PoisonTap: This $5 Device Hacks A Locked Computer In Seconds
Short Bytes: What can you do with your $5 bill? You can get a trickster Raspberry Pi Zero which can fool a locked and password protected computer. It can hijack cookies, create backdoors, compromise the internal router, and above all, make the computer believe it’s connected to the internet.
Pi boards are often a part of various DIY hacks. For instance, using it as a device for Wardriving around your city. We have seen many instances of people taking advantage of the USB to gain access to a device. A Raspberry Pi board can be a good companion while doing such activities.
Usually, these USB hacking activities take advantage of one or more vulnerabilities in the operating system. But, what about a $5 Raspberry Pi Zero that’s an imposter.
PoisonTap, a trickster Pi Zero board, has been created by Samy Karkar. When connected to an exposed USB or Thunderbolt port, the device says to a computer that it’s an ethernet (via USB) device, not a regular USB device, and it’s a door to the entire internet.
Your innocent machine quickly believes what is said by the PoisonTap, completely unknown of its real intentions. The worst part, PoisonTap can gain access to a machine even if it’s locked – and password protected – by taking advantage of the trust factor a computer has on the ethernet devices.
Upon detecting an ethernet interface, your data hungry machine will make a switch from the regular battery-consuming WiFi to the wired internet. PoisonTap is equipped with the capabilities to assign an IP address to the fooled computer as a normal DHCP server would do. It will also tell the machine that it contains the whole IPv4 address space which is literally the entire internet if the newer IPv6 addresses are not included.
An active web browser on your computer can make efforts to connect to the false internet – powered by PoisonTap’s web server based on Node.js – to receive new data for the advertisement, analytics, and services. The USB hacking device is an unknown network interface to the machine with low priority, yet, it can hijack all the internet traffic.
PoisonTap can tunnel and store the HTTP cookies and session data of the web browser. It can also create web-based backdoors for an uncountable number of domains. These backdoors are stored in the HTTP cache. The device does it by making the browser load lots of iframes containing HTML and Javascript.
PoisonTap takes about a minute to all this stuff after it is connected to a computer.
The attacker also has the privilege to exploit these backdoors remotely because they continue to exist even if the device is removed and the attacker walks away. He can also use DNS rebinding and an outbound WebSocket interface to access the internal router of the computer already exposed by the hacking device.
For servers, the protection is easy by enabling Secure flag for cookies and implementing HSTS policy.
The most useful solution suggested by Karkar is cementing the open USB and Thunderbolt ports. And he literally put a link to a cement product. Some less practical, but effective to an extent, options would be closing the web browser every time you abandon your computer. Disabling the ports would remove slightest chance of your machine being hoodwinked. An effective way is to use encrypted deep sleep mode which will disable the web browser to make any requests when PoisonTap is connected.
You can read more about PoisonTap here. The source code is available on GitHub.
If you have something to add, tell us in the comments below.
Also Read: Chinese Secret Backdoor Is Sucking Data From 700 Million Android Smartphones Without Permission