A USB dongle can hijack all your Web accounts and router in 30 seconds, even if your computer is locked

Security researcher and software developer Sami proof MacOS concept of Kamkar, Windows, and Linux computers through a USB or Thunderbolt kidnapped by plugging in a small Unix device before any active Weblog off the computer by and password, even if it can be demonstrated that is safe, and potentially even when they do have it. Also, a lot of router brands can hijack network.

PoisonTap but exploiting an operating system, hardware, instead of relying on the browser flaw, many connected to the network and browser design features. This will make it harder to root out and solve. Kamkar said in an interview, "attacks designed by exciting for me. How buffer overflow exploits a single protocol that gets the contract the next day."

No one company or products affected, but not all of them effectively. "This is a constant problem we've had for years and years and years," he said. "I just had to release him."

The good news, though? Although only a 30 to 60 seconds, you need physical access to your machine. And mitigates attacks completely walk away from your computer before you quit your browser.

Router operating system makers and decision-makers do not care about that, I will be able to release larger mitigations.

Background injections

You add a device to a USB-to-Ethernet adapter to a network when connected that provides the interface is plugged in, discover all the latest desktop operating system and instant network connection to your list . It also does more work on the Thunderbolt Mac and other systems with Thunderbolt support. (You can have a platform that blocks can install third-party software on the new network, but it works because the attack is ignoring them.)

Proof of Concept PoisonTap Zero Raspberry PI platform relies on a small $ 5 computer runs Linux and various interfaces. PoisonTap a device is plugged in via USB or Thunderbolt, this is about shoes and identifies itself as a network adapter in 30 to 60 seconds.

A network DHCP server offers an IP to hear the application (Internet Protocol) address of the local area network (LAN) respond with the address, LAN address range for other local devices, gateway or router.

A computer is not required to be open and awake. As well as USB and Thunderbolt network adapter is recognized automatically when the OS is active. Even if the OS is apparently asleep, can accept and manage USB and Thunderbolt connections in the low-level function.

PoisonTap adapter and works as both fake network, and responded with a network range that encompasses all Internet addresses. On a Mac, automatically add networks means that high-ranking network connection until the most goals (Wi-like look-Fi should be ignored, System Preferences Network, which gives a low priority in in the framework of the pan are dropped to the bottom of the list or Ethernet) are not available.

But by assigning network across the Internet as a network range, Kamkar brother have this restriction, and can respond effectively to any application.

PoisonTap device is now waiting for any unencrypted web connection. If you do not open any tab in a browser over an encrypted (https) is seems to be a page, are, your browser probably out background requests to refresh ad networks, to one page any number of beacons that send to monitor time, and to the latest status updates and page element. "I know and work with a couple of 20 and 30 tabs and windows open in yourself," said Kamkar.
As soon as one of these applications, PoisonTap leaps into action. It hijacks application rate and by the millions of sites that load a page I Alexa- responded with yes, a million background connection is hidden when viewing web browser. Kamkar says it uses one page of the invisible, due to be achieved without rendering it in the browser, which allows it to be a serious set of technologies to be operated .

Secure web session tokens over as the browser cookies and then back to the attacker through a connection that is created in the browser to their ship. A stored cookie in a request to open a session with a browser that is logged in the past, which often continue on allowing a meeting to continue without re-entering a username and password to causes the browser. PoisonTap device grabs hold any other information with their connections and cookie.

The cookies should be sent to HTTPS connection, increasingly used by default or by the preferred sites of all kinds, Kamkar the weakness of the PoisonTap to work around it. is ", just mark the" cookie secure always use https. Is not in place, and if it is not used much yet, PoisonTap can create simple HTTP connection.

The attack takes only a few seconds after which point shoes PoisonTap hardware, the device may Unplugged. All pages remain silent, temporary indefinitely, and active as secret backdoors.

Once in a browser, PoisonTap code secure corporate network access via browser requests and send the data via a remote connection.

If this is not enough, PoisonTap is software that shows that access to the test for routers on the local network, and it allows them to use a default administrative password reconfigure. It works as long as the password as the password has not been changed, grown up on the Internet, even if it can not be, or have been connected to the current browser and router password protected a router .

"You can get into the router, you can change the DNS on the network," said Kamkar. Changing the DNS server values ​​to a local router to the remote location malicious, PoisonTap the network unencrypted traffic hijacking, or even potentially turn into a part of the growing Internet botnet problem things worse, the router can install the malicious firmware.

A gaping hole mitigation

It looks pretty hideous and, yes, indeed, it is. This work can you can get a desktop machine you leave, and another employee or contractor (or even maintenance staff from) Short access running overnight or while away so.

While it is closed but not power down if you are concerned about having access to your machine to others, you can leave the browser to a walk, and PoisonTap unless, the plug body in any effect which triggers access is very dangerous for this category. You can also shut down your computer.

Most sites use special encrypted connection we can for these servers configured to always do an HTTPS connection as to force a browser, the issue is far starting to leak, but it we will continue to sites.

While most USB and Thunderbolt attachments may prevent the operating system of a device is locked. It seems clear, except for a keyboard or mouse. About OSes newly discovered networks can alert customers need and approval. They can block attempts to describe the internet as big a network. Those are a couple of addresses of the scope of a very narrow range, with virtually all networks using routine first numbers (like 192.168.0.1 to 192.168.0.200) General. A corporate or big anything beyond a couple of orders of magnitude using the public network should be blocked and a warning displayed.

Browser makers may prevent some measures have also become widespread. Kamkar is the type of technology uses a rational purpose, and may be possible to monitor for, among other malicious behavior. A user could be alerted to, warn some browsers and then you have to click to fire like a modal dialog box to block excessive alerts that appear in the browser tab.

Finally, router manufacturers way, way, way behind the curve already, and now we have to allow easy access to a weak security practices and procedures. Sniffing that routers and access to this type of malicious software or stop anywhere on a network, you can create a certificate to establish a secure connection to a local network.

It may seem depressing to hear about a seemingly easy implementation bother to block security holes that wants to put glue in the ports of your computer. (That is one solution, and used in a secure environment.) But caution we can do the security of the products we use to heavy surveillance for extended use and automated treatment the companies have been suggested, with a view to potentially be beneficial for a user.

This story, "A USB dongle can hijack all your web accounts and router in 30 seconds, your computer is turned off even if" was originally published by Macworld.