
PoisonTap, a $5 tool that invades password-protected computers

147 points| emilong | 9 years ago |arstechnica.com | reply

70 comments

[+] Analemma_|9 years ago|reply
Am I correct in understanding that the device works by presenting itself as an Ethernet adapter and then poisoning the browser cache? Would the solution be as simple as an OS update that didn't use unknown network interfaces until the computer was unlocked?
[+] SCHiM|9 years ago|reply
I agree, it does appear that way. Do not trust _any_ USB ethernet devices when the device is locked, (security) problem solved.
[+] olzaya|9 years ago|reply
Never trust user input :)
[+] ohstopitu|9 years ago|reply
Since no one seems to be talking about how to secure devices, I guess I'll get started...

USB devices should not accept any incoming connection when the computer is locked. The only use of USB ports when a computer is locked should be for charging devices (current out, no data in). We also need to ensure that devices that were connected before the computer was locked continue to function.

Now obviously, the issue with this would be about external devices that are connected after the device has been locked (drives, keyboards etc. - say for example, keyboard stopped working so you switched it out) but in my opinion, that's an edge case and should not cause too much inconvenience.

[+] theandrewbailey|9 years ago|reply
> The only use of USB ports when a computer is locked should be for charging devices (current out, no data in). We also need to ensure that devices that were connected before the computer was locked continue to function.

Good idea, but...

(hypothetical helpdesk ticket) Oh crap! I knocked my coffee on my keyboard and ruined it as I was sitting down at my locked computer. I connected another keyboard, but the lock screen is not accepting my password!

Allow HID class devices to be connected when locked, and that should be OK.

[+] Tepix|9 years ago|reply
Is this really limited to USB devices? What happens when you plug the ethernet cable into a malicious router?
[+] throwaway2016a|9 years ago|reply
Is there somewhere I can get the source code for this to install on my own Pi 0? I tried a bunch of the links but couldn't find it.

I really dislike this trend of making the link text have little to nothing to do with where the link goes.

Edit: for research, I don't plan on using this against someone.

[+] FilterSweep|9 years ago|reply
I didn't realize PoisonTap's creator, Samy, is also the creator of the Evercookie[0], a persistent identifying cookie that remains sharded(then recombines) in your system even after clearing your cookies. While a very cool project, it has some scary implications on users not trained in their removal.

[0] https://github.com/samyk/evercookie

[+] devy|9 years ago|reply
He's a prolific security researcher. Evercookie got him the fame and since then he's been researching all sorts of security vulnerabilities even on things like combination locks [1], I enjoy his video tutorials a lot.

[1] http://samy.pl/combobreaker/

[+] oandrei|9 years ago|reply
It seems that such an exploit would require some kind of `network-manager` running. But if `network-manager` is disabled, and all interfaces are configured in `/etc/network/interfaces`, then the new malicious interface will just be ignored. It will not come up.
[+] EwanG|9 years ago|reply
Presuming you are given free access to a USB port on the computer - and as we all know once you have physical control security is somewhat out the window anyway.
[+] xoa|9 years ago|reply
>and as we all know once you have physical control security is somewhat out the window anyway.

No, just no. It's long, LONG past time to retire this bit of ancient lore, which came out of a completely different time and place in computing. These days for most users not always having physical control is by far the norm, not the exception. And there are absolutely ways to mitigate security issues from physical access; that is after all the entire point of technologies like full disk encryption. FDE is completely pointless if physical security can be taken for granted, it exists entirely because physical security cannot be taken for granted. I presume you don't spend your days advocating nobody bother "because it's pointless anyway."

Technologies like specific CPU/SoC/chipset level hardware security zones, HSMs, use of IOMMUs and the like to prevent DMA from ports, etc. are all there in part to help prevent or mitigate certain physical attacks. For that matter, simple locks and/or sealing of computer units aids with both making attacks more difficult, slower (another key part of threat mitigation) and, just as importantly, making them noticeable. The final fallback of a good security system is to at least try to let the owner know that it broke if all else fails. There is a certain amount of disgruntlement amongst some tech people at highly sealed devices, but they do make it significantly more challenging to perform certain physical attacks quickly or undetectably.

So yes, anything which unexpectedly speeds up physical attacks, renders them less noticeable or unnoticeable, or both, is a legitimate issue. Normal users of portable systems should be able to expect that, under normal circumstances, they can warm lock it (screen lock, put it to sleep), leave for a few minutes, and have a low likelihood of a low energy persistent evil maid attack being pulled off in the mean time. Treating modern security like it only needs to consider servers stashed in a secured room/data center is wrong.

[+] throwaway2016a|9 years ago|reply
This is much faster than other ways of cracking a computer though. I can see this working while someone steps away for a few minutes.

Say you go in for a job interview at a company and the interviewer leaves for a minute with their computer locked but still on their desk. Most traditional methods would require you to move to the other side of the desk or pull the computer to you which is risky, but with this you can just reach over for a few seconds.

Not to mention many traditional attacks require rebooting the computer to a bootable CD, which will be suspicious if the user has an active login session and all of a sudden all their apps are closed.

Or say you are at a doctor's office and there is no CD drive and rebooting the computer would be suspicious. I'm left unattended in exam rooms with computers all the time.

I also imagine it could be fairly easily modified to act like a USB hub and be inserted between the computer and a legitimate device.

Edit: Think of how much less dramatic the scenes will be in Mr. Robot and the like if the "hacker" doesn't have to rush to get back to their seat just in time for the target to get back to their desk.

[+] falcolas|9 years ago|reply
Imagine this built into a USB-C power adapter you could loan to a coworker, "leave behind" or install into a co-working space or coffee shop. Don't even need physical access in that case, just need to be a "Good Samaritan".
[+] mpeg|9 years ago|reply
As a user, it'd be nice to assume that if I'm not logged in new USB devices won't be installed though.
[+] mtgx|9 years ago|reply
> and as we all know once you have physical control security is somewhat out the window anyway.

This is such a defeatist attitude, and it has also proven to be (mostly) false by Apple and its iPhones. If we stopped saying that every time there is a hack like this, perhaps companies would actually give a damn to make sure it doesn't happen anymore, or not nearly as easily.

It's one thing to pay from tens of thousands of dollars to a million for modification of a chip in a factory or with highly-advanced equipment, and it's quite another to just insert a USB stick into a random PC and hack it.

[+] 6stringmerc|9 years ago|reply
As a writer who just included a plot device of providing a loaded USB flash drive as temptation for a target to pick up and plug into their computer and deliver a payload, I'm exceptionally pleased this device reaffirms the risk of malware being deployed by way of USB ports. From time to time it's hard as a writer to try and pick tech and things that hopefully won't sound dated, or if they eventually do, will at least fit within a specific story's time-place-world-setting.
[+] JoeAltmaier|9 years ago|reply
Isn't that how certain uranium refinement centrifuges were compromised? USB drives entering a building contrary to security rules.
[+] OJFord|9 years ago|reply

    > The primary motivation is to demonstrate that even on a
    > password-protected computer running off of a WPA2 Wi-Fi,
    > your system and network can still be attacked quickly
    > and easily.
Oh no!

    > [... with physical access.]
Oh. Has this ever been disputed?
[+] freehunter|9 years ago|reply
Generally, once an attacker has physical access to your machine, you're already owned.

However, something like this would make insider threats a bit more dangerous. Leaving your laptop at your desk when you go to a meeting or to the bathroom is perfectly normal, and if a coworker can sneak in and break into your machine while you're not looking, that's a game changer.

[+] lolc|9 years ago|reply
I don't see how this device is in a more privileged position than the router your system is connected to. The way I see it, any vulnerabilities used in this attack are MITM-vulnerabilities plain and simple and need to be fixed regardless of this specific attack. Am I missing something?
[+] Tepix|9 years ago|reply
If the router you are connected to is a WiFi router, then this device is indeed in a more privileged position because as a LAN connection it will have precedence over WiFi.
[+] snake_plissken|9 years ago|reply
There is a lot of cool hackery going on here but the most beautiful part is how it tricks the target computer into thinking that the entire internet is directly connected to the computer via the USB ethernet interface (I think, I thought the 128.0.0.0 subnet would mean half the addressable space? I've never gotten to 100% understanding of subnets). Although the deception relies on the priority in routing (LAN over outside), it's still a real beaut.
[+] aftbit|9 years ago|reply
OpenVPN uses the same trick to establish a higher-priority default gateway:

    def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
This works because routing tables prioritize "tighter" routes. I do think that 128.0.0.0/1 would only map to 1/2 of the address space. I cannot find the isc-dhcp server config files in the source code to verify. :disappointed:
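The two questions above (does 128.0.0.0/1 really cover only half the address space, and why does a wired link "win" over Wi-Fi) both come down to how a host picks a route: longest matching prefix first, then lowest metric. The following is an added example, not code from the thread, from PoisonTap or from OpenVPN; it models that selection with a small constructed routing table. The gateway 10.0.0.1, the 10.0.0.0/24 gadget subnet, the interface names and the metrics 600/100 are assumed values for illustration.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "network gateway dev metric")


def make_table(rows):
    """Build a routing table from (prefix, gateway-or-None, interface, metric) rows."""
    return [Route(ipaddress.ip_network(n), gw, dev, m) for n, gw, dev, m in rows]


# Constructed starting point: a laptop on WPA2 Wi-Fi with a normal default route.
# (192.168.1.0/24, wlan0 and metric 600 are assumed, not taken from the article.)
WIFI_ONLY = [
    ("0.0.0.0/0",      "192.168.1.1", "wlan0", 600),  # legitimate default route
    ("192.168.1.0/24", None,          "wlan0", 600),  # on-link Wi-Fi LAN
]

# The same table after a USB Ethernet gadget appears and its DHCP lease pushes two
# /1 routes (the 'def1' trick). 10.0.0.0/24 and 10.0.0.1 are assumed gadget-side values.
WITH_GADGET = WIFI_ONLY + [
    ("10.0.0.0/24", None,       "eth1", 100),  # on-link gadget subnet
    ("0.0.0.0/1",   "10.0.0.1", "eth1", 100),  # 0.0.0.0   .. 127.255.255.255
    ("128.0.0.0/1", "10.0.0.1", "eth1", 100),  # 128.0.0.0 .. 255.255.255.255
]

# A plain wired uplink that only adds a second /0 default: same prefix length as the
# Wi-Fi default, so the lower metric decides (the "LAN beats Wi-Fi" case).
WITH_PLAIN_WIRED = WIFI_ONLY + [
    ("0.0.0.0/0", "10.0.0.1", "eth1", 100),
]


def lookup(dst, rows):
    """Return the route a host would choose for dst: longest prefix wins,
    and among equal prefix lengths the lowest metric wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in make_table(rows) if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def egress_dev(dst, rows):
    """Interface that traffic to dst would leave through, or None if unroutable."""
    route = lookup(dst, rows)
    return route.dev if route else None


def address_space_fraction(prefixes):
    """Fraction of the IPv4 space covered by the union of the given prefixes."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return sum(n.num_addresses for n in nets) / 2 ** 32


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.5", "192.168.1.1"):
        print(dst, "wifi-only ->", egress_dev(dst, WIFI_ONLY),
              "| with gadget ->", egress_dev(dst, WITH_GADGET))
    print("128.0.0.0/1 alone covers", address_space_fraction(["128.0.0.0/1"]))
    print("both /1 routes cover", address_space_fraction(["0.0.0.0/1", "128.0.0.0/1"]))
```

So 128.0.0.0/1 alone is indeed half the space; it is the pair of /1 routes that captures everything, and it does so without touching the original /0 entry, which is why nothing looks removed if someone runs `ip route` afterwards. The only traffic the gadget does not capture is whatever already has a more specific route, such as the on-link 192.168.1.0/24 above.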
[+] aftbit|9 years ago|reply
Is there some way to configure network-manager to not autoconnect to new ethernet adapters that show up? I don't mind clicking the nm-applet dropdown and clicking on the device...
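NetworkManager has a setting for exactly this. The fragment below is an added example, not from the thread or from PoisonTap; the key `no-auto-default` in `NetworkManager.conf` is a real option, while the file name under `conf.d` is an assumed choice.

```ini
# /etc/NetworkManager/conf.d/90-no-auto-wired.conf  (file name assumed)
[main]
# Default behaviour (same as leaving the key unset): NetworkManager creates and
# activates a "Wired connection N" profile for any wired interface that has no
# profile yet, including a USB network gadget that shows up while the screen is locked.
#no-auto-default=

# Hardened: never auto-create a default wired profile. A newly attached adapter
# stays "disconnected" until you create a profile for it yourself in nm-applet
# or with nmcli, which is the manual-click behaviour asked for above.
no-auto-default=*
```

After restarting NetworkManager, plugging in a USB Ethernet adapter should leave it listed as "disconnected" in `nmcli device status` rather than "connected". Note this only stops the automatic DHCP and route installation; the adapter is still enumerated by the kernel.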
[+] DINKDINK|9 years ago|reply
If you're concerned about security, you should have full disk encryption (FileVault) turned on and be powered down anytime you walk away. Though your question still has value for the low percentage of times one forgets to power down.
[+] jbverschoor|9 years ago|reply
What's the difference between this and just doing the same at the router itself?
[+] swehner|9 years ago|reply
Wonder if this could be a useful device in some other way (e.g. PC not responding)