PoisonTap Hijacker
If you lock your computer and walk away, it takes only 30 seconds for a hacker armed with a small $5 Raspberry Pi Zero, which is loaded with devious code, to completely pwn your password-protected computer and install remotely accessible backdoors.
PoisonTap, the latest creation of hacker and developer Samy Kamkar, has a long list of wicked slick capabilities, including the fact that after an attacker removes the device from a USB port, a backdoor and remote access will persist on both your computer and your router.
When inserted into a USB port, PoisonTap tricks a computer into believing it was just plugged into a new Ethernet connection that takes over all internet traffic.
Even if you lock your computer, Mac or PC, and leave an HTTP-based site open in a browser window, that site keeps making HTTP requests in the background. PoisonTap intercepts all unencrypted web traffic and sends the data to an attacker-controlled server. By capturing non-encrypted authentication cookies, an attacker could access a user’s personal accounts.
Here’s a review of all of PoisonTap’s capabilities:
- Emulates an Ethernet device over USB
- Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
- Siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
- Exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding
- Installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user’s cookies via cache poisoning
- Allows the attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
- Does not require the machine to be unlocked
- Backdoors and remote access persist even after device is removed and attacker sashays away
Security recommendations, for both server administrators and device owners:
- First and foremost, all websites should run via HTTPS
- HSTS should be used together with HTTPS
- The Secure flag must be used with cookies at all times, so that cookies are never accidentally sent over plain HTTP
- Servers should use Subresource Integrity (SRI) for delivering JavaScript files
- Blocking access to USB and Thunderbolt ports (Kamkar recommends using cement, as a joke)
- Closing browsers when walking away from a PC
- Putting the PC in sleep mode when walking away
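As an added example (not part of the article, and not Kamkar's PoisonTap code), the Python check below audits a captured HTTP response for the three server-side mitigations listed above: HSTS with a non-zero max-age, the Secure flag on every cookie, and SRI integrity attributes on cross-origin scripts. The headers-as-pairs representation and the weak and fixed sample responses are constructed assumptions, not real site data.

```python
import re

def audit_response(headers, html):
    """Report which PoisonTap mitigations a response is missing.
    headers: list of (name, value) pairs, so repeated Set-Cookie lines survive.
    html: the response body. Returns a list of human-readable findings."""
    findings = []
    hdrs = {}
    for name, value in headers:
        hdrs.setdefault(name.lower(), []).append(value)

    # HSTS: without a non-zero max-age the browser will still try plain HTTP later.
    hsts = hdrs.get("strict-transport-security", [])
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None or int(age.group(1)) == 0:
        findings.append("HSTS missing or max-age=0")

    # Secure flag: a cookie without it is sent over HTTP, where PoisonTap reads it.
    for raw in hdrs.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")

    # SRI: a cross-origin script with no integrity hash can be replaced by a
    # poisoned cached copy without the browser noticing the swap.
    for tag in re.findall(r"<script\b[^>]*>", html, flags=re.I):
        src = re.search(r"""src\s*=\s*["']([^"']+)""", tag, flags=re.I)
        if (src and re.match(r"(https?:)?//", src.group(1))
                and not re.search(r"\bintegrity\s*=", tag, flags=re.I)):
            findings.append(f"script {src.group(1)} lacks SRI integrity")
    return findings

# Constructed sample responses (assumed data, not captured from any real site).
WEAK_HEADERS = [("Content-Type", "text/html"),
                ("Set-Cookie", "session=abc123; Path=/")]
WEAK_HTML = '<html><script src="http://cdn.example/app.js"></script></html>'

FIXED_HEADERS = [("Content-Type", "text/html"),
                 ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                 ("Set-Cookie", "session=abc123; Path=/; Secure")]
FIXED_HTML = ('<html><script src="https://cdn.example/app.js" '
              'integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous">'
              '</script></html>')
```

Running `audit_response` on the weak sample reports all three gaps; on the fixed sample it returns an empty list.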
Posted on November 21, 2016, in Computer Advice.