A computer engineer has created PoisonTap, a security tool that can intercept all unencrypted Web traffic and install a backdoor on any computer to which its operator has physical access.
PoisonTap Can Easily Break Into Your Computer
PoisonTap is a new hacking tool built on the $5 Raspberry Pi Zero mini computer. The small, credit-card-sized device is plugged into the victim machine's USB port. Its built-in configuration allows an attacker to intercept all unencrypted Web traffic, which includes the authentication cookies and credentials used to log in to sensitive online accounts. The utility can then send that data to remotely controlled servers.
In addition, the tool can install a malicious backdoor on the computer, leaving the victim machine exposed and remotely operable by the attackers.
PoisonTap's creator, Samy Kamkar, built the utility primarily to demonstrate that even password-protected computers can be attacked with little effort. PoisonTap shows that any malicious user with physical access can compromise a machine using a device as cheap as this one.
The full list of features includes the following:
- Emulation of an Ethernet device over the USB connection
- Hijacking of all web traffic from the victim host
- Harvesting HTTP cookies and active sessions from the browser for the Alexa top 1,000,000 sites
- Exposing the internal network router to the attacker and accessing it remotely via an outbound WebSocket and DNS rebinding techniques
- Installation of a persistent web-based backdoor in the HTTP cache
- Allowing the attackers to launch remote brute force attacks by luring the user's browser into making HTTP requests and proxying the responses to remote malicious domains
- No requirement that the computer be unlocked: the tool works on password-protected hosts, and the backdoor remains persistent on the victim machine after the device is removed
How does PoisonTap work?
Once the PoisonTap device is plugged into the protected computer (at this time, Mac OS X and Windows computers are known to be vulnerable), it starts to "poison" the browser cache with persistent malicious code.
The Raspberry Pi acts as an Ethernet device that acquires its own IP address from the internal router using DHCP. In the process the device becomes the main gateway for traffic sent and received on the internal network, and its configuration lets PoisonTap claim the entire IPv4 address space. As a result, the utility can monitor and actively control all unencrypted traffic flowing to and from the victim machine.
Next, it looks for any installed web browser running in the background. PoisonTap injects specific HTML tags into the page by masquerading as the HTTP server for the affected sites.
This man-in-the-middle attack is also used to plant a backdoor payload that gives the attackers a live remote connection. The tool uses a DNS rebinding attack to enable this remote access feature.
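As an added, defender-side example (not part of the original article or of PoisonTap itself), the check below parses a Linux `ip route` listing and flags any interface whose directly connected routes cover far more address space than a real LAN would, which is the symptom of a USB Ethernet gadget claiming the whole IPv4 range described above. The route lines are constructed for the example, and the `ip route` text format is assumed.

```python
import ipaddress
import re

# Constructed sample `ip route` output: a normal Wi-Fi setup plus a USB interface
# that claims both halves of IPv4 (0.0.0.0/1 and 128.0.0.0/1) as directly connected.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
0.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.2 metric 100
128.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.2 metric 100
"""

# Start of an `ip route` line: destination, optional gateway ("via"), device.
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)")


def parse_routes(text):
    """Parse `ip route` output into dicts with net (IPv4Network), via, dev."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        net = ipaddress.ip_network(dst, strict=False)
        routes.append({"net": net, "via": m.group("via"), "dev": m.group("dev")})
    return routes


def onlink_coverage(routes):
    """Per interface, how many addresses it claims as directly connected."""
    coverage = {}
    for r in routes:
        if r["via"] is None:  # no gateway: the host will ARP for every destination
            coverage[r["dev"]] = coverage.get(r["dev"], 0) + r["net"].num_addresses
    return coverage


def suspicious_interfaces(text, max_onlink_addresses=2 ** 16):
    """Interfaces whose on-link routes cover more than a /16 worth of IPv4.

    A real LAN rarely needs more; two /1 routes on a freshly attached USB
    interface is exactly the whole-address-space claim described above.
    """
    coverage = onlink_coverage(parse_routes(text))
    return sorted(dev for dev, n in coverage.items() if n > max_onlink_addresses)


if __name__ == "__main__":
    for dev in suspicious_interfaces(SAMPLE_ROUTES):
        print(f"WARNING: {dev} claims an implausibly large on-link IPv4 range")
```

On a live host, feed it the output of `ip -4 route` instead of the sample; a hit on a newly appeared USB interface is worth treating as a physical-access incident.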
The developer has published the source code online, which makes it trivial for anyone to build their own PoisonTap device. The posted material includes some technical details about the utility. Read the blog post for more information.