PoisonTap, A $5 Device, Can Easily Hijack Your Computer’s Internet Connection

By Edwin Kee
PoisonTap
 Samy.pl

Now here is a very interesting proposition for those who are really curious about what kind of exploits that they can take advantage of on their home computer. Perhaps you have $5 to spare, and rather than spend it on Fiverr.com, how about picking up the PoisonTap source code? This is one unique and very, very clever exploit from a certain Samy Kamkar. All that it requires is but a few seconds, and the malicious code known as PoisonTap running on a Raspberry Pi Zero that is subsequently plugged into an exposed USB port of a notebook or computer that is asleep, can be hijacked.

Yes, you read that right. This $5 “trick” is more than capable of hijacking your expensive machine, all without the need for brute force attacks to bypass your password, or even work its way through zero days and million dollar back doors. PoisonTap is the latest project by Kamkar that clearly highlights the kind of weaknesses that are present in our modern day computers. How does PoisonTap work? Well, it will momentarily trick a computer which it is plugged into, into figuring out that the whole Internet actually is stashed on a piece of hardware that is worth $5 -- the Raspberry Pi Zero. This barebones computer will be able to connect to any available USB port of a computer, and when PoisonTap runs, it will present itself as an Ethernet interface as opposed to being a USB device.

The computer or notebook in question would be more than happy to know that it no longer has to rely on Wi-Fi that will sap it of its battery power unnecessarily, and it “expresses” itself by sending a DHCP request. This DHCP request will want to be assigned with an IP. PoisonTap gladly obliges, dishing out a list of IPs through a fake wired connection, as these IPs are actually connected locally on the LAN as opposed to be on servers elsewhere.

The computer or notebook will just swallow this front hook, line and sinker, sending data to the faux IPs on PoisonTap as opposed to the real websites and online services. Best of all is, you do not have to be physically present. The moment an HTTP request is sent, PoisonTap will respond accordingly, offering a slew of malicious iframes that will cache data, collecting vital information such as cookies and sessions before being converted for use by the attacker. Heck, even the router would end up as exposed to remote manipulation, and when the PoisonTap has been unplugged, you would not know what have hit you.

Most of the standard security measures are bypassed easily with PoisonTap, including password protection, two-factor authentication, and DNS pinning, among others. This is due to the operating system placing a large and unprecedented amount of trust on a USB connection that presents itself a LAN that represents the internet. If you are a server admin, there is hope. Prevention is better than cure, and you can opt to enforce HTTPS at every level. However, on the client’s side, Microsoft claims that “Regardless of operating system, for this to work, physical access to a machine is required. So, the best defense is to avoid leaving laptops and computers unattended and to keep your software up to date.”

Pretty basic but sound advice, don't you think so?