Be careful, next time that you leave your computer unattended at your office!

Some time ago I spoke about a USB dongle that allows access to password-locked computers in a few seconds.

Now the hardware hacker Samy Kamkar has released a similar tool that allows you to install a backdoor on a target system by simply connecting it to the USB port for a few seconds.

The new exploit tool is called PoisonTap, runs with freely available software on a tiny Raspberry Pi Zero microcomputer that once plugged into a Windows or Mac computer via USB port, starts impersonating a new ethernet connection and starts a man-in-the-middle attack.

How it works?

From Samy’s post:

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

  • emulates an Ethernet device over USB (or Thunderbolt)
  • hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
  • siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
  • exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
  • installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
  • allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
  • does not require the machine to be unlocked
  • backdoors and remote access persist even after device is removed and attacker sashays away

Kamkar has also published a video demo of the tool:

[embed]https://www.youtube.com/watch?v=Aatp5gCskvk[/embed]

For all technical explanations, refer to the original post:

[embed]https://samy.pl/poisontap/[/embed]

How i can protect my computer against PoisonTap?

Kamkar’s suggestions are ironic and slightly useless:

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up