The most expensive security systems running on the most advanced devices can now be circumvented using nothing more than a $5 tool and access to a USB port. Even password-protected machines are at risk, as there’s little their owners can do to prevent the attack besides filling the USB ports with cement.
The attack was developed by hacker and security researcher Samy Kamkar, who built the tool using only some code and a Raspberry Pi Zero. PoisonTap, as he’s dubbed the device, is able to siphon cookies, expose internal routers and install Web backdoors on even locked machines.
Web-Based Backdoor
When plugged into a locked or password-protected PC, PoisonTap is able to momentarily take over all Internet traffic by spoofing the IP addresses of the top 1 million Web sites. It then siphons and stores all the HTTP cookies placed by those Web sites on the target machine.
The tool also exposes the internal network router, making it accessible to the attacker remotely. It then installs a Web-based backdoor in HTTP cache for hundreds of thousands of domains. That backdoor persists even after the device is removed, giving the attacker the ability to hijack the machine remotely at a later time.
PoisonTap works by emulating an Ethernet-over-USB device. The computer then issues a DHCP (Dynamic Host Configuration Protocol) request to the device, which returns an IP address while making it appear as though almost all IP addresses on the Internet are actually part of the LAN (local area network). The response forces the target computer to route its Internet traffic to PoisonTap instead of the actual Internet.
The strategy allows PoisonTap to exploit any browser running on a machine, even one running in the background. Any automatic HTTP request made by an advertisement, AJAX call, or dynamic Web content causes PoisonTap to respond with attack code that the browser then interprets. Once executed, the code launches 1 million hidden iframes to the top Web sites, stealing all the cookies being sent.
Use File System Encryption
There is little device users can currently do to protect their computers against the PoisonTap attack other than enabling file system encryption and putting their machines to sleep whenever other people can gain physical access to them. Only the Web servers can defend against a PoisonTap attack, by setting the Secure flag on cookies and allowing only the HTTPS protocol to be used, never HTTP.
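The two server-side defences named above can be checked from a site's own response headers: a cookie without the Secure attribute is sent on any plain-HTTP request the browser makes, and without a Strict-Transport-Security (HSTS) header the browser will still issue such requests. The following audit script is an added example written for this page, not code from Samy Kamkar or the PoisonTap project; the sample header sets it inspects are constructed.

```python
"""Audit HTTP response headers for the server-side defences that blunt
cookie theft over plain HTTP: the Secure (and HttpOnly) cookie attributes
and an HTTPS-only policy via Strict-Transport-Security.

Added example for illustration; the header lists below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31_536_000  # commonly recommended minimum HSTS max-age, in seconds


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header_value: str) -> CookieFinding:
    """Parse one Set-Cookie header value into its security-relevant attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = val.strip() or None
    return CookieFinding(name, secure, httponly, samesite)


def parse_hsts_max_age(header_value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent."""
    for directive in header_value.split(";"):
        key, _, val = directive.partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip())
            except ValueError:
                return None
    return None


def audit_headers(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Inspect (name, value) header pairs and list defensive gaps found."""
    issues: List[str] = []
    cookies: List[CookieFinding] = []
    hsts: Optional[str] = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie = parse_set_cookie(value)
            cookies.append(cookie)
            if not cookie.secure:
                issues.append(f"cookie {cookie.name!r} lacks Secure: sent on plain-HTTP requests")
            if not cookie.httponly:
                issues.append(f"cookie {cookie.name!r} lacks HttpOnly: readable by injected script")
        elif lname == "strict-transport-security":
            hsts = value
    if hsts is None:
        issues.append("no Strict-Transport-Security header: browser will still make plain-HTTP requests")
    else:
        max_age = parse_hsts_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR:
            issues.append(f"HSTS max-age {max_age!r} is missing or shorter than one year")
    return {"cookies": cookies, "hsts": hsts, "issues": issues}


# Constructed sample: a weak response and its hardened counterpart.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "prefs=dark; Path=/; HttpOnly"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        report = audit_headers(hdrs)
        print(f"{label}: {len(report['issues'])} issue(s)")
        for issue in report["issues"]:
            print("  -", issue)
```

Run against live responses by feeding the list of `(name, value)` pairs from any HTTP client's response object; the weak sample above yields four findings (two cookies without Secure, one without HttpOnly, no HSTS), the hardened sample none.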
The device also poisons the cache of each domain, force-caching indefinitely a Web-based backdoor that opens a WebSocket to a command and control server run by the attacker. Whenever the socket is open, the attacker can remotely send commands to the target machine and force its browser to execute JavaScript code.
The attacker can also make requests from Web sites as the victim, with the user’s cookies, and view the responses from the site without the victim being aware of the penetration.