Prolific and dramatic security researcher Samy Kamkar (previously) has unveiled a terrifying device that reveals the devastating vulnerabilities of computers, even when in sleep mode.
The new device, Poisontap, is a $5 Raspberry Pi controller with a USB plug that impersonates an Ethernet connection when it is inserted into a computer. During the network setup process, Poisontap tricks the computer into preferring it for internet connections, then it waits for one of the open tabs in the user's browser to make a web connection (something that many websites do routinely -- to fetch updated content, to get new ads, or for other purposes).
Poisontap contains fake versions of the one million highest-ranked websites on Alexa. If the target's computer requests data from any of these sites, Poisontap serves back the fake, capturing the target's cookies (and login credentials) in the process. Because he controls the target's network interface, Kamkar is able to bypass the normal security measures that sites take to prevent this, such as using X-Frame-Options to prevent iframes from being embedded in sensitive sites. Capturing the cookies also lets Kamkar bypass any two-factor authentication. He can also bypass some HTTPS-based protections and bypass DNS pinning (by exhausting the the DNS pinning table).
There's more -- to be honest, the number of ways in which Poisontap can attack your computer and your sensitive internal networks is limited only by your imagination (Kamkar has a fiendishly good imagination).
There are two main lines of defense against these attacks: first, serve all sites, including internal ones, over HTTPS. Second, configure your computer so that it doesn't automatically recognize new Ethernet interfaces (this is how recent versions of Ubuntu work -- when I tether to my phone as an Ethernet interface, I have to manually select the phone before it starts working, every time).
PoisonTap’s cached browser backdoors can allow a hacker to pull off either of two attacks, Kamkar says: He or she can connect via the browser to the victim’s router, cycling through IP addresses to find the device, and then either break in with one of the common exploits affecting routers that are frequently unpatched and out-of-date, or try the default username and password that many still use. That can allow the hacker to eavesdrop on virtually all unencrypted traffic that passes over the victim’s network.
Or if the hacker knows the address of a company’s corporate intranet website—and the site doesn’t use HTTPS, as is often the case for sites restricted to local access—PoisonTap can give the hacker an invisible foothold on the local network to connect to the intranet site and siphon data to a remote server. “If I tell the browser to look up some customer’s data, I can have it sent back to me,” Kamkar says. “That might not have been accessible remotely, but I have a local backdoor.”
Poisontap [Samy Kamkar]
Wickedly Clever USB Stick Installs a Backdoor on Locked PCs [Andy Greenberg/Wired]