A $5 Tool Called PoisonTap Can Hack Your Locked Computer In One Minute (vice.com)
An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer into sending all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts who reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key to PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.
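The cookie-theft condition in the summary is worth making precise. A device that has become the victim's default route sees every request the browser sends over plain http://, and the browser attaches a cookie to such a request only if that cookie was set without the Secure attribute (RFC 6265, section 4.1.2.5); it will not send a plaintext request at all to a host it already knows via HSTS. So the check a defender wants is per cookie, not "does the site support HTTPS". The following is an added example, not code from the article or from PoisonTap itself; the Set-Cookie headers and the HSTS host list are constructed samples, and the lure page only illustrates the shape of the HTML an interceptor would serve to a background request.

```python
"""Which cookies a plaintext-HTTP interceptor gets to read.

Added example; not code from the article or from PoisonTap itself.  Models
two browser rules: no plaintext request at all for an HSTS host, and every
cookie lacking the Secure attribute is attached to an http:// request.
The Set-Cookie headers and HSTS list below are constructed samples.
"""
from typing import Dict, List, Tuple

SetCookie = Tuple[str, str, Dict[str, object]]

# Constructed sample: host -> Set-Cookie header values seen in its responses.
SAMPLE_SET_COOKIE: Dict[str, List[str]] = {
    "shop.example": [
        "session=abc123; Path=/; HttpOnly",          # no Secure flag: leaks
        "csrf=def456; Path=/; Secure; HttpOnly",
    ],
    "bank.example": [
        "sid=zzz999; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    "blog.example": [
        "login=tok42; Path=/",                        # no Secure, no HttpOnly
    ],
    "mail.example": [
        "auth=qwerty; Path=/",                        # no Secure, but host is HSTS
    ],
}

# Constructed sample: hosts the browser already knows as HSTS (preloaded or
# learned), for which it rewrites http:// to https:// before sending anything.
SAMPLE_HSTS_HOSTS = frozenset({"mail.example"})


def parse_set_cookie(header: str) -> SetCookie:
    """Split a Set-Cookie header into (name, value, {attr: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def cookies_exposed_to_plaintext_mitm(
    set_cookie_headers: Dict[str, List[str]],
    hsts_hosts=frozenset(),
) -> Dict[str, List[str]]:
    """Per host, the cookie names that ride along on a forced http://host/ request.

    HttpOnly is irrelevant here: the interceptor reads the wire, not
    document.cookie, so only the Secure attribute (or HSTS) keeps a cookie off it.
    """
    exposed: Dict[str, List[str]] = {}
    for host, headers in set_cookie_headers.items():
        if host in hsts_hosts:
            continue  # browser upgrades to https://, interceptor sees nothing useful
        names = [
            name for name, _, attrs in map(parse_set_cookie, headers)
            if "secure" not in attrs
        ]
        if names:
            exposed[host] = names
    return exposed


def lure_page(hosts) -> str:
    """HTML an interceptor would return to the victim's background request:
    one hidden iframe per target host, each forcing a plaintext request that
    carries that host's non-Secure cookies.  Illustrative shape only."""
    frames = "\n".join(
        f'<iframe src="http://{h}/" style="display:none"></iframe>'
        for h in sorted(hosts)
    )
    return f"<html><body>\n{frames}\n</body></html>"


if __name__ == "__main__":
    hits = cookies_exposed_to_plaintext_mitm(SAMPLE_SET_COOKIE, SAMPLE_HSTS_HOSTS)
    for host, names in hits.items():
        print(f"{host}: {', '.join(names)}")
    print(lure_page(SAMPLE_SET_COOKIE))
```

Run against the constructed samples, only shop.example's session cookie and blog.example's login cookie are exposed: bank.example marks everything Secure, and mail.example never gets a plaintext request because of HSTS. Dropping the HSTS knowledge makes mail.example's auth cookie leak as well, which is why an attack like this works against any host whose cookies merely lack the Secure attribute, regardless of whether the site itself serves HTTPS.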
Yet another interesting use of a Raspberry Pi Zero. Give people a $5 computer and they just have to come up with something to use it for.
Sure, you can do anything with physical access if you have some time on your hands.
Sure, you can be persistent if you can leave something behind, like a modified keyboard.
Sure, you can be persistent if you can install something, but that USUALLY requires either the ability to use the mouse or keyboard on an unlocked machine or tricking the user to do so for you.
The novelty here is that it's a "plug it in, wait a few minutes, unplug it, and walk away" compromise, AND it doesn't make any permanent hardware changes such as blowing up your PC by sending a few hundred volts down the USB ports.
It's also novel in that it exposes a design flaw that should've been noticed and widely discussed decades ago.
By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Not yet, but AMD Zen CPUs will have such a feature. Have some articles:
http://wccftech.com/amd-zen-en...
http://www.phoronix.com/scan.p...
http://www.redgamingtech.com/a...
....and, good luck reading my fully encrypted hard drive when you get it home. For that, you might need the $5 billion NSA complex. Or (as noted above) a $5 wrench and physical access to my person.
Which would work, very quickly actually. I don't keep anything on a computer drive, encrypted or not, that I wouldn't want my mother to read. Or the Feeb. Or Soviet Russia, where your disk reads you! Because seriously, if somebody REALLY REALLY wants to get into your disk, and you're not dead, they probably can. With 4096-bit encryption and a nice long pseudorandom key, maybe not. But only MAYBE, and over time, it is even probable that they will eventually be able to do so. I remember a time when 6-digit passwords were relatively safe. Then 7. At this point 8 in lower-case ASCII is easily searchable by the NSA or anyone with teraflop resources, and teraflop resources aren't even that expensive; petaflops are out there. If one assumes 64 characters, it is still only on the order of 10^15 permutations, so a petaflop cluster could do it in minutes, a teraflop cluster in days, and that's if one chooses a GOOD password that is essentially random. At this point, I'm not sure that a 12-character password is secure against NSA-level exhaustive attacks, although with 10^22 possibilities it would start to take a while even with a petaflop -- say a couple or three years. Again, unless you use a truly random 12-character string, they can probably cut this down to months just by searching on the most probable strings first.
But if I were alive, and (say) my hard drive had the coordinates of a nuclear bomb planted somewhere in Manhattan, I'm guessing that they'd opt for the drugs and the wrench and a bit of electricity applied to the testicles to see if they couldn't get the key in minutes instead of weeks or months. Cheaper, faster, and who takes the Constitution seriously any more anyway?
rgb
Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.