
PoisonTap, a $5 tool that invades password-protected computers - emilong
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/
======
Analemma_
Am I correct in understanding that the device works by presenting itself as an
Ethernet adapter and then poisoning the browser cache? Would the solution be
as simple as an OS update that didn't use unknown network interfaces until the
computer was unlocked?

~~~
SCHiM
I agree, it does appear that way. Do not trust _any_ USB ethernet devices when
the device is locked, (security) problem solved.

~~~
paulryanrogers
If there is only one desktop user and their only session is locked, then yes.
On a multi user workstation the current behavior--initiating new adapter--may
be preferred.

~~~
lgas
Why?

~~~
DINKDINK
Because one user on a multi-user workstation could prevent all of the other
users from adding an interface, I believe.

------
ohstopitu
Since no one seems to be talking about how to secure devices, I guess I'll get
started...

USB devices should not accept any incoming connection when the computer is
locked. The only use of USB ports when a computer is locked should be for
charging devices (current out, no data in). We also need to ensure that
devices that were connected before the computer was locked continue to
function.

Now obviously, the issue with this would be about external devices that are
connected after the device has been locked (drives, keyboards etc. - say for
example, keyboard stopped working so you switched it out) but in my opinion,
that's an edge case and should not cause too much inconvenience.

~~~
theandrewbailey
> The only use of USB ports when a computer is locked should be for charging
> devices (current out, no data in). We also need to ensure that devices that
> were connected before the computer was locked continue to function.

Good idea, but...

(hypothetical helpdesk ticket) Oh crap! I knocked my coffee on my keyboard and
ruined it as I was sitting down at my locked computer. I connected another
keyboard, but the lock screen is not accepting my password!

Allow HID class devices to be connected when locked, and that should be OK.

~~~
ohstopitu
While I can't seem to think of a solution off the top of my head....

Samy had an older video [0] which showed a device that was not a keyboard
acting like a keyboard & mouse. While that required an unlocked computer to
function, I feel like adding exceptions to a rule would just make it worse.

Another solution would be to sign USB devices (for example, Apple keyboards
etc.) and only those signed devices would work when the computer was locked.

[0]
[https://www.youtube.com/watch?v=aSLEq7-hlmo](https://www.youtube.com/watch?v=aSLEq7-hlmo)

~~~
madamelic
>Another solution would be to sign USB devices (for example, Apple keyboards
etc.) and only those signed devices would work when the computer was locked.

Are you proposing DRM for input devices? How would this fix the problem of
"Oops, messed up my keyboard, now I have to plug in a new, 'unknown' device"

~~~
paulmd
It would have to have its drivers signed by a known CA before it was capable
of operating while the device was locked - that's all.

------
throwaway2016a
Is there somewhere I can get the source code for this to install on my own Pi
0? I tried a bunch of the links but couldn't find it.

I really dislike this trend of making the link text have little to nothing to
do with where the link goes.

Edit: for research, I don't plan on using this against someone.

~~~
smarx007
[https://github.com/samyk/poisontap](https://github.com/samyk/poisontap)

[https://samy.pl/poisontap/](https://samy.pl/poisontap/)

But he has a history of intentionally withholding instructions on how to run
it, to keep script kiddies from using it for anything other than research.

~~~
throwaway2016a
> But he has a history of intentionally withholding instructions on how to run
> it, to keep script kiddies from using it for anything other than research.

Interesting approach. Although looking at the Github it seems pretty straight
forward (not being a script kiddie I can't speak for if it would be straight
forward to them).

~~~
s_q_b
It's a vintage approach. I don't see much of this anymore, but before
responsible disclosure was widely used, many exploit authors would
intentionally insert small bugs (usually in the assembly payloads such as an
interruption in the NOP slide) to prevent neophytes from abusing them.

~~~
FilterSweep
Another vintage approach I see right off the bat is a few references in his
code that point toward Samy's own servers.... interesting he didn't
obfuscate it or use a MITM server.

At a minimum, the host (victim) is establishing a websocket with Samy, so his
server is aware of who is being compromised or researched on.

------
FilterSweep
I didn't realize PoisonTap's creator, Samy, is also the creator of the
Evercookie[0], a persistent identifying cookie that remains sharded(then
recombines) in your system even after clearing your cookies. While a very cool
project, it has some scary implications on users not trained in their removal.

[0] [https://github.com/samyk/evercookie](https://github.com/samyk/evercookie)

~~~
devy
He's a prolific security researcher. Evercookie got him the fame and since
then he's been researching all sorts of security vulnerabilities even on
things like combination locks [1], I enjoy his video tutorials a lot.

[1] [http://samy.pl/combobreaker/](http://samy.pl/combobreaker/)

~~~
rudolf0
I'd argue the Myspace worm [1] was what really got him the fame.

[1]
[https://en.wikipedia.org/wiki/Samy_(computer_worm)](https://en.wikipedia.org/wiki/Samy_\(computer_worm\))

~~~
FilterSweep
Thanks, I had no idea he was also behind that one!

That's quite a severe sentencing for a "Guestbook Signing" XSS exploit. I
wonder if the sentence was reduced.

~~~
rudolf0
Yeah, not sure why he was punished so harshly for something that probably
didn't inconvenience users too much and was clearly intended as a prank. I do
see that Myspace might've spent $20,000 or more to remediate the situation but
it seems harsh to make him pay all that.

------
oandrei
It seems that such an exploit would require some kind of `network-manager`
running. But if `network-manager` is disabled, and all interfaces are
configured in `/etc/network/interfaces`, then the new malicious interface will
just be ignored. It will not come up.

------
EwanG
Presuming you are given free access to a USB port on the computer - and as we
all know once you have physical control security is somewhat out the window
anyway.

~~~
mpeg
As a user, it'd be nice to assume that if I'm not logged in new USB devices
won't be installed though.

~~~
mnw21cam
What about a keyboard? How are you going to log in if your computer won't
accept the keyboard that you are trying to plug in?

~~~
throwaway2016a
To expand on that, you could just allow keyboards and not enable other devices
but then how do you log in if your login is a network based... now you have to
allow network cards. And now this hack is just as effective.

~~~
SparkyMcUnicorn
Beyond that, you could disguise non-keyboard hardware as a keyboard.

~~~
pavel_lishin
But then it doesn't get registered as an ethernet device, bypassing this
particular problem.

~~~
jrkatz
It does if you make a keyboard that registers as a hub with both a keyboard
and network adapter installed.
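The subthread above argues about whether a lock screen can admit keyboards without also admitting a "keyboard" that is secretly a hub with a network adapter behind it. The usual answer is to decide per USB interface (by class code) rather than per device, which is also what tools like usbguard do with their `with-interface` rules. The block below is an added example written for this thread, not code from PoisonTap or from any OS; the class/subclass/protocol numbers are the USB-IF defined class codes, while the device descriptors, the interface names and the policy function are constructed here to illustrate the point.

```python
"""Lock-screen USB admission policy, evaluated per interface, not per device.

Added example for the discussion above; not part of PoisonTap or any OS.
Class codes follow the USB-IF "Defined Class Codes" list; the policy
(HID and hubs only while the session is locked) is the one proposed in the
thread, and the sample devices below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# USB base class codes (USB-IF "Defined Class Codes").
CLASS_CDC_CONTROL = 0x02  # Communications: ECM/NCM/EEM ethernet control interface
CLASS_HID         = 0x03  # keyboards, mice
CLASS_MASS        = 0x08  # storage
CLASS_HUB         = 0x09
CLASS_CDC_DATA    = 0x0A  # data half of a CDC ethernet function
CLASS_WIRELESS    = 0xE0  # RNDIS is commonly advertised as 0xE0 / 0x01 / 0x03


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int = 0
    protocol: int = 0


@dataclass
class Device:
    name: str                    # constructed label, only for readability
    interfaces: List[Interface]


def is_network_function(i: Interface) -> bool:
    """True for the interface shapes a USB ethernet gadget presents."""
    cdc_ethernet = i.cls == CLASS_CDC_CONTROL and i.subclass in (0x06, 0x0C, 0x0D)  # ECM, EEM, NCM
    rndis = i.cls == CLASS_WIRELESS and i.subclass == 0x01 and i.protocol == 0x03
    return cdc_ethernet or rndis or i.cls == CLASS_CDC_DATA


def admit(device: Device, locked: bool) -> Dict[str, List[int]]:
    """Per-interface verdict. Unlocked: bind everything. Locked: HID and hubs
    only, so a 'keyboard' that is really hub + keyboard + NIC gets only its
    HID interface bound and its network interfaces stay unconfigured."""
    allow: List[int] = []
    deny: List[int] = []
    for i in device.interfaces:
        ok = (not locked) or i.cls in (CLASS_HID, CLASS_HUB)
        (allow if ok else deny).append(i.number)
    return {"allow": allow, "deny": deny}


def exposes_network_while_locked(device: Device) -> bool:
    """The property the lock screen actually cares about: does any interface
    that would be bound while locked look like a network function?"""
    allowed = set(admit(device, locked=True)["allow"])
    return any(is_network_function(i) for i in device.interfaces if i.number in allowed)


# Constructed descriptors for the three cases argued in the thread.
KEYBOARD = Device("plain keyboard", [Interface(0, CLASS_HID, 0x01, 0x01)])
USB_NIC = Device("cdc-ecm adapter", [Interface(0, CLASS_CDC_CONTROL, 0x06, 0x00),
                                     Interface(1, CLASS_CDC_DATA)])
COMBO = Device("keyboard that is also a NIC",
               [Interface(0, CLASS_HID, 0x01, 0x01),
                Interface(1, CLASS_CDC_CONTROL, 0x06, 0x00),
                Interface(2, CLASS_CDC_DATA)])

if __name__ == "__main__":
    for dev in (KEYBOARD, USB_NIC, COMBO):
        print(dev.name, admit(dev, locked=True),
              "network reachable while locked:", exposes_network_while_locked(dev))
```

Two caveats a practitioner should keep in mind: this policy addresses the PoisonTap-style network adapter, but deliberately still trusts HID, so keystroke-injection devices that present only a keyboard interface are unaffected by it; and a policy like this is only as good as its enforcement point (on Linux, the per-device and per-interface `authorized` sysfs attributes, or usbguard, are the places it would be applied).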

------
6stringmerc
As a writer who just included a plot device of providing a loaded USB flash
drive as temptation for a target to pick up and plug into their computer and
deliver a payload, I'm exceptionally pleased this device reaffirms the risk of
malware being deployed by way of USB ports. From time to time it's hard as a
writer to try and pick tech and things that hopefully won't sound dated, or if
they eventually do, will at least fit within a specific story's time-place-
world-setting.

~~~
JoeAltmaier
Isn't that how certain uranium refinement centrifuges were compromised? USB
drives entering a building contrary to security rules.

~~~
6stringmerc
I think I recall seeing that one of the pathways of Stuxnet was thought to
have been a found USB stick, so yes I think your hypothesis aligns with my
studies as well. Humans are so much weaker protocol-wise, kind of sad and
funny at the same time.

------
OJFord
> The primary motivation is to demonstrate that even on a
> password-protected computer running off of a WPA2 Wi-Fi,
> your system and network can still be attacked quickly
> and easily.

Oh no!

> [... with physical access.]

Oh. Has this ever been disputed?

~~~
freehunter
Generally, once an attacker has physical access to your machine, you're
already owned.

However, something like this would make insider threats a bit more dangerous.
Leaving your laptop at your desk when you go to a meeting or to the bathroom
is perfectly normal, and if a coworker can sneak in and break into your
machine while you're not looking, that's a game changer.

------
lolc
I don't see how this device is in a more privileged position than the router
your system is connected to. The way I see it, any vulnerabilities used in
this attack are MITM-vulnerabilities plain and simple and need to be fixed
regardless of this specific attack. Am I missing something?

~~~
Tepix
If the router you are connected to is a WiFi router, then this device is
indeed in a more privileged position because as a LAN connection it will have
precedence over WiFi.

~~~
lolc
Well yes, but that's not the kind of privilege I had in mind. The router could
have used the very same attacks with lower risk of detection. So unless you
can trust the network you're connected to (which is rare) this attack is not
any more dangerous than any other MITM-attack.

I like the attack for how it combines different methods. I just had a hard
time understanding the risk from that article.

------
snake_plissken
There is a lot of cool hackery going on here but the most beautiful part is
how it tricks the target computer into thinking that the entire internet is
directly connected to the computer via the USB ethernet interface (I think, I
thought the 128.0.0.0 subnet would mean half the addressable space? I've never
gotten to 100% understanding of subnets). Although the deception relies on the
priority in routing (LAN over outside), it's still a real beaut.

~~~
aftbit
OpenVPN uses the same trick to establish a higher-priority default gateway:

> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1
> and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding
> but not wiping out the original default gateway.

This works because routing tables prioritize "tighter" routes. I do think that
128.0.0.0/1 would only map to 1/2 of the address space. I cannot find the
isc-dhcp server config files in the source code to verify. :disappointed:
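The two posts above describe the routing trick (two /1 routes beating a /0 default route by longest-prefix match) and ask whether 128.0.0.0/1 alone covers only half the space. The block below is an added example, not code from PoisonTap or OpenVPN: it models a host's routing table and the kernel's longest-prefix lookup in Python and shows what happens once a rogue adapter's DHCP lease installs the same pair of /1 routes the def1 text describes. The interface names `wlan0`/`usb0`, the gateway `1.0.0.1` and the routes themselves are constructed; PoisonTap's actual dhcpd configuration is not reproduced here.

```python
"""Longest-prefix match: why 0.0.0.0/1 + 128.0.0.0/1 beat a 0.0.0.0/0 default.

Added example for the thread above; not code from PoisonTap or OpenVPN.
Interface names, gateways and the route set are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None  # None = directly connected


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match, as a kernel FIB lookup does (metrics ignored)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def egress_iface(table: List[Route], dst: str) -> str:
    return lookup(table, dst).iface


# Constructed baseline: a laptop on Wi-Fi with one ordinary default route.
WIFI_TABLE = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "wlan0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wlan0", gateway="192.168.1.1"),
]


def add_rogue_adapter(table: List[Route], iface: str = "usb0",
                      gw: str = "1.0.0.1") -> List[Route]:
    """Hypothetical USB NIC whose DHCP server pushed 0.0.0.0/1 and 128.0.0.0/1.
    The original default route is left untouched, exactly as def1 describes."""
    return table + [
        Route(ipaddress.ip_network("0.0.0.0/1"), iface, gateway=gw),
        Route(ipaddress.ip_network("128.0.0.0/1"), iface, gateway=gw),
    ]


def halves_cover_everything() -> bool:
    """Answer to the subnet question: each /1 is half the space, the pair is all of it."""
    lo = ipaddress.ip_network("0.0.0.0/1")
    hi = ipaddress.ip_network("128.0.0.0/1")
    return (lo.num_addresses + hi.num_addresses == 2 ** 32) and not lo.overlaps(hi)


if __name__ == "__main__":
    rogue = add_rogue_adapter(WIFI_TABLE)
    for dst in ("8.8.8.8", "200.1.1.1", "192.168.1.50"):
        print(dst, "before:", egress_iface(WIFI_TABLE, dst), "after:", egress_iface(rogue, dst))
    print("two /1 routes cover the whole IPv4 space:", halves_cover_everything())
```

Two things the output makes concrete: every destination outside the Wi-Fi LAN now leaves through `usb0` even though the Wi-Fi default route is still present, and the /24 LAN route still wins over the rogue /1 because it is longer, so only traffic that would have gone to the original default gateway is captured.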

------
aftbit
Is there some way to configure network-manager to not autoconnect to new
ethernet adapters that show up? I don't mind clicking the nm-applet dropdown
and clicking on the device...

~~~
DINKDINK
If you're concerned about security, you should have full disk encryption
(FileVault) turned on and be powered down anytime you walk away. Though your
question still has value for the low percentage of times one forgets to power
down.

------
jbverschoor
What's the difference between this and just doing the same at the router
itself?

------
swehner
Wonder if this could be a useful device in some other way (e.g. PC not
responding)

