

The risk is lower when a machine has restricted physical access. The risk is higher when a machine is in the public domain, where anyone potentially has access to it -- for example, at a sidewalk cafe.

Open Source Factor

It might be easier to build a solution to the hack, given that Kamkar's attack was conducted over an open source language, suggested the Symantec researcher. "If someone slips a secret backdoor into an open source project, chances are someone will find it quickly. Often open source is quicker to address vulnerabilities as an open source community can be very large."

In addition, if someone creates a tool and the source code is publicly available, anyone can read the code and develop proper protection for the future, the Symantec researcher pointed out.

"It's certainly very creative work, and it shows just how many attack vectors exist that we've yet to really consider," remarked Troy Hunt, Microsoft MVP-Developer Security.

"However, it also requires physical access -- and once you get to that point, there's a lot of avenues available to an attacker," he told TechNewsWorld.

The use of HTTPS could have crippled this particular attack, Hunt noted, and we don't normally think of that as being a defense against an adversary with physical access.