If you lock your computer and walk away, it takes only 30 seconds for a hacker armed with a small $5 Raspberry Pi Zero, which is loaded with devious code, to completely pwn your password-protected computer and install remotely accessible backdoors.
PoisonTap, the latest creation of hacker and developer Samy Kamkar, has a long list of wicked slick capabilities, including the fact that after an attacker removes the device from a USB port, a backdoor and remote access persist in both your browser and your router.
When inserted into a USB port, PoisonTap presents itself as a USB Ethernet adapter. Even locked, the computer asks the new adapter for an address over DHCP, and PoisonTap answers that the entire IPv4 address space sits on that new local network. A route to a directly attached network is more specific than the default route through the real Wi-Fi or Ethernet gateway, so the operating system sends all internet traffic to the Pi even though the USB adapter is a low-priority interface.
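To see why a low-priority adapter wins, here is a small longest-prefix-match route lookup. It is an added JavaScript example, not PoisonTap's own code; the routing table, the two /1 prefixes used to cover all of IPv4 and the addresses are constructed (the article does not say which prefixes PoisonTap's DHCP server actually advertises).

```javascript
// Added example, not PoisonTap's code: a longest-prefix-match route lookup
// showing why a low-priority USB network adapter can still capture all
// internet traffic. Prefix length is compared first; interface metric only
// breaks ties. The two /1 routes are a constructed illustration (the article
// does not say which prefixes PoisonTap's DHCP server actually advertises).

function ipToInt(ip) {
  const [a, b, c, d] = ip.split('.').map(Number);
  return ((a << 24) | (b << 16) | (c << 8) | d) >>> 0;
}

function prefixLength(prefix) {
  return Number(prefix.split('/')[1]);
}

// Does the IPv4 address fall inside "network/len"?
function matches(ipInt, prefix) {
  const [net, lenStr] = prefix.split('/');
  const len = Number(lenStr);
  if (len === 0) return true;                       // 0.0.0.0/0 matches everything
  const mask = (0xFFFFFFFF << (32 - len)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Pick the route every OS would pick: the most specific matching prefix,
// and among equally specific prefixes the one with the lowest metric.
function lookupRoute(table, dstIp) {
  const dst = ipToInt(dstIp);
  let best = null;
  for (const r of table) {
    if (!matches(dst, r.prefix)) continue;
    const len = prefixLength(r.prefix);
    if (best === null || len > prefixLength(best.prefix) ||
        (len === prefixLength(best.prefix) && r.metric < best.metric)) {
      best = r;
    }
  }
  return best;
}

function egressInterface(table, dstIp) {
  const r = lookupRoute(table, dstIp);
  return r ? r.iface : null;
}

// Constructed table for a laptop on Wi-Fi: wlan0 is the preferred interface
// (lowest metric) and owns the default route.
const ROUTES_BEFORE = [
  { prefix: '0.0.0.0/0',      iface: 'wlan0', via: '192.168.1.1', metric: 100 },
  { prefix: '192.168.1.0/24', iface: 'wlan0', via: 'link',        metric: 100 },
];

// After PoisonTap's DHCP answer: usb0 is a lower-priority interface (higher
// metric), but the host now believes all of IPv4 is directly attached to it.
const ROUTES_AFTER = ROUTES_BEFORE.concat([
  { prefix: '0.0.0.0/1',   iface: 'usb0', via: 'link', metric: 600 },
  { prefix: '128.0.0.0/1', iface: 'usb0', via: 'link', metric: 600 },
]);
```

With `ROUTES_AFTER`, a packet for any public address such as 93.184.216.34 goes out `usb0`, because a /1 is more specific than the /0 default route and the metric is never consulted. Traffic to the real LAN (192.168.1.0/24) still leaves by `wlan0`, since that /24 is more specific still. Interface service order and gateway priority never get a say, which is the whole trick.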
Locking the screen, on a Mac or a PC, does not stop the browser. If any tab is open to a site loaded over plain HTTP, the page keeps issuing HTTP requests in the background (ads, analytics beacons, periodic polling), and PoisonTap now sits in the path of every one of them. It intercepts all unencrypted web traffic and sends the data to an attacker-controlled server. By capturing authentication cookies sent in the clear, an attacker can get into a user's personal accounts.
Kamkar explained that PoisonTap siphons and stores all HTTP cookies it sees. To harvest more than the one site the victim happens to have open, it answers an intercepted request with a page that inserts hidden iframe tags for the Alexa-ranked top one million websites; the browser loads each of those sites over HTTP and attaches whatever cookies it holds for them. Because the attacker replays already logged-in sessions rather than logging in, two-factor authentication is bypassed: the session cookie is what a completed 2FA login produces, so the attacker never has to pass the second factor.
If a site uses HTTPS but did not set the Secure flag on its cookies, the browser still sends those cookies on a plain http:// request to the same host, so the device can snarf them as well and give a hacker access to the user's personal accounts.
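The following added JavaScript example (not PoisonTap's own code) models the browser's cookie-sending rules to show what the hidden-iframe trick collects and why the Secure flag matters. The cookie jar, hostnames and site list are constructed.

```javascript
// Added example, not PoisonTap's code: a minimal model of the browser's
// cookie-sending rules (RFC 6265 section 5.4), used to show what the
// hidden-iframe trick collects. Cookie jar, hostnames and site list are constructed.

function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: responseHost.toLowerCase(),
    hostOnly: true,           // no Domain attribute: sent to this host only
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;  // sent to the domain and all its subdomains
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Cookies the browser attaches to a request for url. A Secure cookie is only
// sent over https://. HttpOnly changes nothing here: the request is made by
// the browser itself, not by page script, so HttpOnly cookies ride along.
function cookiesSentTo(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatches(u.hostname, c))
    .filter(c => !c.secure || u.protocol === 'https:')
    .map(c => `${c.name}=${c.value}`);
}

// The page PoisonTap returns in place of whatever the victim's tab asked for:
// one hidden iframe per target site, all over plain http://.
function hiddenIframePage(hosts) {
  return hosts
    .map(h => `<iframe src="http://${h}/" style="display:none"></iframe>`)
    .join('\n');
}

// What the man-in-the-middle sees as the browser loads those iframes.
function cookiesLeaked(jar, hosts) {
  const leaked = {};
  for (const h of hosts) {
    const sent = cookiesSentTo(jar, `http://${h}/`);
    if (sent.length > 0) leaked[h] = sent;
  }
  return leaked;
}

// Constructed jar: a logged-in user of two sites.
const JAR = [
  // HttpOnly but not Secure: still sent over http://
  parseSetCookie('session=abc123; Path=/; HttpOnly', 'www.bank.example'),
  // Secure: withheld from any http:// request
  parseSetCookie('auth=xyz789; Domain=.shop.example; Path=/; Secure; HttpOnly', 'shop.example'),
  // Neither flag, domain-wide: sent to every shop.example subdomain over http://
  parseSetCookie('prefs=dark; Domain=.shop.example; Path=/', 'shop.example'),
];
const TOP_SITES = ['www.bank.example', 'www.shop.example', 'news.example'];
```

Running `cookiesLeaked(JAR, TOP_SITES)` reports the bank session cookie and the shop preference cookie; the shop's Secure `auth` cookie never appears, because the browser refuses to put it on an http:// request. Note that HttpOnly does not help against this attack, and nor does being logged out of a site the iframe page lists, which simply yields no cookies. Two things the model leaves out: path scoping, and the SameSite attribute, which modern browsers apply by default (Chrome treats cookies without SameSite as Lax since 2020) and which keeps such cookies off cross-site iframe loads, blunting the iframe step in current browsers.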
PoisonTap “installs a web-based backdoor in HTTP cache for hundreds of thousands of domains and it works even when a computer is password-protected,” Kamkar said. Since PoisonTap controls every HTTP response, it can serve its own JavaScript for a URL on each target domain with cache headers that tell the browser to keep it for a very long time. The cache stays poisoned after PoisonTap is removed, giving the attacker a foothold on every domain that received the code. The backdoor is plain JavaScript that runs inside the browser rather than a binary installed on the system, so anti-malware tools will not flag it.
Kamkar said PoisonTap “produces a persistent WebSocket to an attacker’s web server;” it stays open, “allowing the attacker to, at any point in the future, connect back to the backdoored machine and perform requests” in the context of whichever of the top one million Alexa-ranked sites has the backdoor cached.
Additionally, Kamkar said a hacker can remotely force a user’s “backdoored browser to perform same-origin requests on virtually any major domain, even if the victim does not currently have any open windows to that domain.” He added, “If the backdoor is opened on one site (e.g., nfl.com), but the user [hacker] wishes to attack a different domain (e.g., pinterest.com), the attacker can load an iframe on nfl.com to the pinterest.com backdoor.”
Because that request “will hit the cache that PoisonTap left rather than the true domain,” the browser treats the attacker’s script as genuine pinterest.com content, and “X-Frame-Options, Cross-Origin Resource Sharing, and Same-Origin Policy security on the domain is entirely bypassed.”
PoisonTap also gives a hacker remote access to the victim’s internal router: it “force-caches a backdoor” and produces “a persistent DNS rebinding attack,” so the backdoored browser can later be pointed at the router’s internal address. With that access, Kamkar said, a hacker can potentially exploit default admin credentials or other authentication weaknesses on the router.
Just locking a computer with a password won’t cut it. Short of filling your USB ports with silicon or cement, Kamkar suggested closing your browser every time you walk away from your computer, since the attack needs a page that is still making HTTP requests. He said Mac users should enable FileVault2 and put the Mac to sleep, rather than merely locking it, before walking away.
For people running web servers, he suggested serving sites over HTTPS only with HSTS, so that browsers refuse to make plain HTTP requests to the site, and setting the Secure flag on cookies so they are never sent in the clear. You can check out all the details about PoisonTap on Kamkar’s site or on GitHub.
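The cache-poisoning backdoor described above and the HSTS mitigation, as an added example that is not code from PoisonTap or the article: a toy browser with a URL-keyed HTTP cache and an HSTS host list. The hostnames, the backdoor.js path and the header values are constructed; the cache-key and HSTS-upgrade rules are the ones real browsers apply.

```javascript
// Added example, not PoisonTap's code: a toy model of the browser HTTP cache
// showing (a) how an intercepted response with a long freshness lifetime stays
// cached after the Pi is gone, (b) why an iframe from nfl.com to a cached
// pinterest.com URL never leaves the machine, and (c) why HSTS defeats it.
// Hosts, the backdoor.js path and header values are constructed.

function freshnessLifetime(headers) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  if (/no-store/.test(cc)) return 0;
  const m = cc.match(/max-age=(\d+)/);
  return m ? Number(m[1]) : 0;   // no explicit lifetime: uncacheable in this model
}

class Browser {
  constructor() {
    this.cache = new Map();   // key: the full URL, scheme included
    this.hsts = new Set();    // hosts that have sent Strict-Transport-Security
    this.now = 0;             // seconds; advanced by the scenario
  }
  // HSTS: a known host is never contacted over http://, the URL is rewritten first.
  resolve(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.hsts.has(u.hostname)) u.protocol = 'https:';
    return u.href;
  }
  fetch(url, network) {
    const key = this.resolve(url);
    const hit = this.cache.get(key);
    if (hit && hit.expires > this.now) return { body: hit.body, from: 'cache' };
    const resp = network(key);            // whatever currently sits between us and the origin
    if (resp === null) return { body: null, from: 'offline' };
    if (resp.headers['strict-transport-security']) this.hsts.add(new URL(key).hostname);
    const ttl = freshnessLifetime(resp.headers);
    if (ttl > 0) this.cache.set(key, { body: resp.body, expires: this.now + ttl });
    return { body: resp.body, from: 'network' };
  }
}

// Phase 1: PoisonTap is plugged in. Every http:// request, whatever the host,
// gets the attacker's script back with a year-long cache lifetime.
function poisonTapNetwork(url) {
  if (!url.startsWith('http:')) return null;   // the Pi cannot forge TLS responses
  return { body: 'BACKDOOR_JS', headers: { 'cache-control': 'public, max-age=31536000' } };
}

// Phase 2: PoisonTap removed; the real origins answer again, with HSTS over https.
function realNetwork(url) {
  const u = new URL(url);
  const headers = u.protocol === 'https:' ? { 'strict-transport-security': 'max-age=31536000' } : {};
  return { body: `real:${u.hostname}`, headers };
}

function scenario() {
  const b = new Browser();
  // The victim's open tab keeps polling over http:// while locked; PoisonTap
  // answers with the iframe page and each iframe fetches a backdoor URL.
  for (const h of ['nfl.com', 'pinterest.com']) b.fetch(`http://${h}/backdoor.js`, poisonTapNetwork);

  // Three days later, Pi long gone. The cached nfl.com backdoor frames the
  // pinterest.com backdoor URL: served from cache, pinterest.com never contacted.
  b.now = 86400 * 3;
  const later = b.fetch('http://pinterest.com/backdoor.js', realNetwork);

  // Once the browser has seen pinterest.com's HSTS header over https://, the
  // http:// URL is rewritten before the cache lookup and the poisoned entry never matches.
  b.fetch('https://pinterest.com/', realNetwork);
  const afterHsts = b.fetch('http://pinterest.com/backdoor.js', realNetwork);
  return { later, afterHsts };
}
```

`scenario()` returns the poisoned script from cache for the cross-domain iframe load, and the genuine origin response once HSTS is in effect. Two caveats a defender should keep in mind: HSTS only protects a host the browser has already seen the header from (or one on the browsers' preload list), so a first visit over http:// is still exposed; and browsers that partition the HTTP cache by top-level site (Chrome since 2020, and other major browsers) key the nfl.com-framed request differently from a direct pinterest.com visit, which blunts the cross-domain iframe step in current browsers. The model ignores both partitioning and cache validators.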