Slashdot Mirror


A $5 Tool Called PoisonTap Can Hack Your Locked Computer In One Minute (vice.com)

An anonymous reader quotes a report from Motherboard: A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks. Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there's a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday. And all a hacker has to do is plug it in and wait. PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it's plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar. Security experts that reviewed Kamkar's research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That's the key of PoisonTap's attacks -- once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.

111 of 172 comments

  1. News at 11 by Anonymous Coward · · Score: 5, Informative

    Physical access to equipment trumps (Trumps, heheheh!) almost all security. News at 11.

    1. Re:News at 11 by lucm · · Score: 5, Insightful

      Physical access, browser running, and it only works if you use cookies on sites that don't require SSL.

      At that point it's probably best to invest that $5 in a box-cutter and force the user to give you their password.

      --
      lucm, indeed.
    2. Re:News at 11 by hcs_$reboot · · Score: 1

      Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:News at 11 by Anubis+IV · · Score: 2

      and it only works if you use cookies on sites that don't require SSL.

      You mean, except for the part where they are able to hijack any site that uses Google's, jQuery's, or other scripting CDN by replacing the legit Javascript with a version that opens a persistent connection to the attacker's server, through which they can serve up anything to your browser? Or the part where they strip out a whole slew of HTTP header security features by serving up fake, insecure versions that they tell your browser to perma-cache for every single one of the Alexa top 1,000,000 sites? Or the part where they open virtually every site up to cross-site scripting attacks by tricking your browser into thinking that the hidden iframes they're now secretly loading whenever you visit any site belong to that site?

      But you're quite correct. They can't get properly secured cookies. Thank goodness for that small mercy.

    4. Re:News at 11 by Anubis+IV · · Score: 2

      It's the default setting for every major OS, apparently. It exploits a weird quirk where it claims the entire Internet is part of its LAN, which causes it to get priority over any existing connections to the Internet you might have, since they'll all be via WAN. It won't work on any computer, but it will work on most.

    5. Re:News at 11 by sithlord2 · · Score: 1

      Not really. Even when SSL is used, a redirect to HTTP can be forced. If the cookie doesn't have the "Secure" flag, it will happily send the cookie over HTTP in this case.

      --
      ...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
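To make the Secure-flag point above concrete, here is a small model of the browser's cookie-attachment rule, added here rather than taken from the page or from Kamkar's project. The Set-Cookie headers and the host www.example.com are constructed; the audit function shows which cookies would leak on a forced https-to-http redirect.

```python
"""Which cookies does a browser attach to a request, and why does a missing
Secure attribute matter once a MITM can force a plaintext redirect?
Added example; the headers and hostnames below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value (simplified RFC 6265 attribute handling)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()
        elif key == "path" and val.startswith("/"):
            cookie.path = val
    return cookie


def domain_matches(cookie_domain: str, host: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(cookie_path: str, request_path: str) -> bool:
    if cookie_path == "/" or request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path.rstrip("/") + "/")


def cookies_for_request(jar, url: str):
    """Names of the cookies a browser would attach to a request for `url`."""
    u = urlparse(url)
    is_https = u.scheme == "https"
    sent = []
    for c in jar:
        if c.secure and not is_https:
            continue  # Secure cookies are never sent over plaintext HTTP
        if not domain_matches(c.domain, u.hostname or ""):
            continue
        if not path_matches(c.path, u.path or "/"):
            continue
        sent.append(c.name)  # HttpOnly does not affect transmission, only script access
    return sent


def audit_downgrade_exposure(set_cookie_headers, host: str):
    """Server-side check: cookies from these headers that would leak if the
    browser were redirected to http://host/ by an on-path device."""
    jar = [parse_set_cookie(h, host) for h in set_cookie_headers]
    return cookies_for_request(jar, f"http://{host}/")


# Constructed Set-Cookie headers, as an origin might send them over HTTPS.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",         # no Secure flag: leaks on downgrade
    "csrf=xyz789; Path=/; Secure; HttpOnly",    # Secure: withheld over HTTP
    "prefs=dark; Domain=.example.com; Path=/",  # no Secure flag: leaks on downgrade
    "admin=1; Path=/admin; Secure",             # Secure and path-scoped
]


def demo():
    jar = [parse_set_cookie(h, "www.example.com") for h in SAMPLE_HEADERS]
    return {
        "over_https": cookies_for_request(jar, "https://www.example.com/"),
        "after_downgrade": cookies_for_request(jar, "http://www.example.com/"),
        "exposed": audit_downgrade_exposure(SAMPLE_HEADERS, "www.example.com"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label}: {names}")
```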
    6. Re:News at 11 by Anonymous Coward · · Score: 1, Informative

      It won't work on any computer but Microsoft Windows computers. It is like the autoexec cd-rom all over again.

      If they want to make it work on ALL computers, they need to use an Ethernet interface.

    7. Re:News at 11 by Anonymous Coward · · Score: 1, Funny

      > Major OS

      > It won't work on any computer but Microsoft Windows computers.

      That's what he said.

    8. Re:News at 11 by vinlud · · Score: 1

      Forcing with a box-cutter at least gives the user the knowledge they've been compromised, so not really the same thing.

      --
      Repeat after me: We are all individuals
    9. Re:News at 11 by jarran · · Score: 1

      Indeed. Also: How worrying is it that there are people here who think that an attack that doesn't involve threatening another person with violent assault offers no advantages over one that does?

    10. Re:News at 11 by Gadget_Guy · · Score: 2

      It won't work on any computer but Microsoft Windows computers.

      Blind hope that your choice of operating system is safe is the worst form of security. From the article:

      PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected

    11. Re:News at 11 by Anonymous Coward · · Score: 1, Informative

      https://samy.pl/poisontap/

      Creator demonstrates with his own Mac.

    12. Re:News at 11 by Anonymous Coward · · Score: 1

      PoisonTap emulates an Ethernet device (eg, Ethernet over USB/Thunderbolt) - by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it, even when the machine is locked or password protected

      The real test will be to see which OSes get patched first.

    13. Re:News at 11 by Anonymous Coward · · Score: 1

      Why a $5 box-cutter instead of a wrench and some drugs?

    14. Re:News at 11 by ilsaloving · · Score: 4, Insightful

      It's basically a MITM attack. There's no difference between this and using a malicious network router. In fact, that's exactly what this is. The only difference is that you're connecting directly to the computer and pretending to be a network adapter rather than it being something upstream.

      If a malicious actor has physical access to your PC, then this is the *least* of your worries. There are all sorts of things that could be done.

    15. Re:News at 11 by lucm · · Score: 5, Funny

      If a malicious actor has physical access to your PC, then this is the *least* of your worries.

      True. I don't even want to think about what Russell Crowe would do if he had physical access to my computer.

      --
      lucm, indeed.
    16. Re:News at 11 by lucm · · Score: 1

      So if you had to choose you'd prefer to be box-cutted than quietly hacked?

      --
      lucm, indeed.
    17. Re:News at 11 by kuzb · · Score: 1

      ...which is why in the demonstration videos he's running it on a mac....

      --
      BeauHD. Worst editor since kdawson.
    18. Re:News at 11 by ilsaloving · · Score: 1

      It's times like this I wish I could mod posts on the same article I posted a comment on.

    19. Re:News at 11 by unrtst · · Score: 1

      Indeed. Boot the pc on a USB Linux, mount the computer disk, enjoy.

      ... and risk getting stuck at bios password. Get around that and get stuck at disk encryption password (usb boot not enabled). Re-enable usb boot in bios and unable to mount encrypted disks. Or, stick this thing in a usb port for a bit and get access to everything remotely thereafter. Never reboot a box if you can avoid it.

    20. Re:News at 11 by epine · · Score: 1

      Blind hope that your choice of operating system is safe is the worst form of security. From the article:

      When you deliberately choose an operating system so inconvenient by default that it's not even part of the mainstream conversation, it's hardly blind hope.

      USB Tethering: How to auto-configure?

      I have an LG G2 phone that can share its mobile internet via USB tethering. FreeBSD 9.3 recognizes it, but does not automatically obtain an IP address via DHCP and set it to the default route when I enable USB tethering on my device. Is there any way to do that? Just like under Windows.

      I'm guessing, on the basis of that final sentence, he hadn't been bumping along on the BSD anti-bandwagon for very long.

      Convenience, the simple recipe:
      * mise en place: read everything Bruce Tognazzini ever wrote, back in the era where Apple still provided some modicum of external justification for random UI tweak of the randomly selected mountain
      * blend into one long, hard night of inspired coding
      * activate brew with one generous Pandora's box jigger of "assume trust"
      * ladle up hot, attractive mess
      * serve steaming

    21. Re:News at 11 by tlhIngan · · Score: 2

      The real test will be to see which OSes get patched first.

      The problem is HOW do you patch it.

      It's going to involve a heavy user space network manager to do it, because, the way it works, the simple routing engine the kernels have is the root cause.

      You also need to consider that you may be connected to WiFi, and Ethernet devices always have routing priority over WiFi (being wired, the metric of connection is lower than WiFi) in practically every OS.

      Then you have to consider the ethernet device might already be there - laptops and servers and desktops may have spare ethernet ports that are not connected so it'll be trivial for an attack like this to use Ethernet instead of USB. Servers may be trivially secured by having inactive ports blacked out, but laptops may migrate between WiFi and Ethernet on a rather frequent basis, or even attached to different networks simultaneously (work laptop is connected to work network via Ethernet, but also via guest WiFi to bypass work network firewall blocks).

      You might get away with limiting how "wide" your LAN is - after all, there is a practical limit to how big your local Ethernet segment can be before it collapses from the sheer load. Perhaps you can modify the DHCP client to reject anything saying you have more than 65535 devices on the local segment (i.e., you cannot accept anything more than a /16). This seems like the only practical way to do it without basically rewriting every network assumption since the 70s.

    22. Re:News at 11 by Cramer · · Score: 1

      Correction: It "pretends" to be HALF the internet. 1.0.0.0/128.0.0.0 to be exact.

    23. Re:News at 11 by Anubis+IV · · Score: 1

      That's not what the original blog post said:

      PoisonTap responds to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap’s local network, rather than a small subnet (eg 192.168.0.0 - 192.168.0.255)

    24. Re:News at 11 by Cramer · · Score: 1

      His videos and animations show a netmask of 128.0.0.0. I don't know of any dhcp clients that will accept a 0.0.0.0 netmask. Also, his github repo doesn't include any of his system setup -- eg. the dhcp server configuration.
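The two threads above, tlhIngan's proposal to have the DHCP client reject any lease wider than a /16 and the netmask discussion (0.0.0.0 per the blog post, 128.0.0.0 per the videos), can be checked against a small routing model. This is an added example, not code from PoisonTap or from any OS; the routing table, lease and destination addresses are constructed. It shows why longest-prefix match, not interface priority, decides where traffic goes, and what the proposed lease sanity check would catch.

```python
"""Route selection on a laptop that accepts a DHCP lease with an absurdly wide
netmask, plus the lease sanity check proposed in the thread.
Added example; routes, leases and addresses are constructed."""
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """Dotted-quad netmask -> prefix length; ValueError if the mask bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def mask_is_contiguous(mask: str) -> bool:
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def dhcp_offer_is_sane(ip: str, mask: str, min_prefix: int = 16) -> bool:
    """The thread's rule: refuse a lease whose on-link segment is wider than /16.
    min_prefix is a policy knob assumed here; a client could also refuse any
    segment that would swallow addresses outside the lease's own prefix."""
    return mask_to_prefix(mask) >= min_prefix


def onlink_route(ip: str, mask: str) -> str:
    """Connected route an OS installs after accepting a lease,
    e.g. 1.0.0.2 with mask 128.0.0.0 becomes 0.0.0.0/1 (half the IPv4 space)."""
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network)


def select_route(routes, dst: str):
    """Longest-prefix match wins; metric only breaks ties between equal prefixes.
    This is the rule common kernels apply, so a 'low-priority' interface with a
    wide connected route still beats the Wi-Fi default route (0.0.0.0/0)."""
    dst_addr = ipaddress.IPv4Address(dst)
    best_key, best_iface = None, None
    for r in routes:
        net = ipaddress.IPv4Network(r["net"])
        if dst_addr in net:
            key = (net.prefixlen, -r["metric"])  # longer prefix, then lower metric
            if best_key is None or key > best_key:
                best_key, best_iface = key, r["iface"]
    return best_iface


# Constructed routing table: laptop on Wi-Fi before any USB device is attached.
WIFI_ROUTES = [
    {"net": "0.0.0.0/0", "iface": "wlan0", "metric": 600},       # default route via Wi-Fi
    {"net": "192.168.1.0/24", "iface": "wlan0", "metric": 600},  # the real LAN
]

# Constructed lease as the videos show it: address in 1.0.0.0/8 with netmask 128.0.0.0.
ROGUE_LEASE = ("1.0.0.2", "128.0.0.0")

# Same table after the USB "Ethernet" device is accepted at a worse metric.
ROGUE_ROUTES = WIFI_ROUTES + [
    {"net": onlink_route(*ROGUE_LEASE), "iface": "usb0", "metric": 1000},
]


def demo():
    """Summarise who carries traffic for a few constructed destinations."""
    return {
        "lease_accepted_by_policy": dhcp_offer_is_sane(*ROGUE_LEASE),
        "93.184.216.34": select_route(ROGUE_ROUTES, "93.184.216.34"),  # < 128.0.0.0: captured
        "203.0.113.5": select_route(ROGUE_ROUTES, "203.0.113.5"),      # >= 128.0.0.0: untouched
        "192.168.1.5": select_route(ROGUE_ROUTES, "192.168.1.5"),      # real LAN /24 still wins
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With netmask 0.0.0.0 the connected route becomes 0.0.0.0/0 and ties with the Wi-Fi default route on prefix length, so the metric would then decide; the /16 check rejects both variants.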

    25. Re:News at 11 by Agripa · · Score: 3, Funny

      The real test will be to see which OSes get patched first.

      The problem is HOW do you patch it.

      It is easy. Do what Apple does and remove the ports while requiring users to buy new systems.

  2. Okay... by 93+Escort+Wagon · · Score: 5, Informative

    "Once the device is positioned in the middle like this, it can steal the victim's cookies, as long as they come from websites that don't use HTTPS web encryption, according to Kamkar."

    While I do think the fact that this works at all is problematic... if you're doing anything non-trivial on any website which doesn't employ https, that information has likely been available to anyone who really wanted it already.

    --
    #DeleteChrome
    1. Re:Okay... by 0100010001010011 · · Score: 1

      I did this in college since our dorm still had a Hub. How is this new (other than being smaller)?

    2. Re:Okay... by sheramil · · Score: 1

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

    3. Re:Okay... by geekmux · · Score: 4, Insightful

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

      Corporate users hardly notice anything odd plugged into their systems. I could set a bowling ball under their desk and they probably wouldn't ask about it for a month, because that's not their job. They're far too busy doing the other three jobs they maintain now.

      For those of us managing the average user community, the problem is far more systemic than you dismiss here. Behavior modification is one of the hardest jobs in Security.

    4. Re:Okay... by rgbatduke · · Score: 1

      Behavior modification is one of the hardest jobs in Security.

      That's what the sucker rod is for...

      rgb

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    5. Re:Okay... by sudon't · · Score: 1

      if you're using your computer and you didn't notice the paperback-sized device plugged into one of your USB ports, you may have other problems.

      I walk into a lot of work places. What I see are a lot of those old "tower" boxes. You wouldn't see anything plugged into the back of one of those. Also, the device doesn't have to stay there forever. Not super-convenient, but workable. Also, the device is the size of a small cell phone, not the size of a paperback, and with a longer cable, and a little creativity, could be disguised and/or placed out of sight.

      --
      -- sudon't

      Air-ride Equipped

    6. Re:Okay... by chispito · · Score: 1

      It's roughly 2/3 the size of a business card. Even if it were the size of a paperback, would it be so easy to spot if it were taped under or behind your desk?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    7. Re:Okay... by pnutjam · · Score: 1

      I was discussing this with one of the security guys at work. He seemed to think the VPN software they use, which forces everything over the VPN for unknown networks, would prevent this from working. I tend to agree.

      Anyone want to weigh in? I know OpenVPN uses a similar routing entry to preempt traffic and force it into the VPN tunnel.

    8. Re:Okay... by acoustix · · Score: 1

      Does it need to be plugged directly into the desktop? Why not use a USB cable to hide it. Or the back of a monitor (many have USB hubs built-in now).

      There's many ways to hide these devices. The vast majority of users don't look over their work area before they start working.

      --
      "A plan fiendishly clever in its intricacies"- Homer Simpson
    9. Re:Okay... by SScorpio · · Score: 1

      Exactly, won't a more useful tool be one that clones the SSID and MAC of an open WAP at a coffee shop, overpowers the existing network, and then forcefully disconnects all the clients so they reconnect automatically to the hacking device?

      Only people using their own data connections would be safe, but who actually does that versus using the free connection?

      You could then do everything this does without needing to physically connect to the machine.

    10. Re:Okay... by JesseMcDonald · · Score: 1

      Only people using their own data connections would be safe...

      Or those using a VPN.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  3. Isn't this by Anonymous Coward · · Score: 1

    just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

    1. Re:Isn't this by aaarrrgggh · · Score: 1

      It is an offline attack, and all traces are removed quickly. There are a few things that it makes me want to switch to force https on my LAN, but even /. is https now...

    2. Re:Isn't this by sudon't · · Score: 2

      just a run of the mill man in the middle attack? How is that novel? And, where's the part where they break into the actual computer?

      Why not RTFA? You don't even have to google - the links are right at the top of this page.

      --
      -- sudon't

      Air-ride Equipped

  4. Pi Zero by amiga3D · · Score: 3, Interesting

    Yet another interesting use of a Raspberry Pi Zero. Give people a $5 computer and they just have to come up with something to use it for.

  5. Obligatory xkcd by slazzy · · Score: 4, Funny
    --
    Website Just Down For Me? Find out
    1. Re:Obligatory xkcd by davidwr · · Score: 1

      $5 hammer, $5 Pi. Well played sir, well played.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. Not the worst that can happen by djinn6 · · Score: 3, Informative

    If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

    1. Re:Not the worst that can happen by tepples · · Score: 1

      Which widely used computers encrypt RAM?

    2. Re:Not the worst that can happen by hcs_$reboot · · Score: 2

      Memory is not encrypted, applications that use memory may encrypt the data they put in it.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Not the worst that can happen by maelkum · · Score: 3, Interesting

      Not yet, but AMD Zen CPUs will have such a feature. Have some articles:

      http://wccftech.com/amd-zen-en...
      http://www.phoronix.com/scan.p...
      http://www.redgamingtech.com/a...

    4. Re:Not the worst that can happen by geekmux · · Score: 2

      If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      I think the more valid point being made here is the "specialized hardware" in this case costs five bucks, and can be purchased pretty much anywhere by anyone.

    5. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      If you have physical access and the computer is on, you can already read the contents of RAM with some specialized hardware. That gives you access to pretty much everything.

      The Amiga used Sram for memory. You could play say the game "Blood Money", turn off the system and then boot up with a disk with a program to view the memory.

      You could then grab the haunting music of the game or any other sound bite
      https://www.youtube.com/watch?...

      Sram is just about everywhere now, even Intel CPUs use it for its speed and ability to maintain its contents without being refreshed. You really can't tell what it's being used in anymore.

      I always turn off my system(s) for an extended period before I consider all its memory flushed. Not for security as much as being sure a possible memory problem that showed up is really gone.

    6. Re:Not the worst that can happen by Anonymous Coward · · Score: 1

      Yeh, in the iOS setup menu, select Processor tab, check 'encrypt processor', select apply and reboot.

    7. Re:Not the worst that can happen by citizenr · · Score: 1

      The Amiga used Sram for memory.

      no it didn't

      --
      Who logs in to gdm? Not I, said the duck.
    8. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      The Amiga used Sram for memory.

      no it didn't

      Yep sure did. I should have been more specific, the Amiga 3000 came with 2 megs stock (a guess) that was just memory, opposite that memory were memory slots for Sram you purchased separately, it was the only ram that would fit. I put in 10 megs of Sram which disabled the stock memory. I ran a Cnet BBS from it, an 8 line chat board so not much else. I'd search the Sram every now and again just to see what was there.

      Had a friend, not sure what Amiga he had, I thought a 500. It was what he did, he ripped music out of the ram. He'd load a game or whatever till he got to a point of his choosing, shut down, insert his floppy, boot back up and search the ram. I used Blood Money as an example due to its copy protection, yet it couldn't keep you out of the ram. He had quite the collection obtained just that way.

    9. Re:Not the worst that can happen by citizenr · · Score: 1

      No. Amiga used DRAM just like every home computer of that period. You are confusing a couple of things.
      1 you can reset the machine without losing ram contents, this was possible in pretty much every computer at the time.
      2 ramdisk for storing files in ram.

      SRAM is static, that means you don't need to refresh it = you can power down the whole computer leaving only the ram voltage rail. This is how storage worked on early portables like the Portfolio.

      --
      Who logs in to gdm? Not I, said the duck.
    10. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      No. Amiga used DRAM just like every home computer of that period. You are confusing a couple of things.
      1 you can reset the machine without losing ram contents, this was possible in pretty much every computer at the time.
      2 ramdisk for storing files in ram.

      SRAM is static, that means you don't need to refresh it = you can power down the whole computer leaving only the ram voltage rail. This is how storage worked on early portables like the Portfolio.

      Don't know if you went through the "computer wars", but to purchase an Amiga was to put oneself on the front line. I could have really gone off on this thread, a direction of nobody's real interest, or use.

      The main point of my first post was that Sram is everywhere and a reboot isn't resetting ones system, it takes a full shutdown and a wait.

      "SRAM is also used in personal computers, workstations, routers and peripheral equipment: CPU register files, internal CPU caches and external burst mode SRAM caches, hard disk buffers, router buffers, etc. LCD screens and printers also normally employ static RAM to hold the image displayed (or to be printed)."
      https://en.wikipedia.org/wiki/...

    11. Re:Not the worst that can happen by citizenr · · Score: 1

      there is no sram in amigas (except for 768 bytes of palette inside the Lisa chip)
      The difference between sram and dram is _not_ that one of them can keep the data over a reset, it's that one of them keeps data without explicit _refresh cycles_ when the rest of the computer is powered down completely. Reboot is not doing ANYTHING to ANY type of ram. Resetting a running computer without stopping the current program was standard on Intel 286 (dram simms) when switching from protected mode back to real addressing: https://blogs.msdn.microsoft.c... Windows 2 and XMS could do it multiple times per second, this was the early nineties.

      This is Amiga 3000 dram: http://www.ubbcentral.com/stor...

      as seen on page 6 of schematic http://www.amigawiki.de/dnl/sc...
      here is detailed specs: http://amiga.resource.cx/mod/a...
      and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard...
      even scan doubler FRAM is based on DRAM

      so again, there never was any sram in amigas

      ps: I have fixed computers on a component level since the nineties :/

      --
      Who logs in to gdm? Not I, said the duck.
    12. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      so again, there never was any sram in amigas

      I have an 8 Meg expansion card for the 2000, I only got as far as I needed
      http://amiga.resource.cx/searc...

      ps: I have fixed computers on a component level since the nineties :/

      Got a late start eh, I don't think many on /. haven't worked on computers

    13. Re:Not the worst that can happen by citizenr · · Score: 1

      I have an 8 Meg expansion card for the 2000, I only got as far as I needed
      http://amiga.resource.cx/searc...

      1 this is an A500 expansion
      2 this is a fast ram expansion, Amiga stores images/sounds in the chip ram (separate memory bus) so even if you had a third party sram expansion it would do nothing for you because pictures and music were stored in a different part of the computer. Amiga rasterizer and sound chips had no access to fast ram (where this particular sram extension installs). https://en.wikipedia.org/wiki/...
      3 again - what you described (reset to rip memory content) _never_ required a special memory type. You could do it on C64, Amiga, Atari, even consoles.
      4 pointing at third party products to corroborate your faulty memory is like claiming Honda Civics came with Spoon engines, T66 turbo, NOS, and MoTeC system exhaust.

      Got a late start eh, I don't think many on /. haven't worked on computers

      cute :)

      I get it man, you misremembered something and now just can't let go. It's ok, it's not the end of the world. I will leave you and your cognitive dissonance in peace.

      --
      Who logs in to gdm? Not I, said the duck.
    14. Re:Not the worst that can happen by Trax3001BBS · · Score: 1

      Got a late start eh, I don't think many on /. haven't worked on computers

      cute :)

      I get it man, you misremembered something and now just can't let go. It's ok, it's not the end of the world. I will leave you and your cognitive dissonance in peace.

      If I found it to be Sram you can sure bet I'd have sent off a message, so in all fairness.

      I stopped by my storage today to pick up my stereo with no HDMI. I'm going with digital optical connections instead - it's a much nicer receiver.

      Just so happened all my Amigas were there, so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram; it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that). In fact if you search for 9A9Z you get all sorts of answers of what it is.

      This ram allows the same search and grab as Sram, the bottom line being "Under some conditions, most of the data in DRAM can be recovered even if the DRAM has not been refreshed for several minutes."
      https://en.wikipedia.org/wiki/... How I got there https://groups.google.com/foru...

      So shutdown, wait then reboot.

      My Ram http://i66.tinypic.com/dx23uw....

    15. Re:Not the worst that can happen by citizenr · · Score: 1

      so I brought the 3000 home, snapped a shot of the ram and found it's not Sram and it's not Dram
      it's called static column ram - which is as close to Sram as you can get (but not Sram, yet we called it that).

      It's not close to sram at all other than the similarly sounding name, as I wrote in my previous post it is an improved variant of page mode DRAM:
      >and here a definition of "static column mode" in case you would somehow think this means SRAM: https://www.jedec.org/standard...

      even wiki has a section on it https://en.wikipedia.org/wiki/...

      In fact if you search for 9A9Z you get all sorts of answers of what it is.

      datasheet: http://datasheet.datasheetarch...
      the big hints are
      -a whole timing diagrams section on refresh
      -multiplexed address bus
      -the fact that 4Mbit sram chips didn't exist until 1993, and when they first showed up they were >$140 a pop!!!
      -and the fifth word of the datasheet reading 'dynamic' :-)

      This ram allows the same search and grab as Sram,

      Now we are moving 2 posts back. You are confusing two separate things, type of ram and ability to recover data after reset. Those two are independent.
      Both types of ram will keep their data mostly intact over a reset, and somewhat intact after total power loss depending on process size, temperature, time etc.
      The difference between SRAM and DRAM is in physical construction. One uses a multiple (4-8) transistor latch arrangement - you put a logic level in and it stays there until powered down. The other uses _one_ transistor and a capacitor and needs frequent refresh (recharging that capacitor).

      More transistors to build sram means more expensive, around x10 was the minimum. This is why in the nineties a 256KB sram cache for a PC motherboard cost around the same as a 4MB simm. This price difference (and use of slow processors) was the reason not a single Amiga featured sram.

      --
      Who logs in to gdm? Not I, said the duck.
  7. old news by Lehk228 · · Score: 1

    wait till he discovers ARP Poisoning

    --
    Snowden and Manning are heroes.
    1. Re:old news by hcs_$reboot · · Score: 1

      been done already
      (don't whooosh me or you'll be whoooshed in return!)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  8. Re:Kamkar is a foreign name by BlueStrat · · Score: 1

    Someone should inform Trump of this immediately. Kamkar is a foreign sounding name, he should be deported immediately. Put Steve Bannon on it right away!

    That'll fix it!

    What do you mean, he's already sacked Bannon?? That was quick.

    No worries. Trump already hired Steve's brother.

    https://youtu.be/diAGexlJtHk

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  9. Next from Kamkar: plain text can be read anywhere by guruevi · · Score: 1

    You don't even need access to the computer to do this "hack" - just use an existing network cable or be on the same network and you can read and modify any plain text sent over the wire. This isn't even "new", compromised USB network cards were all the rage 10 years ago when they first came out with those wallplug computers (before RPi even existed)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  10. There is some novelty here by davidwr · · Score: 5, Interesting

    Sure, you can do anything with physical access if you have some time on your hands.

    Sure, you can be persistent if you can leave something behind, like a modified keyboard.

    Sure, you can be persistent if you can install something, but that USUALLY requires either the ability to use the mouse or keyboard on an unlocked machine or tricking the user to do so for you.

    The novelty here is that it's a "plug it in, wait a few minutes, unplug it, and walk away" compromise, AND it doesn't make any permanent hardware changes such as blowing up your PC by sending a few hundred volts down the USB ports.

    It's also novel in that it exposes a design flaw that should've been noticed and widely discussed decades ago.

    By the way, am I the only one that remembers Thick Ethernet, aka 10BASE5, and its "vampire taps"?

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:There is some novelty here by Anonymous Coward · · Score: 3, Insightful

      The biggest flaw is that the OS doesn't ask if the user wants to install the device, but this exploit has been known for years. Just look up "BadUSB exploit".

    2. Re:There is some novelty here by iggymanz · · Score: 2

      well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

      *snooze*

    3. Re:There is some novelty here by chispito · · Score: 1

      I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

      *snooze*

      You didn't read TFA. It requires an available USB port and a minute or two. That's it. It does not require pass through and does not interrupt the network connectivity of the running machine, and has a good chance to work on an average workstation (a workstation that is locked with a web browser open). It also is an incredibly cheap tool:

      It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    4. Re:There is some novelty here by davidwr · · Score: 1

      laptop with ... no actual moving parts

      I assume you mean fanless and optical-drive-less in addition to the SSD hard disk that you mentioned.

      Convection cooling is nice but sometimes I miss the optical drive.

      I guess circulating air, circulating electrons, and vibrating atoms don't count as "moving parts" in this context.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    5. Re:There is some novelty here by iggymanz · · Score: 1

      I read TFA. If I have physical access to machine there is no end to the bad things I can do. Not impressed

    6. Re:There is some novelty here by suutar · · Score: 1

      how many of them can you do without even unlocking the screen and thereby indicating to the user that something changed? (Serious question - the two factors here that seem to make it interesting are low cost and low visible impact.)

    7. Re:There is some novelty here by drinkypoo · · Score: 1

      It also is an incredibly cheap tool:
      It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:There is some novelty here by chispito · · Score: 1

      It also is an incredibly cheap tool: It requires a $5 Raspberry Pi, a microSD card of probably 4GB or greater, and a USB micro cable. It doesn't even need to be powered, as the Pi is powered from the host.

      A $5 R-Pi is actually substantially more expensive for everyone who doesn't live near a Micro Center. (Why oh why can't they put it in Rat Shack? I have one of those near me. They are everywhere. Oh, that's why. They can't make that many.) But a $9 CHIP can be had for less than typical Pi Zero prices on the interwebs, and it has onboard flash.

      Adafruit and other online vendors have had them in stock for most of the year. Can the CHIP connect as a USB device?

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  11. Re:What the fuck? by FatdogHaiku · · Score: 1

    Because it steals your browser's cookies.

    It's a Monster!
    A Cookie Monster!!!
    Also, a guy was sighted near or in a trash can...
    said trash can may actually be a giant cantenna!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  12. Useful for Espionage by Anonymous Coward · · Score: 1

    Made me think about who this will really affect. I mean, who among us really leaves their browser window open and then logs out or times out from inactivity? I don't, simply so as not to waste the CPU cycles when I know I'll be AFK long enough for inactivity to log me out. Most of the people I think this could affect are at businesses and on corporate workstations. They usually have a very short inactivity timer, log out whenever AFK, and leave their browsers open while logging out. If your next thought is "well, who wants to compromise a single workstation anyway?", what if it belongs to the admin in a server room? Perhaps a datacenter? Right tool for the right job, and this certainly has espionage written all over it.

  13. Joke's on you by aonic · · Score: 5, Funny

    My Macbook doesn't have any USB ports!

    1. Re:Joke's on you by Anonymous Coward · · Score: 1

      nice one ;)

    2. Re:Joke's on you by hcs_$reboot · · Score: 1

      Next Apple will remove wifi access and you'll have the safest computer on Earth!

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  14. it's stupid and could be WAY "better". by gl4ss · · Score: 3, Insightful

    what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

    how is plugging a computer into a network an offline attack?

    requiring physical access is less novel, especially when there are a number of attacks described where if you can place something like that, you could just get the keyboard codes by audio, em and a number of other ways - or heck, do this attack over recording the led at the router.

    also it requires you to be logged into the sites already, the sites to not be https.. sorry about the yelling but this seems like a dolt just taking an existing concept, putting it on a raspberry pi and claiming fame based on that.

    --
    world was created 5 seconds before this post as it is.
    1. Re:it's stupid and could be WAY "better". by gravewax · · Score: 1

      what's puzzling is that why it doesn't just get full access as YOU COULD JUST REDIRECT THE STUFF TO SOMETHING THAT CAUSES WINDOWS TO SEND THE MS ACCOUNT PASSWORD AND USERNAME IN PLAIN TEXT.. and while at that create a tunnel that stays once it gets plugged to real internet.

      because to send it to the MS account site you would need to man in the middle the SSL tunnel which in turn requires you to have either compromised the computer already with a fake CA to be trusted or have a compromised public CA. basically nothing at all remotely interesting with this attack.

    2. Re:it's stupid and could be WAY "better". by AmiMoJo · · Score: 1

      Windows versions since Vista won't send plaintext passwords without the user first confirming that the network is a trusted one. I think since 8 they disabled even that, or it might have been 8.1.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  15. What is this "ethernet jack" you speak of by rsborg · · Score: 2

    well gosh golly gumpers, I can also plug an evil thing into the ethernet jack, and then plug that evil thing into the wired network, and do all manner of bad also. Hell I can substitute an evil hub for a good one and do even more bad. where will it end?

    *snooze*

    I have no ethernet jack - I have a Mac, you insensitive clod.

    --
    Make sure everyone's vote counts: Verified Voting
  16. The latest Macs need dongles by Neo-Rio-101 · · Score: 3, Funny

    The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

    --
    READY.
    PRINT ""+-0
    1. Re:The latest Macs need dongles by houghi · · Score: 1

      Yes, but that would up the price to 104.99USD.

      --
      Don't fight for your country, if your country does not fight for you.
    2. Re:The latest Macs need dongles by Anonymous Coward · · Score: 1

      the mac user will have already bought the dongle because their expensive shiny turd is a brick without them.

    3. Re:The latest Macs need dongles by chispito · · Score: 1

      The latest Macs don't even have many ports of which to speak. Did the attacker bring a dongle with them?

      The $9 adapter approximately doubles the cost of the kit, on top of the $5 pi, mSD card and usb micro cable:

      http://www.apple.com/shop/product/MJ1M2AM/A/usb-c-to-usb-adapter?fnode=85

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  17. So you're telling me... by ArylAkamov · · Score: 1

    Physical access is king?

    How is this news? In high school, I was stealing admin passwords with OPHcrack and selling them to other kids. Took less than 5 minutes to do.

  18. Obligatory xkcd by cfalcon · · Score: 5, Funny
  19. Re: Kamkar is a foreign name by Anonymous Coward · · Score: 1

    Unless your name is drawn from nature and given to you according to your Native American tribe's traditions, then it must also be a foreign name.

  20. 'This text can hack your computer' by Anonymous Coward · · Score: 1

    Even better flamebait :
    'This text can hack your computer'
    just by reading this text, your computer has been hacked!! of course you need to have physical access to the computer and the person, a baseball bat, a wrench, an installation of kali linux on a usb drive, a non encrypted disk, cotton candy, and a captain crunch whistle ( optional, but very amusing )

    1. Re:'This text can hack your computer' by AK+Marc · · Score: 2

      And that guy's leg.

    2. Re:'This text can hack your computer' by Trax3001BBS · · Score: 2

      Even better flamebait :
      'This text can hack your computer'
      just by reading this text, your computer has been hacked!!

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      Tag.

  21. He'll have to buy an Apple dongle for $200 by Anonymous Coward · · Score: 1

    The attacker will have to buy an Apple dongle for $200.

  22. general USB insecurity problem by Anonymous Coward · · Score: 1

    a good way to expose the excessive trust that Mac and Windows computers have in network devices.

    The problem is wider. The trust is wrongfully placed on USB devices in general, not just network devices. The simple fact that OS X and Windows auto-mount anything inserted into their slots is just pissing me off. I think some "user-friendly" Linux distributions are also doing that. It's too hard to click an "allow" button anymore, not to mention using the terminal to type mount commands.

    A much bigger problem is that device manufacturers typically don't care about security, allowing anyone to update their firmware with unsigned and potentially malicious code. It's not only important to always protect your computer from physical access: any time you plug in a USB device that was left unattended, you are at risk of running malware.

  23. The news is by terminal.dk · · Score: 1

    No news. But it is selling the weakness of non-HTTPS as something new. This is so old school.
    But hopefully somebody can get the budget to implement HTTPS, or whatever the purpose was.

  24. Or you know, tap into the wan.. by Tyr07 · · Score: 1

    Right and if you plug in a device straight into their ethernet port that snoops the line..

    Anyway..OH MY GOSH NEWS NEVER KNEW!?!?!

  25. MITM novel? by Anonymous Coward · · Score: 1

    > Man in the middle attack

    > Novel attack

    Sounds pretty contradictory to me.

  26. Title and summary are complete bullshit by Anonymous Coward · · Score: 1

    This attack can in no way determine operating system passwords. It cannot "hack your locked computer".

    Now if they had described powering off the computer and then booting it from external media running something like l0phtcrack, then they would be actually "hacking your (no longer) locked computer" - that's only if you do not have a BIOS power-on password set.

    Hey, if I have physical access why not just remove the hard-disk(s) and put it in another system?

    And neither of these approaches would be news.

    This is fucking retarded bullshit clickbait. There is no story.

  27. Re:What the fuck? by Anonymous Coward · · Score: 1

    Is this seriously a story? You don't even need a device to plug in to do this. Why would there need to be a browser open in the background? What the fuck is "Motherboard"? Fucking hipsters.

    This is a valid attack that could be executed on just about any corporate desktop sitting idle and locked, since most corporate desktops still run Windows and users still maintain elevated rights to support antiquated corporate software.

    You might realize this if you were in charge of more than your porn server in your mother's basement.

  28. Re:What the fuck? by Anonymous Coward · · Score: 1

    c'mon, "however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap's local network", e.g. telling a PC that the entire IPv4 space is LAN to gain priority over installed adapters, is frigging genius.
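
The lease trick quoted in this comment can be checked for before a host accepts a lease: a normal lease makes a small subnet on-link, a hostile one makes all of IPv4 on-link or hands out routes more specific than the default route. This is an added defender-side example, not PoisonTap's code and not anything from Kamkar's write-up; the DhcpLease structure, its field names and all sample addresses are constructed assumptions.

```python
"""Flag a DHCP lease that tries to make the whole Internet look 'on-link'.

Added example (not PoisonTap's code and not from Kamkar's write-up). A normal
lease says a small subnet is local; a hostile one says 0.0.0.0/0 is local, or
hands out 0.0.0.0/1 + 128.0.0.0/1 routes, so longest-prefix matching steers
every packet to the new interface ahead of the existing default route. The
DhcpLease shape, field names and all sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

IPV4_TOTAL = 2 ** 32


@dataclass
class DhcpLease:
    interface: str
    address: str            # yiaddr from the DHCPACK
    subnet_mask: str        # DHCP option 1, dotted quad
    # DHCP option 121 (classless static routes) as ("prefix", "gateway") pairs
    classless_routes: list = field(default_factory=list)


def lease_prefixes(lease):
    """Every prefix the lease asks the host to reach through this interface."""
    onlink = ipaddress.ip_interface(f"{lease.address}/{lease.subnet_mask}").network
    routed = [ipaddress.ip_network(prefix) for prefix, _gw in lease.classless_routes]
    return [onlink] + routed


def covered_fraction(prefixes):
    """Fraction of the IPv4 space the merged prefixes cover (1.0 = everything)."""
    merged = ipaddress.collapse_addresses(prefixes)
    return sum(net.num_addresses for net in merged) / IPV4_TOTAL


def audit_lease(lease, widest_onlink=8, max_fraction=0.5):
    """Return human-readable findings; an empty list means an ordinary LAN lease."""
    findings = []
    onlink = lease_prefixes(lease)[0]
    if onlink.prefixlen < widest_onlink:
        findings.append(f"{lease.interface}: on-link subnet {onlink} is wider than /{widest_onlink}")
    for prefix, gateway in lease.classless_routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= 1:  # a /0 or /1 route beats the host's existing default route
            findings.append(f"{lease.interface}: route {net} via {gateway} overrides the default route")
    fraction = covered_fraction(lease_prefixes(lease))
    if fraction >= max_fraction:
        findings.append(f"{lease.interface}: lease claims {fraction:.0%} of IPv4 through this interface")
    return findings


# Constructed sample leases: one ordinary, two of the "everything is local" kind.
BENIGN = DhcpLease("eth0", "192.168.1.23", "255.255.255.0")
WHOLE_NET_MASK = DhcpLease("usb0", "10.0.0.5", "0.0.0.0")
SPLIT_DEFAULT = DhcpLease("usb0", "172.16.0.5", "255.255.255.0",
                          [("0.0.0.0/1", "172.16.0.1"), ("128.0.0.0/1", "172.16.0.1")])

if __name__ == "__main__":
    for lease in (BENIGN, WHOLE_NET_MASK, SPLIT_DEFAULT):
        print(lease.interface, audit_lease(lease) or ["ok"])
```

A real client would feed the parsed DHCPOFFER/ACK options into DhcpLease and refuse (or at least log) any lease that returns findings.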

  29. Dupe by drinkypoo · · Score: 2

    We discussed this previously. Too lazy to find the conversation, but then, so are the Slashdot "editors". This is actually a non-problem in a Windows corporate environment because if you have not already prevented users from installing hardware via group policy, you have already failed as a Windows admin.

    It's not terribly difficult to prevent hardware hotplugging on Linux.

    Couldn't tell you about Mac, don't care.

    Wank wank, flonk flonk.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  30. Setec Astronomy by zifn4b · · Score: 1
    --
    We'll make great pets
  31. As long as they are not using HTTPS.... by Lumpy · · Score: 2

    So that means it's pretty ineffective. Everything that is important to me is HTTPS, even my router's config pages.

    I have yet to see any important site not force HTTPS. Will this see that I log into "fluffybunnypodcast.com" with the username bunnyman42 and the password 12345? Yep. But I fully expect that the Chinese hackers already have this, as I really don't care if they get free copies of the latest free fluffybunny broadcast.

    --
    Do not look at laser with remaining good eye.
  32. Re:This means nothing by rgbatduke · · Score: 3, Interesting

    ....and, good luck reading my fully encrypted hard drive when you get it home. For that, you might need the $5 billion NSA complex. Or (as noted above) a $5 wrench and physical access to my person.

    Which would work, very quickly actually. I don't keep anything on a computer drive, encrypted or not, that I wouldn't want my mother to read. Or the Feeb. Or Soviet Russia, where your disk reads you! Because seriously, if somebody REALLY REALLY wants to get into your disk, and you're not dead, they probably can. With 4096 bit encryption and a nice long pseudorandom key, maybe not. But only MAYBE, and over time, it is even probable that they will eventually be able to do so. I remember a time when 6 digit passwords were relatively safe. Then 7. At this point 8 in lower case ASCII is easily searchable by the NSA or anyone with teraflop resources, and teraflop resources aren't even that expensive, petaflops are out there. If one assumes 64 characters, it is still only order of 10^15 permutations, so a petaflop cluster could do it in minutes, a teraflop cluster in days, and that's if one chooses a GOOD password that is essentially random. At this point, I'm not sure that a 12 character password is secure against NSA-level exhaustive attacks, although with 10^22 possibilities it would start to take a while even with a petaflop -- say a couple or three years. Again, unless you use a truly random 12 character string, they can probably cut this down to months just by searching on the most probable strings first.

    But if I were alive, and (say) my hard drive had the coordinates of a nuclear bomb planted somewhere in Manhattan, I'm guessing that they'd opt for the drugs and the wrench and a bit of electricity applied to the testicles to see if they couldn't get the key in minutes instead of weeks or months. Cheaper, faster, and who takes the Constitution seriously any more anyway?

    rgb

    --
    Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
  33. This hack is not dangerous at all by Yvan256 · · Score: 1

    According to people right here on Slashdot, you can't find the Raspberry Pi Zero anywhere.

  34. So where can we buy one? by JustAnotherOldGuy · · Score: 1

    As above, where can we buy one?

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:So where can we buy one? by pem · · Score: 1

      Those $5 computers are easy to buy if you're willing to spend $50.

  35. Why not just use a regular usb stick? by slapout · · Score: 1

    Sounds like a hardware version of a proxy.

    --
    Coder's Stone: The programming language quick ref for iPad
  36. Positioning by phorm · · Score: 1

    It also depends on where the computer is positioned. If it's under the desk with rear USB ports available it's going to be fairly trivial to hide such a device (possibly a bit harder to get at surreptitiously, but just wear a badge that says "IT Dept" for that).

    In certain more high security environments I've seen them do things like glue the keyboard/mouse into the computer and use a special cover (or just hot glue in some cases) to block out any unused ports. Makes it a big PITA when you actually need to use those ports.

  37. Here's your attack scenario by Opportunist · · Score: 1

    Coworker goes to lunch and locks his PC, you go and steal his cookies and mess with his project files while making it look like it's him.

    Many fat client applications have been replaced by REST apps and web based approaches, and many companies do not use HTTPS for servers that can only be accessed internally. Yes, even companies that should be security conscious. The attack scenario is not webservers out on the internet but company-internal servers. Once I was even told by a client that this actually increases their security because port 80 is never accessible from the outside, so it's safer (I still have the bite marks on my tongue, I think).

    And locking USB ports isn't always an option.

    Though I have to say, I'm very glad this happened, for it will certainly support my case for more encryption even for servers that have no business communicating to the outside world.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  38. apk you are forgiven by lucm · · Score: 1

    APK, you asked for forgiveness, and I forgive you.

    https://hardware.slashdot.org/...

    Maybe it's time to move on with your life.

    --
    lucm, indeed.