Source code: https://github.com/samyk/poisontap
When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked, password-protected computer, it:
- emulates an Ethernet device over USB (or Thunderbolt)
- hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
- siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
- exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
- installs a persistent web-based backdoor in the HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user's cookies via cache poisoning
- allows the attacker to remotely force the user to make HTTP requests and proxy back the responses (GETs & POSTs) with the user's cookies on any backdoored domain
- does not require the machine to be unlocked
- backdoors and remote access persist even after device is removed and attacker sashays away
A live demonstration and more details are available in the video:
PoisonTap evades the following security mechanisms:
- Password Protected Lock Screens
- Routing Table priority and network interface Service Order
- Same-Origin Policy
- X-Frame-Options
- HttpOnly Cookies
- SameSite cookie attribute
- Two-Factor/Multi-Factor Authentication (2FA/MFA)
- DNS Pinning
- Cross-Origin Resource Sharing (CORS)
- HTTPS cookie protection when Secure cookie flag & HSTS not enabled
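The last item is the one a site owner can act on directly: a cookie without the Secure attribute on a domain without HSTS is transmitted whenever the browser is made to issue a plain http:// request, and neither HttpOnly nor SameSite changes that. The following audit is an added example (not part of PoisonTap or the original post) that checks a set of response headers for exactly this condition; the header lists are constructed samples, not captured from any real site.

```python
"""Audit HTTP response headers for cookies a browser would send over cleartext HTTP.

A cookie is exposed when it lacks the Secure attribute AND the host sets no
effective HSTS policy, since without HSTS a forced http:// request to the domain
leaves the machine unencrypted. HttpOnly and SameSite do not affect this check:
they limit script access and cross-site sending, not transport.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]


def parse_set_cookie(value: str) -> CookieAudit:
    """Parse one Set-Cookie header value into its name and the attributes of interest."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return CookieAudit(name, "secure" in attrs, "httponly" in attrs, attrs.get("samesite") or None)


def has_hsts(headers: Headers) -> bool:
    """True only if a Strict-Transport-Security header carries a positive max-age."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age="):
                try:
                    return int(d.split("=", 1)[1].strip('"')) > 0  # max-age=0 clears the policy
                except ValueError:
                    return False
    return False


def cleartext_exposed_cookies(headers: Headers) -> List[str]:
    """Names of cookies the browser would transmit on a plain http:// request to this host."""
    hsts = has_hsts(headers)
    return [parse_set_cookie(v).name for k, v in headers
            if k.lower() == "set-cookie" and not parse_set_cookie(v).secure and not hsts]


# Constructed sample responses: the first is exposed, the second is protected twice over.
WEAK_HEADERS: Headers = [("Content-Type", "text/html"),
                         ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
                         ("Set-Cookie", "prefs=dark; Path=/; SameSite=Lax")]
HARDENED_HEADERS: Headers = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                             ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Either remediation alone closes the cleartext path for this check, but setting both is the usual recommendation since Secure protects the cookie even before the HSTS policy has been learned by the browser.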
PoisonTap
PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, but can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.
(incredible HTML5 canvas animation by Ara)
Video Demo: https://youtu.be/Aatp5gCskvk
Point of Contact: @SamyKamkar // https://samy.pl
Released: November 16, 2016
Source code and download: https://github.com/samyk/poisontap