PoisonTap is an impressive hacking tool that can compromise computers via the USB port, even when they are password-protected. What's interesting is the chain of vulnerabilities the tool exploits. No individual vulnerability is a problem, but together they create a big problem.
Kamkar's trick works by chaining together a long, complex series of seemingly innocuous software security oversights that only together add up to a full-blown threat. When PoisonTap -- a tiny $5 Raspberry Pi microcomputer loaded with Kamkar's code and attached to a USB adapter -- is plugged into a computer's USB drive, it starts impersonating a new ethernet connection. Even if the computer is already connected to Wifi, PoisonTap is programmed to tell the victim's computer that any IP address accessed through that connection is actually on the computer's local network rather than the internet, fooling the machine into prioritizing its network connection to PoisonTap over that of the Wifi network.
With that interception point established, the malicious USB device waits for any request from the user's browser for new web content; if you leave your browser open when you walk away from your machine, chances are there's at least one tab in your browser that's still periodically loading new bits of HTTP data like ads or news updates. When PoisonTap sees that request, it spoofs a response and feeds your browser its own payload: a page that contains a collection of iframes -- a technique for invisibly loading content from one website inside anotherthat consist of carefully crafted versions of virtually every popular website address on the internet. (Kamkar pulled his list from web-popularity ranking service Alexa's top one million sites.)
As it loads that long list of site addresses, PoisonTap tricks your browser into sharing any cookies it's stored from visiting them, and writes all of that cookie data to a text file on the USB stick. Sites use cookies to check if a visitor has recently logged into the page, allowing visitors to avoid doing so repeatedly. So that list of cookies allows any hacker who walks away with the PoisonTap and its stored text file to access the user's accounts on those sites.
There's more. Here's another article with more details. Also note that HTTPS is a protection.
Yesterday, I testified about this at a joint hearing of the Subcommittee on Communications and Technology, and the Subcommittee on Commerce, Manufacturing, and Trade -- both part of the Committee on Energy and Commerce of the US House of Representatives. Here's the video; my testimony starts around 24:40.
The topic was the Dyn attacks and the Internet of Things. I talked about different market failures that will affect security on the Internet of Things. One of them was this problem of emergent vulnerabilities. I worry that as we continue to connect things to the Internet, we're going to be seeing a lot of these sorts of attacks: chains of tiny vulnerabilities that combine into a massive security risk. It'll be hard to defend against these types of attacks. If no one product or process is to blame, no one has responsibility to fix the problem. So I gave a mostly Republican audience a pro-regulation message. They were surprisingly polite and receptive.
from Hacking Password-Protected Computers via the USB Port
No comments:
Post a Comment