
A $5 Tool Called PoisonTap Can Hack Your Locked Computer In One Minute (vice.com)

An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts that reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key of PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.
  • News at 11 (Score:5, Informative)

    by Anonymous Coward on Wednesday November 16, 2016 @11:33PM (#53302627)

    Physical access to equipment trumps (Trumps, heheheh!) almost all security. News at 11.

    • Re:News at 11 (Score:5, Insightful)

      by lucm ( 889690 ) on Wednesday November 16, 2016 @11:39PM (#53302661)

      Physical access, browser running, and it only works if you use cookies on sites that don't require SSL.

      At that point it's probably best to invest that $5 in a box-cutter and force the user to give you their password.

      • and it only works if you use cookies on sites that don't require SSL.

        You mean, except for the part where they are able to hijack any site that uses Google's, jQuery's, or other scripting CDN by replacing the legit Javascript with a version that opens a persistent connection to the attacker's server, through which they can serve up anything to your browser? Or the part where they strip out a whole slew of HTTP header security features by serving up fake, insecure versions that they tell your browser to perma-cache for every single one of the Alexa top 1,000,000 sites? Or the


      • Not really. Even when SSL is used, a redirect to HTTP can be forced. If the cookie doesn't have the "Secure" flag, it will happily send the cookie over HTTP in this case.
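The check implied by the comment above, as an added example that is not part of the original thread: it audits `Set-Cookie` header values for the `Secure` flag and related attributes. The names `audit_cookie` and `exposed_cookies` and the sample headers are constructed for illustration; the `__Secure-`/`__Host-` prefix checks go beyond what the comment mentions.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    domain: Optional[str] = None
    path: Optional[str] = None
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieAudit:
    """Parse one Set-Cookie header value; attribute names are case-insensitive."""
    parts = [p.strip() for p in value.split(";")]
    name, sep, _ = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    audit = CookieAudit(name=name.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            audit.secure = True
        elif key == "httponly":
            audit.httponly = True
        elif key == "samesite":
            audit.samesite = val.lower() or None
        elif key == "domain":
            audit.domain = val or None
        elif key == "path":
            audit.path = val or None
    return audit


def audit_cookie(value: str) -> CookieAudit:
    """Return the parsed cookie with a list of hardening issues."""
    c = parse_set_cookie(value)
    if not c.secure:
        # The case from the comment: the browser attaches this cookie to
        # http:// requests, so a forced redirect to HTTP exposes it.
        c.issues.append("no Secure: cookie is sent over plain HTTP")
    if not c.httponly:
        c.issues.append("no HttpOnly: cookie is readable by page script")
    if c.samesite is None:
        c.issues.append("no SameSite: cross-site sending is left to the browser default")
    # Cookie name prefixes let the browser enforce the attributes itself.
    if c.name.startswith("__Secure-") and not c.secure:
        c.issues.append("__Secure- prefix requires Secure")
    if c.name.startswith("__Host-") and (not c.secure or c.domain or c.path != "/"):
        c.issues.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return c


def exposed_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that would travel over an unencrypted connection."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


# Constructed sample Set-Cookie values (not captured from any real site).
SAMPLE = [
    "sid=abc123; Path=/",
    "token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-sess=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Host-bad=abc123; Domain=example.test; Path=/; Secure",
    "prefs=dark; Expires=Wed, 16 Nov 2026 23:33:00 GMT; secure",
]

if __name__ == "__main__":
    for header in SAMPLE:
        result = audit_cookie(header)
        print(f"{result.name}: {'OK' if not result.issues else '; '.join(result.issues)}")
    print("sent over plain HTTP:", exposed_cookies(SAMPLE))
```
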
      • by vinlud ( 230623 )

        Forcing with a box-cutter at least gives the user the knowledge they've been compromised, so not really the same thing.

    • Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.
      • by unrtst ( 777550 )

        Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.

        ... and risk getting stuck at bios password. Get around that and get stuck at disk encryption password (usb boot not enabled). Re-enable usb boot in bios and unable to mount encrypted disks. Or, stick this thing in a usb port for a bit and get access to everything remotely thereafter. Never reboot a box if you can avoid it.

    • by Anonymous Coward

      Even better flamebait :
      'This text can hack your computer'
      just by reading this text, your computer has been hacked!! of course you need to have physical access to the computer and the person, a baseball bat, a wrench, an installation of kali linux on a usb drive, a non encrypted disk, cotton candy, and a captain crunch whistle ( optional, but very amusing )

      • by AK Marc ( 707885 )
        And that guy's leg.
      • Even better flamebait :
        'This text can hack your computer'
        just by reading this text, your computer has been hacked!!

        X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

        Tag.

    • by Anonymous Coward

      This attack can in no way determine operating system passwords. It cannot "hack your locked computer".

      Now if they had described powering off the computer and then booting it from external media running something like l0phtcrack, then they would be actually "hacking your (no longer) locked computer" - that's only if you do not have a bios power-on password set.

      Hey, if I have physical access why not just remove the hard-disk(s) and put it in another system?

      And neither of these approaches would be news.

      This is

  • Okay... (Score:5, Informative)

    by 93 Escort Wagon ( 326346 ) on Wednesday November 16, 2016 @11:39PM (#53302663)

    "Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar."

    While I do think the fact that this works at all is problematic... if you're doing anything non-trivial on any website which doesn't employ https, that information has likely been available to anyone who really wanted it already.

    • I did this in college since our dorm still had a Hub. How is this new (other than being smaller)?

      • Exactly, won't a more useful tool be one that clones the SID and MAC of an open WAP at a coffee shop, overpowers the existing network, and then forcefully disconnects all the clients so they reconnect automatically to the hacking device?

        Only people using their own data connections would be safe, but who actually does that versus using the free connection?

        You could then do everything this does without needing to physically connect to the machine.

    • if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.
      • Re:Okay... (Score:5, Insightful)

        by geekmux ( 1040042 ) on Thursday November 17, 2016 @06:40AM (#53304193)

        if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

        Corporate users hardly notice anything odd plugged into their systems. I could set a bowling ball under their desk and they probably wouldn't ask about it for a month, because that's not their job. They're far too busy doing the other three jobs they maintain now.

        For those of us managing the average user community, the problem is far more systemic than you dismiss here. Behavior modification is one of the hardest jobs in Security.

        • Behavior modification is one of the hardest jobs in Security.

          That's what the sucker rod is for...

          rgb

        • by pnutjam ( 523990 )
          I was discussing this with one of the security guys at work. He seemed to think the VPN software they use, which forces everything over the VPN for unknown networks, would prevent this from working. I tend to agree.

          Anyone want to weigh in? I know OpenVPN uses a similar routing entry to preempt traffic and force it into the VPN tunnel.
      • by sudon't ( 580652 )

        if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

        I walk into a lot of work places. What I see are a lot of those old "tower" boxes. You wouldn't see anything plugged into the back of one of those. Also, the device doesn't have to stay there forever. Not super-convenient, but workable. Also, the device is the size of a small cell phone, not the size of a paperback, and with a longer cable, and a little creativity, could be disguised and/or placed out of sight.

      • It's roughly 2/3 the size of a business card. Even if it were the size of a paperback, would it be so easy to spot if it were taped under or behind your desk?
      • by Yvan256 ( 722131 )

        The Raspberry Pi zero dimensions [raspberrypi.org] are 65 x 30 x 4.5mm [raspiworld.com]

      • Does it need to be plugged directly into the desktop? Why not use a USB cable to hide it. Or the back of a monitor (many have USB hubs built-in now).

        There are many ways to hide these devices. The vast majority of users don't look over their work area before they start working.

  • by Anonymous Coward

    just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

    • It is an offline attack, and all traces are removed quickly. There are a few things that it makes me want to switch to force https on my LAN, but even /. is https now...
      • by gl4ss ( 559668 ) on Thursday November 17, 2016 @01:45AM (#53303345) Homepage Journal

        what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

        how is plugging a computer into a network an offline attack?

        requiring physical access is less novel, especially when there are a number of attacks described where if you can place something like that, you could just get the keyboard codes by audio, em and a number of other ways - or heck, do this attack over recording the led at the router.

        also it requires you to be logged into the sites already, the sites to not be https.. sorry about the yelling but this seems like a dolt just taking an existing concept, putting it on a raspberry pi and claiming fame based on that.

        • what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

          because to send it to the MS account site you would need to man in the middle the SSL tunnel which in turn requires you to have either compromised the computer already with a fake CA to be trusted or have a compromised public CA. basically nothing at all remotely interesting with this attack.

        • by AmiMoJo ( 196126 )

          Windows versions since Vista won't send plaintext passwords without the user first confirming that the network is a trusted one. I think since 8 they disabled even that, or it might have been 8.1.

    • by sudon't ( 580652 )

      just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

      Why not RTFA? You don't even have to google - the links are right at the top of this page.

  • Pi Zero (Score:4, Interesting)

    by amiga3D ( 567632 ) on Wednesday November 16, 2016 @11:46PM (#53302695)

    Yet another interesting use of a Raspberry Pi Zero. Give people a $5 computer and they just have to come up with something to use it for.

  • by slazzy ( 864185 ) on Wednesday November 16, 2016 @11:50PM (#53302717) Homepage Journal
  • by djinn6 ( 1868030 ) on Thursday November 17, 2016 @12:02AM (#53302783)
    If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.
    • If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      I think the more valid point being made here is the "specialized hardware" in this case costs five bucks, and can be purchased pretty much anywhere by anyone.

    • If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      The Amiga used Sram for memory. You could play say the game "Blood Money", turn off the system and then boot up with a disk with a program to view the memory.

      You could then grab the haunting music of the game or any other sound byte
      https://www.youtube.com/watch?... [youtube.com]

      Sram is in just about everywhere now, even Intel CPUs use it for its speed and ability to maintain its contents without being refreshed. You really can't tell what it's being used in anymore.

      I always turn off my system(s) for an extended per

      • The Amiga used Sram for memory.

        no it didnt

        • The Amiga used Sram for memory.

          no it didnt

          Yep sure did. I should have been more specific, the Amiga 3000 came with 2megs stock (a guess) that was just memory, opposite that memory were memory slots for Sram you purchased separately, it was the only ram that would fit. I put in 10 megs of Sram which disabled the stock memory. I ran a Cnet BBS from it, an 8 line chat board so not much else. I'd search the Sram every now and again just to see what was there.

          Had a friend not sure what Amiga he had I thought a 500. It was what he did, he ripped music out

          • No. Amiga used DRAM just like every home computer of that period. You are confusing couple of things.
            1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
            2 ramdisk for storing files in ram.

            SRAM is static, that means you dont need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.

            • No. Amiga used DRAM just like every home computer of that period. You are confusing couple of things.
              1 you can reset machine without losing ram contents, this was possible in pretty much every computer at the time.
              2 ramdisk for storing files in ram.

              SRAM is static, that means you dont need to refresh it = you can power down whole computer leaving only ram voltage rail. This is how storage worked on early portables like portfolio.

              Don't know if you went through the "computer wars", but to purchase an Amiga was to put oneself on the front line. I could have really gone off on this thread, a direction of nobody's real interest, or use.

              The main point of my first post was that Sram is everywhere and a reboot isn't resetting one's system, it takes a full shutdown and a wait.

              "SRAM is also used in personal computers, workstations, routers and peripheral equipment: CPU register files, internal CPU caches and external burst mode SRAM cache

              • there is no sram in amigas (except for 768 bytes of palette inside Lisa chip)
                The difference between sram and dram is _not_ that one of them can keep the data over a reset, it's that one of them keeps data without explicit _refresh cycles_ when rest of computer is powered down completely. Reboot is not doing ANYTHING to ANY type of ram. Resetting a running computer without stopping current program was standard on Intel 286 (dram simms) when switching from protected mode back to real addressing: https://blogs. [microsoft.com]

                • so again, there never was any sram in amigas

                  I have an 8 Meg expansion card for the 2000, I only got as far as I needed
                  http://amiga.resource.cx/searc... [resource.cx]

                  ps: I fix computers on a component level since nineties :/

                  Got a late start eh, I don't think many on /. haven't worked on computers

                  • I have an 8 Meg expansion card for the 2000, I only got as far as I needed
                    http://amiga.resource.cx/searc... [resource.cx]

                    1 this is A500 expansion
                    2 this is fast ram expansion, Amiga stores images/sounds in the chip ram (separate memory bus) so even if you had third party sram expansion it would do nothing for you because pictures and music was stored in different part of the computer. Amiga rasterizer and sound chips had no access to fast ram (where this particular sram extension installs). https://en.wikipedia.org/wiki/... [wikipedia.org]
                    3 again - what you described (reset to rip memory content) _never_ required special memory type. You coul

                    • Got a late start eh, I don't think many on /. haven't worked on computers

                      cute :)

                      I get it man, you misremembered something and now just can't let go. It's ok, it's not the end of the world. I will leave you and your cognitive dissonance in peace.

                      If I found it to be Sram you can sure bet I'd have sent off a message, so in all fairness.

                      I stopped by my storage today to pick my stereo with no HDMI. I'm going digital optical connections instead - it's a much nicer receiver.

                      Just so happened all my Amigas were there, so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
                      it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that). In fact if you search for 9A9Z you ge

                    • so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
                      it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that).

                      It's not close to sram at all other than similarly sounding name, as I wrote in previous post it is an improved variant of page mode DRAM:
                      >and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard... [jedec.org]

                      even wiki has a section on it https://en.wikipedia.org/wiki/... [wikipedia.org]

                      In fact if you search for 9A9Z you get all sorts of answers of what it is.

                      datasheet: http://datasheet.datasheetarch... [datasheetarchive.com]
                      big hints are
                      -a whole timing diagrams section on refresh
                      -multiplexed address bus
                      -fact 4Mbit sram chips didnt exist until 1993, and wh

  • wait till he discovers ARP Poisoning
  • You don't even need access to the computer to do this "hack" - just use an existing network cable or be on the same network and you can read and modify any plain text sent over the wire. This isn't even "new", compromised USB network cards were all the rage 10 years ago when they first came out with those wallplug computers (before RPi even existed)

  • by davidwr ( 791652 ) on Thursday November 17, 2016 @12:33AM (#53303011) Homepage Journal

    Sure, you can do anything with physical access if you have some time on your hands.

    Sure, you can be persistent if you can leave something behind, like a modified keyboard.

    Sure, you can be persistent if you can install something, but that USUALLY requires either the ability to use the mouse or keyboard on an unlocked machine or tricking the user to do so for you.

    The novelty here is that it's a "plug it in, wait a few minutes, unplug it, and walk away" compromise, AND it doesn't make any permanent hardware changes such as blowing up your PC by sending a few hundred volts down the USB ports.

    It's also novel in that it exposes a design flaw that should've been noticed and widely discussed decades ago.

    By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?

    • Re: (Score:3, Insightful)

      by Anonymous Coward
      The biggest flaw is that the OS doesn't ask if the user wants to install the device, but this exploit has been known for years. Just look up "BadUSB exploit".
    • well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

      *snooze*

      • well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

        *snooze*

        I have no ethernet jack - I have a Mac, you insensitive clod.

      • I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

        *snooze*

        You didn't read TFA. It requires an available USB port and a minute or two. That's it. It does not require pass through and does not interrupt the network connectivity of the running machine, and has a good chance to work on an average workstation (a workstation that is locked with a web browser open). It also is an incredibly cheap tool:

        It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

        • I read TFA. If I have physical access to machine there is no end to the bad things I can do. Not impressed

          • by suutar ( 1860506 )

            how many of them can you do without even unlocking the screen and thereby indicating to the user that something changed? (Serious question - the two factors here that seem to make it interesting are low cost and low visible impact.)

        • It also is an incredibly cheap tool:
          It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

          A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

          • It also is an incredibly cheap tool: It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

            A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

            Adafruit and other online vendors have had them in stock for most of the year. Can the CHIP connect as a USB device?

  • by Anonymous Coward

    Made me think about who this will really affect. I mean who among us really leaves their browser window open and then logs out or times out from inactivity? I don't simply not to waste the cpu cycles when I know I'll be afk for long enough for inactivity to log me out. Most people I think this could affect are businesses and corporate workstations. They usually have a very short inactivity timer, log out whenever afk, and leave their browsers open while logging out. If your next thought is well who wan

  • by aonic ( 878715 ) on Thursday November 17, 2016 @01:38AM (#53303305) Homepage

    My Macbook doesn't have any USB ports!

  • by Neo-Rio-101 ( 700494 ) on Thursday November 17, 2016 @02:08AM (#53303409)

    The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

    • by Anonymous Coward

      The attacker will have to buy an Apple dongle for $200.

    • by houghi ( 78078 )

      Yes, but that would up the price to 104.99USD.

    • The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

      The $9 adapter approximately doubles the cost of the kit, on top of the $5 pi, mSD card and usb micro cable:

      http://www.apple.com/shop/product/MJ1M2AM/A/usb-c-to-usb-adapter?fnode=85

  • Physical access is king?

    How is this news? In high school, I was stealing admin passwords with OPHcrack and selling them to other kids. Took less than 5 minutes to do.

  • by Anonymous Coward

    a good way to expose the excessive trust that Mac and Windows computers have in network devices.

    The problem is wider. The trust is wrongfully placed on USB devices in general, not just network devices. The simple fact that OS X and Windows auto-mount anything inserted into their slots is just pissing me off. I think some "user-friendly" Linux distributions are also doing that. It's too hard to click an "allow" button anymore, not to mention using the terminal to type mount commands.

    A much bigger problem is that device manufacturers typically don't care about security, allowing anyone to update their f

  • No news. But it is selling the weakness of non-https as something new. This is so old school.
    But hopefully somebody can get the budget to implement HTTPS or whatever the purpose was.

  • Right and if you plug in a device straight into their ethernet port that snoops the line..

    Anyway..OH MY GOSH NEWS NEVER KNEW!?!?!

  • by Anonymous Coward

    > Man in the middle attack

    > Novel attack

    Sounds pretty contradictory to me.

  • by drinkypoo ( 153816 ) <martin.espinoza@gmail.com> on Thursday November 17, 2016 @08:00AM (#53304363) Homepage Journal

    We discussed this previously. Too lazy to find the conversation, but then, so are the Slashdot "editors". This is actually a non-problem in a Windows corporate environment because if you have not already prevented users from installing hardware via group policy, you have already failed as a Windows admin.

    It's not terribly difficult to prevent hardware hotplugging on Linux.

    Couldn't tell you about Mac, don't care.

    Wank wank, flonk flonk.

  • Too Many Secrets: https://www.youtube.com/watch?... [youtube.com]
  • by Lumpy ( 12016 ) on Thursday November 17, 2016 @08:19AM (#53304421) Homepage

    So that means it's pretty ineffective. Everything that is important to me is HTTPS, even my router's config pages.

    I have yet to see any important site not force HTTPS. Will this see that I log into "fluffybunnypodcast.com" with the username bunnyman42 and the password 12345? Yep. But I fully expect that the Chinese hackers already have this as I really don't care if they get free copies of the latest free fluffybunny broadcast.

  • According to people right here on Slashdot, you can't find the Raspberry Pi Zero anywhere.

  • As above, where can we buy one?

  • Sounds like a hardware version of a proxy

  • Coworker goes to lunch and locks his PC, you go and steal his cookies and mess with his project files while making it look like it's him.

    Many fat client applications have been replaced by REST apps and web based approaches, and many companies do not use HTTPS for servers that can only be accessed internally. Yes, even companies that should be security conscious. The attack scenario is not webservers out on the internet but company-internal servers. Once I was even told by a client that this actually increas
