[Samy Kamkar], leet haxor extraordinaire, has taken a treasure trove of exploits and backdoors and turned it into a simple hardware device that hijacks all network traffic, enables remote access, and does it all while a machine is locked. It’s PoisonTap, and it’s based on the Raspberry Pi Zero for all that awesome tech blog cred we crave so much.
PoisonTap takes a Raspberry Pi Zero and configures it as a USB Gadget, emulating a network device. When this Pi-come-USB-to-Ethernet adapter is plugged into a computer (even a locked one), the computer sends out a DHCP request, and PoisonTap responds by telling the machine the entire IPv4 space is part of the Pi’s local network. All Internet traffic on the locked computer is then sent over PoisonTap, and if a browser is running on the locked computer, all requests are sent to this tiny exploit device.
With all network access going through PoisonTap, cookies are siphoned off, and the browser cache is poisoned with an exploit providing a WebSocket to the outside world. Even after PoisonTap is unplugged, an attacker can remotely send commands to the target computer and force the browser to execute JavaScript. From there, it’s all pretty much over.
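As an added example (not from the article or from PoisonTap's own code), here is a small Python check a defender might run over captured DHCP OFFER/ACK packets: it parses the options field and flags a lease whose subnet mask or classless static routes (option 121, RFC 3442) put most of IPv4 on-link, which is the trick described above. The sample packets, the 1/256 threshold and the use of option 121 are assumptions for illustration; the article does not say which DHCP option PoisonTap uses.

```python
import ipaddress
import struct
MAGIC = b"\x63\x82\x53\x63"  # DHCP options magic cookie (RFC 2132)

def parse_options(payload: bytes) -> dict:
    """Map option code -> raw value, starting after the 236-byte fixed DHCP header."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = END option
        if payload[i] == 0:                          # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def classless_routes(raw: bytes) -> list:
    """Decode RFC 3442 option 121 into (prefix_len, destination, router) tuples."""
    routes, i = [], 0
    while i < len(raw):
        plen = raw[i]
        n = (plen + 7) // 8                          # only the significant destination octets are sent
        dest = raw[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = raw[i + 1 + n:i + 5 + n]
        routes.append((plen, str(ipaddress.IPv4Address(dest)), str(ipaddress.IPv4Address(router))))
        i += 5 + n
    return routes

def onlink_fraction(opts: dict) -> float:
    """Fraction of IPv4 the lease declares directly reachable, via the mask (option 1) or option 121."""
    mask_bits = bin(struct.unpack("!I", opts[1])[0]).count("1") if 1 in opts else 32
    via_routes = sum(2.0 ** -plen for plen, _, _ in classless_routes(opts.get(121, b"")))
    return max(2.0 ** -mask_bits, via_routes)

def suspicious_lease(payload: bytes, threshold: float = 1 / 256) -> bool:
    """Flag a lease that puts more than a /8 worth of addresses on-link (assumed heuristic threshold)."""
    return onlink_fraction(parse_options(payload)) > threshold

def build(options: bytes) -> bytes:
    """Constructed sample packet: zeroed fixed header, magic cookie, options, END."""
    return b"\x00" * 236 + MAGIC + options + b"\xff"

# Constructed samples: a normal /24 lease, and one claiming 0.0.0.0/1 and 128.0.0.0/1 are local.
NORMAL_ACK = build(b"\x35\x01\x05" + b"\x01\x04\xff\xff\xff\x00" + b"\x03\x04\xc0\xa8\x01\x01")
POISON_ACK = build(b"\x35\x01\x05" + b"\x01\x04\x80\x00\x00\x00"
                   + b"\x79\x0c" + b"\x01\x00\xc0\xa8\x01\x01" + b"\x01\x80\xc0\xa8\x01\x01")
```

A host-side agent could apply `suspicious_lease` to leases received on newly appeared USB network interfaces and refuse to install the routes, or simply log the event.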
Of course, any device designed to plug into a USB port and run a few exploits has a few limitations. PoisonTap only works if a browser is running. PoisonTap does not work on HTTPS cookies with the Secure cookie flag set. PoisonTap does not work if you have filled your USB ports with epoxy. There are a thousand limitations to PoisonTap, all of which probably don’t apply if you take PoisonTap into any office, plug it into a computer, and walk away. That is, after all, the point of this exploit.
As with all ub3r-1337 pen testing tools, we expect to see a version of PoisonTap for sale next August in the vendor area of DEF CON. Don’t buy it. A Raspberry Pi Zero costs $5, a USB OTG cable less than that, and all the code is available on GitHub. If you buy a device like PoisonTap, you are too technically illiterate to use it.
[Samy] has a demonstration of PoisonTap in the video below.
Which just serves to reiterate the fact “physical access = owned”.
(BTW – Typo in article title)
That was me, sorry. Fixed!
Might be worse than that if USB over ethernet protocols are in use, though you’d then need care in configuration not to cut yourself off.
Does this work on Linux? I suppose you need to provide root access to install new hardware, but who knows.
I believe it might get some of the way on some with PnP enabled for USB devices, depending on distro, also how plug-and-play the networking is, and whether JavaScript is on.
My Linux machines (Ubuntu, Raspbian) all happily auto-configure USB WiFi devices, so I don’t see why not. Whether they’re tricked by the same address range I’m not sure, but I would be willing to bet that they are.
Networking over USB is pretty much plug-and-play on Linux. But if you care about security, you have a manually-configured firewall that blocks traffic from/to unknown interfaces, and the attack won’t work. Unless maybe poisontap is smart enough to spoof the MAC address of an existing interface.
I almost immunized my Win10 _by accident_ thanks to paranoia about blocking W10 spying.
>netsh advfirewall firewall show rule name=all
…
Rule Name: Core Networking – Dynamic Host Configuration Protocol (DHCP-In)
———————————————————————-
Enabled: Yes
Direction: In
Profiles: Domain,Private,Public
Grouping: Core Networking
LocalIP: Any
RemoteIP: LocalSubnet
Protocol: UDP
LocalPort: 68
RemotePort: 67
Edge traversal: No
Action: Allow
Rule Name: Core Networking – Dynamic Host Configuration Protocol (DHCP-Out)
———————————————————————-
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Grouping: Core Networking
LocalIP: Any
RemoteIP: LocalSubnet
Protocol: UDP
LocalPort: 68
RemotePort: 67
Edge traversal: No
Action: Allow
Basically I only allow DHCP from LocalSubnet. Of course according to Microsoft LocalSubnet :
“The keyword localsubnet, which includes all addresses that are on the local computer’s current subnet.”
but how the hell does your computer know “local computer’s current subnet” BEFORE it receives its IP from DHCP server???
Hmm, I think I’ll just hardcode this to the private subnet (192.168.0.0/16).
“If you buy a device like PoisonTap, you are too technically illiterate to use it.”
or you’re so 1337 that “ain’t nobody got time for that” cause you’re busy actually breaking things?
It’s not a lot of time to buy a Raspberry Pi and compile some code on it.
No compiling necessary. Looks like js/html and one bash file that sets up the hardware. It does need nodejs and dnsspoof installed though.
Pi Zeros are often hard to find.
Like how you can find them on Amazon all day long?
Yeah for at least $20. You can buy ANYTHING for the right price, doesn’t mean it makes any sense to try and do it.
They’re about $20 with shipping through typical channels as well. With RPI nothing is just $5, in general.
Easier to get your hands on than the bit of kit this thing is based on. A certain spy catalogue, full of fun things.
Good thing I always fill my USB ports and headers with epoxy.
*nervously checks to see if an unfamiliar cable and bare circuit board with flashing LEDs is attached to side of my laptop less than three inches left of the screen I’m looking directly at all the time*
More seriously though, this is exactly the exploit you get with USB-C and the requirement to have a data connection into your computer if you want to charge it.
How long before such exploits are blocked in Chrome, Firefox and Edge? Will MS bother to put out a security update for later versions of Internet Explorer?
“PoisonTap does not work on HTTPS cookies with the Secure cookie flag set.”
One day browsers will refuse to send any data over HTTP. Every site will use HSTS.
Looks like he built hak5’s usb turtle (https://lanturtle.com/). Nice to see the code. Pity the only Pi zero I can find in this country costs $65
What is “this country”?
That’s more expensive than a normal RaspPi. I am sure this would work too. :-)
Nope, this requires a USB Gadget interface, which only the Zero offers.
Probably would work in a small company or one that would fail a security audit. Most companies with a professional security department would have by now set up company-wide policies that disable the USB (beyond a keyboard or mouse) and CD-ROM. Mine has; the USB is only good for charging things and the CD is useless. A half dozen years ago that was not the case.
Most companies, even those with a “professional security department”, will fail a security audit.
Especially a surprise one, no chance to pull all the postit notes off things LOL…
but that actually does REALLY happen still, humans be humans.
The postIt Notes are in fact enforced by the IT security department :-) Because they mandate regular password changes. If they even enforce very different passwords every time, then there is nearly no other possibility.
P@ssword1 (upper and lower case with a number and special character)
P@ssword12 – after 1 month password policy change
P@ssword123 – repeat to fade
After six months the first password expires and can be reused.
IT corporate security FTW.
Even better than Dave’s is P@sswordMMYY (MMYY being the current month/year.) Change every 30 days and you’ll have unique passwords for the next 1200 changes (one database at my job won’t let me repeat any of the last 32 passwords and it has to be changed every 60 days.)
It is not hard to configure your systems to DROP all HTTP traffic and ACCEPT only HTTPS.
Especially if you want to block yourself from here :-D
https://www.youtube.com/watch?v=Qw9oX-kZ_9k
Did you even try?
Yes – and it seems to work with https.
Does anyone know how to run custom scripts when the PC is locked?
One could defeat this by using a firewall rule to block the plug and play service on 127.0.0.1 when the PC was locked.
I wonder would this work if 802.1X was in effect?
It should. 1x is designed to prevent unauthorized devices from connecting to the LAN. Your computer doesn’t care whether your ports have a certificate as long as it can connect.
I plug unknown devices only into a “sacrificial” computer from scrap parts and use a Hiren’s boot stick – Parted Magic / XP loaded in RAM to see inside.
If you can set up the computer to only connect to a known MAC address for network, the gadget would have to spoof the MAC – not perfect security but not bad. I do this on the router end; never tried it on the laptop/desktop. Can you do this?
I also wonder how hard it would be to modify PoisonTap to use WiFi instead of Ethernet? You could use that to pwn devices that automatically connect to open WiFi. If you know the SSID that a computer automatically connects to, you could probably get it to connect at a different location; accept any password and you pwn the “secure” login. What would keep this from working?
This exists, and is called Mana. And the network doesn’t even have to be open (with some caveats)
$5 Pi? Everywhere I go to buy one in AUD it’s $35; the RPI 3 from E14 is $35 as well. Kind of pointless.
@Dave the RPI 3 IS NOT the Zero that the article is about!
I believe Dave is pointing out that the Pi Zero costs the same as the Pi 3: $35 Aus.
That’s quite a markup.
Life can be a bit crap like that. Too many people with hands in your wallet mate. One solution, move… ;)
Why complain of the prices when you haven’t even checked the right site … It’s in stock at many of the vendors listed at RaspberryPi.org !
I got 7, all in use. All cost less than £5 as I bought them when buying other stuff and got free shipping. All I can say, don’t buy other priced ones. They are good but not that good.
Combine this http://hackaday.com/2016/10/24/raspberry-pi-zero-as-a-usb-stick/ with PoisonTap.
Yup, it’s all in the nice case.
Am I missing something?
I don’t see how you can route your network traffic through PoisonTap. It would have to send the traffic back to the computer and have it route it to the real network, since it has no other network connection. But a typical desktop doesn’t do IP routing/forwarding, and even if it did, since local networks are preferred over the gateway and the device impersonates the whole Internet, no traffic will be sent to the gateway. You’d notice that pretty fast I think…
It doesn’t route through; it pretends to be all of the Internet and hopes one of the websites opened in the background requests something over HTTP.
Here’s a simple solution I’m running on LinuxMint which ensures networking is disabled when the screen is locked:
https://www.organicdesign.co.nz/PoisonTap_solution
Is there a charitable soul around willing to spend a little time to help me solve an issue concerning PoisonTap? Thanks anyway.
I want to buy PoisonTap + device .. Where can I find it?