Pierluigi Paganini
November 16, 2016
PoisonTap is a new hacking tool that could be used by attackers to easily access to a password-protected computer, hijack all its Internet traffic, and also install backdoors.
Try to imagine who is the hacker behind this new tool?
Samy Kamkar, of course.
I’ve released PoisonTap; attacks *locked* machines, siphons cookies, exposes router & backdoors browser w/RasPi&Node https://t.co/mbTAti33wy
— Samy Kamkar (@samykamkar) 16 novembre 2016
Samy Kamkar (@SamyKamkar) is one of the most prolific experts that periodically presents to the security community his astonishing creations, such as MagSpoof, the Combo Breaker, OpenSesame and KeySweeper
PoisonTap is a $5 Raspberry Pi Zero runs some Node.js code that the expert has publicly released. Once the attacker connects the hacking tool to a Windows or Mac computer via USB, it starts loading the exploits needed to hack the machine.
Samy Kamkar explained that the device is able to compromise machines, even if they are locked.
“[PoisonTap] produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors,” explained Kamkar.
Once the hacking tool is recognized by the host machine (Windows and OS X) it is loaded as a low-priority network device that emulates an Ethernet device over USB.
The machine sends a DHCP request to the tool that in response tells it that the entire IPv4 address space is part of PoisonTap’s local network. In this way, the entire traffic it routed through the PoisonTap device before reaching the legitimate gateway to the Internet. With this trick, the hacking tool is able to steal HTTP cookies and sessions for the Alexa top 1 million websites from the victim’s browser.
Once the attacker has collected the cookies he is able to take over the victim’s online accounts, also bypassing two-factor authentication (2FA).
“As long as a browser is running on the machine and an HTTP request is made automatically – such as through an ad, AJAX request, or other dynamic web content, which happens on most sites, even when the browser is entirely in the background, PoisonTap intercepts the request and responds with attack code that’s interpreted by the browser,” Kamkar explains in the video.
The attacker could also use the device to install web-based backdoors for hundreds of thousands of domains, and establish a remote access channel to the victim’s router.
Since PoisonTap is able to bypass HTTPS protection if the “secure” cookie flag and HSTS are not enabled.
The device is powerful, Kamkar explained that it can also bypass many other security mechanisms, including same-origin policy (SOP), HttpOnly cookies, X-Frame-Options HTTP response headers, DNS pinning and cross-origin resource sharing (CORS).
Once the machine is compromised and the backdoor is established, the attacker is able to control the target even after the hacking tool is unplugged.
“Whenever the websocket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” added Kamkar.
Below the video PoS published by Kamkar.
In order to mitigate such kind of attacks on a server side operators can properly implement HTTPS and use HSTS to prevent downgrade attacks.
Below the measures suggested by Samy for Server-Side Security:
[adrotate banner=”9″]
(Security Affairs – PoisonTap, Hacking)
