PoisonTap fools your PC into thinking the whole internet lives in an rPi

How do you get a sniff of a locked computer? Tell it you're its gateway to the entire Internet IPv4 routing space. That's the basic principle behind a demo from brainiac cracker Samy Kamkar. Plugged into a victim, his Raspberry Pi Zero-based "PoisonTap" isn't just a network sniffer, it's a backdoor-digger. MacOS users can …

  1. redpawn

    Physical Access...

    ...... nuf said.

    1. Version 1.0 Silver badge

      Re: Physical Access...

      Every time I visit my health provider I am shown to an exam room and asked to wait for the doctor who usually shows up after five minutes. There's always a PC in the office with open USB ports.

      Physical access is so easy.

      1. frank ly

        Re: Physical Access...

        This person who shows up after five minutes; do you ask to see any credentials before you give them physical access?

      2. ElReg!comments!Pierre

        Re: Physical Access...

        If it's similar to the hospital I work in, the machine will be all kind of locked, possibly including a strict "no external network access" policy, so while you could perhaps plug the attack vector, your attack timeframe would be the time you can leave the device attached to the machine without being noticed. I'd say a couple minutes at best. It COULD be enough to get credentials to the internal data management system (holding patients info etc) because almost everyone uses web interfaces for that nowadays, but hopefully you won't be able to log in from outside the local network.

        1. Destroy All Monsters Silver badge

          Re: Physical Access...

          your attack timeframe would be the time you can leave the device attached to the machine without being noticed. I'd say a couple MONTHS at best.

          FTFY

          If you put an official-looking sticker on it saying "do not remove because BLAH", maybe a couple of years.

      3. JeffyPoooh

        Re: Physical Access...

        V1 "Physical access is so easy."

        No it's not!

        The IT folks have placed stickers over the USB sockets.

        STICKERS !! YES, STICKERS !!!

        OMG! How the hell can one get past a STICKER?

        They're so, like, sticky...

      4. Halfmad

        Re: Physical Access...

        Unless it's an approved device chances are those ports are blocked.

        Not saying it's foolproof by any means, but the NHS tends to do the basics like that fairly well. Doesn't help if it's spoofing itself as an approved device though.

    2. Doctor Syntax Silver badge

      Re: Physical Access...

      Physical access plus social engineering? If you can persuade the user to plug this memory stick into his computer... It's not like it's never happened before.

  2. Anonymous Coward

    This is exactly how things are designed to work

    I really fail to understand how this is news: this is how things are designed to work, and this is how they have always worked: The moment I can override the local DHCP server (e.g. by winning a race on the network wire, or by inserting myself between the rest of the network and the victim), every computer which blindly trusts a DHCP response is mine. This is exactly how things should work in a low-security environment, where the ease of use is given the priority.

    Every system or network administrator worthy of their Christmas paper hats also knows how to avoid this behavior if it is undesirable.

    Sure, this whole bit of "research" would have been a nifty contribution at a school science fair - after all it does demonstrate the basic understanding of how the things work and some creativity. But being a highlight IT security conference and getting international press coverage? What's next, a discovery that by knowing a magic 32-bit secret code of a computer I can open a remote connection to it from anywhere in the world?

    1. the spectacularly refined chap

      Re: This is exactly how things are designed to work

      I really fail to understand how this is news: this is how things are designed to work, and this is how they have always worked:

      It isn't though. NT would never have been vulnerable. Linux itself (or any other Unix) still isn't, rather it is the desktop cruft too often layered on top that gets caught out. All those things dumbed-down systems do to "help" such as auto-configuring everything in sight, automounting any filesystem you come across and so on - often they are exactly what you want, sometimes they get in the way, and sometimes they increase the attack surface.

      It's the old usability vs convenience thing. Yes, it's that old chestnut.

      1. Anonymous Coward

        Re: This is exactly how things are designed to work

        Linux itself (or any other Unix) still isn't, rather it is the desktop cruft too often layered on top that gets caught out

        I can't speak about Windows in any of its forms, but regarding Linux you are wrong, wrong and wrong. IP addressing and routing is handled inside of the kernel, the desktop software does not know anything about it unless it explicitly queries it. Certainly IP packets generated by the desktop (or any other service running on a Linux system) are automatically routed by the kernel to the appropriate network interface; what we are seeing here is an example of how it is possible to manipulate the internal routing tables in order to gain unauthorised access to the network packets.

        I agree with other comments however; this is the way that DHCP is designed to work, and any sysadmin worth his salt will know how to eliminate the risk to his key network devices (hint: static IP addresses and high-priority routing table entries).

        1. Bronek Kozicki

          Re: This is exactly how things are designed to work

          @alannorthhants the thing with Linux is that there is plenty of cruft on top of the kernel, which upon appropriate notification from udev will update configuration as they see fit, not necessarily asking the user for permission. Examples here and here. Yes of course these things only do as much as they are set up to do, but under "wrong" circumstances it can be just enough to e.g. make an ad-hoc USB device a default gateway.

