PoisonTap Hijacker

If you lock your computer and walk away, it takes only 30 seconds for a hacker armed with a small $5 Raspberry Pi Zero, which is loaded with devious code, to completely pwn your password-protected computer and install remotely accessible backdoors.

PoisonTap, the latest creation of hacker and developer Samy Kamkar, has a long list of wicked slick capabilities, including the fact that after an attacker removes the device from a USB port, a backdoor and remote access will persist on both your computer and your router.

When inserted into a USB port, PoisonTap tricks a computer into believing it was just plugged into a new Ethernet connection that takes over all internet traffic.

Even if you locked your computer, be that a Mac or PC, but leave an HTTP-based site open in a browser window, then the site continues to run HTTP requests in the background. PoisonTap intercepts all unencrypted web traffic and sends the data to an attacker-controlled server. By capturing non-encrypted authentication cookies, an attacker could access a user’s personal accounts.

Here’s a review of all of PoisonTap’s capabilities:

• Emulates an Ethernet device over USB
• Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
• Siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
• Exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding
• Installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
• Allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
• Does not require the machine to be unlocked
• Backdoors and remote access persist even after device is removed and attacker sashays away

Security recommendations, for both server administrators and device owners.

• First and foremost, all websites should run via HTTPS
• HSTS should be used together with HTTPS
• Secure flag must be used with cookies at all time, to prevent websites from sending cookies accidentally via HTTP
• Servers should use Subresource Integrity (SRI) for delivering JavaScript files
• Blocking access to USB and Thunderbolt ports (Kamkar recommends using cement, as a joke)
• Closing browsers when walking away from a PC
• Putting the PC in sleep mode when walking away

FOR MORE INFORMATION CALL ABM COMPUTERS 510.522.4921