PoisonTap, a tool made by
security researcher Samy Kamkar, is capable of taking down a locked, password-protected computer armed with only an insanely cheap
US$5 Raspberry Pi.
Once again it is proven that with a small investment and some talent it is possible to cause great harm.
The relatively low-tech cookie-siphoning intrusion is one of Kamkar’s simplest hacks ever.
He previously has unlocked car doors, garages, wireless remote cameras and other devices,
with amazing precision.
Kamkar’s latest hack, PoisonTap, uses a Raspberry Pi Zero, a micro SD card,
and a micro USB cable, or another device that emulates USB, including the USB Armory or LAN Turtle.
Windows, OS X and Linux identify PoisonTap as an Ethernet device, load it as a low-priority network device,
and perform a DHCP request across it, even if the computer is locked or password-protected, Kamkar explained.
PoisonTap provides the computer with an IP address. However, the DHCP response tells the machine that the
IPv4 space is part of PoisonTap’s local network, rather than a small subnet, he said.
If a Web browser is running in the background, one of the open pages will perform an HTTP request in the background,
noted Kamkar. PoisonTap responds with a spoof, returning its own address, and the HTTP request hits the PoisonTap Web server.
The attacker is able to hijack all Internet traffic from the machine and siphon and store HTTP cookies
from the Web browser for the top 1,000,000 Alexa websites.
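As an added illustration (not code from the article or from Kamkar’s project), a defender-side check in Python: given the parameters a DHCP server handed out on a newly attached interface, it computes how much of the IPv4 space the lease claims as directly reachable and flags leases of the kind described above. The DhcpLease record, the threshold and the sample leases are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Anything above this share of IPv4 claimed as on-link is treated as suspicious.
# A legitimate /8 lease covers exactly 1/256 of the space; a lease that hands the
# host the whole IPv4 space as its local network covers all of it.
SUSPICIOUS_COVERAGE = 1 / 256


@dataclass
class DhcpLease:
    """Parameters a client received from a DHCP server (hypothetical record)."""
    interface: str
    address: str
    netmask: str                                        # dotted netmask, as in DHCP option 1
    static_routes: list = field(default_factory=list)   # (destination CIDR, gateway) pairs


def on_link_coverage(lease: DhcpLease) -> float:
    """Fraction of the IPv4 address space the lease tells the host is directly reachable."""
    nets = [ipaddress.IPv4Network(f"{lease.address}/{lease.netmask}", strict=False)]
    nets += [ipaddress.IPv4Network(dest) for dest, _gateway in lease.static_routes]
    # Merge overlapping or adjacent prefixes so that, for example,
    # 0.0.0.0/1 plus 128.0.0.0/1 is counted once as 0.0.0.0/0.
    merged = ipaddress.collapse_addresses(nets)
    return sum(net.num_addresses for net in merged) / 2**32


def is_suspicious(lease: DhcpLease) -> bool:
    """True when the lease claims more of IPv4 as on-link than a /8 would."""
    return on_link_coverage(lease) > SUSPICIOUS_COVERAGE


# Constructed sample leases: an ordinary home network, a lease whose netmask
# makes the whole IPv4 space local, and a lease that does the same via two /1 routes.
HOME_LEASE = DhcpLease("eth0", "192.168.1.23", "255.255.255.0")
WHOLE_SPACE_LEASE = DhcpLease("eth1", "1.0.0.2", "0.0.0.0")
SPLIT_ROUTES_LEASE = DhcpLease("eth1", "1.0.0.2", "255.255.255.0",
                               [("0.0.0.0/1", "1.0.0.1"), ("128.0.0.0/1", "1.0.0.1")])

if __name__ == "__main__":
    for lease in (HOME_LEASE, WHOLE_SPACE_LEASE, SPLIT_ROUTES_LEASE):
        print(lease.interface, f"{on_link_coverage(lease):.8f}", is_suspicious(lease))
```

On a real host the lease parameters would come from the DHCP client’s lease file or the routing table after a new interface appears, and a flagged interface is a reason to drop its routes rather than let them override the primary network’s.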
“The PoisonTap project is an extremely clever and creative attack that can have serious consequences,”
said Mark Nunnikhoven, vice president for cloud research at Trend Micro.
The risk is lower when a machine has restricted physical access. The risk is higher when a machine is in the public domain,
where anyone potentially has access to it — for example, at a sidewalk cafe.
Truly an Open Source Factor
It might be easier to build a solution to the hack, given that Kamkar’s attack was conducted over an open source language,
suggested the Symantec researcher. “If someone slips a secret backdoor into an open source project,
chances are someone will find it quickly. Often open source is quicker to address vulnerabilities as
an open source community can be very large.”
In addition, if someone creates a tool and the source code is publicly available, anyone would be able to read the code
and develop proper protection for the future, the Symantec researcher pointed out.
“It’s certainly very creative work, and it shows just how many attack vectors exist that we’ve yet to really consider,”
said Troy Hunt, Microsoft MVP-Developer Security.
“However, it also requires physical access — and once you get to that point, there’s a lot of avenues available to an attacker.”
The use of HTTPS could have crippled this particular attack, Hunt noted, and we don’t normally think of that
as being a defense against an adversary with physical access.