A proof of concept from security researcher and software developer Samy Kamkar shows that macOS, Windows, and Linux computers can have any previously active Web logins hijacked merely by plugging in a tiny Unix device via USB or Thunderbolt, even if the computer is locked and password protected, and possibly even when it seems to be asleep. It can also hijack many router brands on the same network.
PoisonTap exploits several interlocked network and browser design features, rather than relying on an operating system, hardware, or browser flaw. This will make it harder to root out and resolve. Kamkar said in an interview, “The interesting attacks to me are by design: how do you exploit the protocol rather than a single buffer overflow that gets patched the next day.”
Kamkar debated how to release news of this flaw, but it’s such a long-standing problem in plain view, that he believes it’s likely been found quietly before. There was no one company or product affected, but effectively all of them. “This is a continuous problem we’ve had for years and years and years,” he said. “I just had to release it.”
The good news, however? Someone needs physical access to your machine, although only for 30 to 60 seconds. And quitting your browser before walking away from your computer mitigates the attack entirely.
Operating system makers and router makers will be able to release broader mitigations too, if they decide they care about it.
When you attach a device that offers a network interface, like a USB-to-ethernet adapter, all major modern desktop operating systems discover it when it’s plugged in, and immediately add it to your list of network connections. This also works over Thunderbolt on a Mac and some other systems with Thunderbolt support. (You can install third-party software on some platforms that blocks new networks, but this attack might bypass those because of how it works.)
The PoisonTap proof of concept relies on the Raspberry Pi Zero platform, a tiny $5 computer that runs Linux and has various interfaces. When a PoisonTap device is plugged in via USB or Thunderbolt, it boots in about 30 to 60 seconds and identifies itself as a network adapter.
With a normal network adapter connected to a normal network that uses automatic assignment (via DHCP), the operating system tries to assign an address by asking for one over the adapter. A networked DHCP server hears the request and responds with an offer of an IP (Internet Protocol) address on the local area network (LAN), the LAN’s address range for other local devices, and the address of the gateway or router.
A computer doesn’t have to be awake and unlocked. USB and Thunderbolt network adapter recognition happens automatically whenever the OS is active. Even if the OS is seemingly asleep, it may accept and manage USB and Thunderbolt connections in its low-function level.
PoisonTap acts as both adapter and fake network, and responds with a network range that encompasses all Internet address. On a Mac, automatically added networks are dropped to the bottom of the list in the Network pane of System Preferences, which gives them a lower priority, meaning they should be ignored for most purposes unless the higher-ranked network connections (like Wi-Fi or ethernet) are unavailable.
But by assigning the entire Internet as the network range, Kamkar bypasses this restriction, and can respond effectively to any request.
The PoisonTap device now waits for any unencrypted Web connection. If you have any tab open in a browser, even on what seems to be an encrypted (https) page, your browser is probably sending out background requests to ad networks to refresh ads, to beacons that monitor your time on a page, and to any number of other status updates and page-element refreshes. “Everyone I know and work with and myself—I have 20 to 30 tabs open and a couple of windows,” Kamkar said.
As soon as one of those requests is made, PoisonTap leaps into action. It hijacks the request and replies with a page that loads the top million sites ranked by Alexa—yes, a million—background connections that are invisible when viewing the Web browser. Kamkar says he uses a technique that causes a page to be retrieved without rendering it in the browser, even invisibly, which allows what should be a crippling set of operations to happen.
The goal is to grab Web session tokens stored as browser cookies and then ship them back to the attacker through a connection that’s also created in the browser. Opening a session from a browser that has previously logged in causes the browser to issue a request that contains a stored cookie, which often allows a session to continue without re-entering a user name and password. The PoisonTap device intercepts those connections and grabs the cookie as well as any other information.
While those cookies should be sent over https connections, which are increasingly used by default or preferentially by major sites of all kinds, Kamkar said several weakness let PoisonTap work around this. Not all servers mark cookies as “secure only,” which allows PoisonTap to send an http (unencrypted) request and have the browser send a cookie that it previously only relayed securely.
And only some servers use a configuration technique that forces a capable browser to always use https. If that’s not in place, and it’s not yet heavily used, PoisonTap can create the plain http connection.
The attack takes just seconds after the PoisonTap hardware boots, at which point the actual device can be unplugged. All the pages remain silent, cached indefinitely, and active as secret backdoors.
Once in place in a browser, PoisonTap code can access secure local corporate networks through browser requests, and send data off through its remote connection.
If that’s not enough, PoisonTap also runs software that lets it test for routers on the local network, and then use a default administrative password to access and reconfigure them. This works even if a router can’t be reached remotely over the Internet, as long as the password hasn’t been changed, or if the current browser has connected and stored the router’s password.
“If you can get into the router, you can change DNS for everyone on the network,” Kamkar said. By changing the DNS server values on a local router to a malicious remote location, PoisonTap can hijack the entire network’s unencrypted traffic, or potentially install malicious router firmware that’s far worse, turning it into part of the growing Internet of Things botnet problem.
Mitigating a gaping hole
This may sound pretty hideous and, yes, indeed, it is. But because of the physical proximity requirement, you may not be vulnerable unless your computer is ever unattended in a place that other people have access to. This can include work, if you have a desktop machine you leave running overnight or while away, and another employee or contractor (or even maintenance staff) can gain brief access.
If you’re concerned about others having access to your machine while it’s locked but not powered down, you can quit any running browsers, and PoisonTap has no effect unless someone left it plugged in, which is very risky for this kind of physical-access attack. You can also shut your computer down.
As more sites use encrypted connections preferentially and configure their servers to always force a browser that can make an https connection to do so, this problem starts to leak away, but will remain for any sites that don’t.
Operating system makers could prevent most USB and Thunderbolt attachments while a device is locked. This seems obvious, except perhaps for a keyboard or mouse. OSes could also alert users about newly discovered networks and require approval. And they could block attempts to define a network as big as the whole Internet. Nearly all networks that people routinely use are scoped to a very narrow range, typically a couple hundred addresses with the same first numbers (like 192.168.0.1 to 192.168.0.200). Anything beyond a couple of orders of magnitude used for a corporate or large public network should be blocked and an alert shown.
Browser makers could also prevent certain actions from happening on a massive scale. The kind of technique that Kamkar uses has little rational purpose, and might be possible to monitor for among other malicious behavior. A user could be alerted, much like some browsers warn and then block excessive modal dialog alert boxes from appearing in a browser tab—the ones you have to click to dismiss.
Finally, router makers are way, way, way behind the curve already, and this is yet another way in which weak security practices allow ease of access. Routers can be preconfigured with certificates that create secure connections over a local network, preventing malicious software of this kind or elsewhere on a network from sniffing and gaining access.
It may seem depressing to hear about an ostensibly easy-to-implement, irritating-to-block security hole that makes you want to pour glue into your computer ports. (That’s one solution, and used in some secure settings.) But vigilance remains the watchword, coupled with giving feedback to the companies that make the products we use to keep upping the security they use and monitoring more heavily for automated behavior that couldn’t possibly be beneficial to a user.