Well-known hardware hacker Samy Kamkar has once again devised a cheap exploit tool, this time one that takes just 30 seconds to install a privacy-invading backdoor on your computer, even if it is locked with a strong password.
Dubbed PoisonTap, the new exploit tool runs freely available software on a tiny $5/£4 Raspberry Pi Zero microcomputer attached to a USB adapter.
The attack works even if the targeted computer is password-protected, as long as a browser has been left open in the background.
All an attacker needs to do is plug the device into the target computer and wait.
Here's How PoisonTap works:
Once plugged into a Windows or Mac computer via USB port, the tiny device starts impersonating a new ethernet connection.
Even if the victim's device is connected to a WiFi network, PoisonTap is programmed in such a way that it tricks the computer into prioritizing its network connection to PoisonTap over the victim's WiFi network.
With that man-in-the-middle position, PoisonTap intercepts all unencrypted Web traffic and steals any HTTP authentication cookies used to log into private accounts, as well as sessions for the Alexa top 1 million sites, from the victim's browser.
PoisonTap then sends that data to a server controlled by the attacker.
Kamkar said that cookie stealing is possible as long as a web browser application is running in the background, even if the application is not actively used.
So even if you are away from your machine, there is a good chance that at least one tab in your browser is open and still periodically loads new bits of HTTP data, such as ads or news updates, that do not use HTTPS web encryption.
The Hacking Tool Allows Attacker to Remotely Control your Computer
Here's the kicker: The hacking tool also allows an attacker to install persistent web-based backdoors in the HTTP cache for hundreds of thousands of domains, making the victim's Web browser, as well as the local network, remotely controllable by the attacker.
The attack also allows "an attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain," Kamkar said.
Even after PoisonTap is unplugged from the targeted computer, the backdoors remain, and the hacker will still be able to remotely gain control of the target device at a later time.
What's more, since the hacking tool siphons cookies rather than credentials, the hacker can also hijack the target user's online accounts even if the victim has two-factor authentication (2FA) enabled.
Kamkar points out that his tool can also bypass several other security mechanisms, such as same-origin policy (SOP), X-Frame-Options HTTP response headers, HttpOnly cookies, DNS pinning, as well as cross-origin resource sharing (CORS).
Watch the Video Demonstration
You can also watch the video published by Kamkar, explaining how easily the attack can be carried out.
How You Can Protect Yourself From Such Attacks
Kamkar says there is no easy fix for users, though you can avoid such attacks by always:
- Setting your computer to hibernate rather than sleep, since hibernation suspends all processes on the computer.
- Closing all web browsers every time you walk away from your computer.
- Periodically clearing your browser's cache.
- Using full-disk encryption (e.g. FileVault 2) in combination with "deep sleep" mode.
- Or simply disabling your USB ports.
In addition, Web server operators can protect their customers by properly implementing HTTPS and using HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
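As an added illustration of that server-side advice (example code written for this article, not part of Kamkar's PoisonTap release), the function below audits a set of HTTP response headers for the two things PoisonTap relies on: a missing or short-lived HSTS policy, and session cookies that lack the Secure attribute and so get sent over plain HTTP. The sample responses and the one-year max-age threshold are constructed assumptions.

```python
import re

# Constructed sample responses (not from any real site): one configured as the
# article recommends (HSTS plus Secure cookies) and one left weak.
GOOD_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]
WEAK_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: tracker=xyz; Path=/; HttpOnly",
]

ONE_YEAR = 31536000  # assumed minimum acceptable HSTS max-age, in seconds


def audit_headers(lines, min_max_age=ONE_YEAR):
    """Return a list of findings for the given HTTP response header lines."""
    findings = []
    hsts = None
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line or malformed header, nothing to check
        name = name.strip().lower()
        value = value.strip()
        if name == "strict-transport-security":
            hsts = value
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # Attribute names after the first "name=value" pair, lower-cased
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                # Without Secure the browser will send this cookie over plain HTTP,
                # which is exactly the traffic a rogue network device can read.
                findings.append(f"cookie '{cookie_name}' lacks Secure")
            if "httponly" not in attrs:
                # HttpOnly does not stop on-the-wire theft, but it is still expected.
                findings.append(f"cookie '{cookie_name}' lacks HttpOnly")
    if hsts is None:
        findings.append("no Strict-Transport-Security header; browsers may still use HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < min_max_age:
            findings.append(f"HSTS max-age={age} is below {min_max_age}")
    return findings
```

Run it against your own site's captured response headers; an empty list means the cookie and HSTS settings do not leave session data exposed to plain-HTTP interception.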
Samy Kamkar is the engineer behind a long list of low-cost hacks, including MagSpoof, which can predict and steal your next credit card number before you've received it; RollJam, which can unlock almost every car or garage door; Combo Breaker, which can crack Master Lock combination padlocks in less than 30 seconds; and KeySweeper — a password-pilfering keylogger disguised as a USB charger.
Kamkar has released PoisonTap's code as well as a detailed blog post, so head over to those for the full explanation.