        2. Doctor Syntax Silver badge

          Re: This is exactly how things are designed to work

          "regarding Linux you are wrong, wrong and wrong"

          Only up to a point. As you say it's DHCP rather than the desktop cruft but the final point of convenience vs security is the significant one. Ignore at least one of those wrongs.

          1. the spectacularly refined chap

            Re: This is exactly how things are designed to work

            "regarding Linux you are wrong, wrong and wrong"

            Only up to a point. As you say it's DHCP rather than the desktop cruft but the final point of convenience vs security is the significant one. Ignore at least one of those wrongs.

            I stand by every word of what I wrote. The kernel itself will enumerate the device and generate a notification. It will not activate the interface by itself and won't spawn DHCP requests.

            If you have userland code running with admin privileges that does that and malconfigures the system for you automatically that is where the problem lies: this stuff doesn't happen by magic, and yes those notifications are generally intercepted by the desktop environment in the name of convenience.

            1. h4rm0ny

              Re: This is exactly how things are designed to work

              >>"If you have userland code running with admin privileges that does that and malconfigures the system for you automatically that is where the problem lies"

              Well, out of the box GNU/Linux systems normally would. That's the thing. Configure GNU/Linux to not accept any old DHCP server and it won't be vulnerable. But the same is true of Windows. If the criticism is that default settings are not adequate, then that applies to most GNU/Linux distros just as much as Windows. If the defence is that you can configure it more securely so this isn't an issue, then that too applies to Windows.

    2. Destroy All Monsters Silver badge

      Re: This is exactly how things are designed to work

      I really fail to understand how this is news: this is how things are designed to work

      Yeah, well maybe they should stop working that way, mon.

      "We have always been falling downstairs around here, what's to change?"

      1. Charles 9

        Re: This is exactly how things are designed to work

        "Yeah, well maybe they should stop working that way, mon."

        Except that if you don't do thing THAT way, things BREAK, and most users will simply respond, "The Internet is broke now! Put it back!"

  3. Anonymous Coward

    Thunderbird port. That's a new one :-)

    1. m0rt

      Na - not new:

      http://vignette3.wikia.nocookie.net/thunderbirds/images/c/cc/Tracey_Island_01.jpg

    2. Doctor Syntax Silver badge

      "Thunderbird port."

      Only handles mail protocols.

    3. unitron

      My Thunderbird port...

      ...is the same as my Ripple port, my Boone's Farm port...

  4. allthecoolshortnamesweretaken

    "... Kamkar's previous exploits ..."

    Worth a look. This guy is good.

    1. Black Rat

      It's a nice twist on an old trick to be sure, but for a masterclass in cache poisoning seek out the crazy Spaniard Chema Alonso with his DEFCON20 presentation: "Owning "bad" guys {and mafia} with Javascript botnets".

  5. Paul Kinsler

    Hmm...

    Presumably there's some way of configuring dhclient so that it only tries known/pre-specified interfaces?

    I can see from the man page how to set options for specified interfaces, but not how to ignore others which might appear (with potentially unexpected names or numberings).

    1. Ken Hagan Gold badge

      Re: Hmm...

      I think you are going about it backwards. dhclient is only in the picture if your ethernet interfaces are marked as auto or hotplug or some such. For a fixed link, you might prefer to manually configure things and fall back to "not connected" if you find yourself at one end of an unfamiliar network. But now we are back to the choice between secure and convenient.

      Likewise, in the Windows world I believe that a domain-joined machine can be made to only trust the DHCP servers of that domain, but most home users don't have a DC and MS make it even harder by disabling the facility entirely in some editions of the OS.

      Afterthought: quite a lot of security problems would be solved if someone produced an ADSL router that had a Joe-User-friendly firewall to protect Joe's IoT devices, some sort of net nanny or danse guardian to keep the politicians out of the loop on content filtering, and enough domain controller software to let Joe manage all his Windows clients, which themselves would have to have the domain-disabling disabled so that they weren't recklessly insecure.

      Maybe if the next Raspberry Pi has an ADSL modem onboard, it could actually happen?

      1. Infernoz Bronze badge

        Re: Hmm...

        Talking about ADSL is like talking about obsolete tech. like ancient phone modems, CDs and even BluRay; 21st century broadband should now be at least FttC or better FttP, and 21st century media should be on Flash and/or Cloud, it is tragic that anyone still has to make do with flaky ADSL now!

        A broadband connection should be handled by a dedicated router with proper security (NAT, firewall, DoS protection), something a Raspberry Pi can't do, especially with only one /slow/ Ethernet port, so can't act as an Ethernet filter!

  6. Voland's right hand Silver badge

    Mac can be pawned too.

    This is the old DSL Nation modem fugly DHCP hack - in its native form it does not work on Mac.

    What the guy missed is that USB is actually "shared" media - you can present TWO usb interfaces to the host. 0.0.0.1/1 and 128.0.0.1/1.

    Bingo. Mac joins the other ones as pawned too. The guy should have thought a bit more in depth on what is happening instead of blindly repeating the old DSL Nation madness.

    Fairly trivial to defend against too on Linux - you can (and should) configure it to reject anything larger than class A. This is a 3 liner in /etc/dhcp/dhclient-enter-hooks.d/

    1. Voland's right hand Silver badge

      Re: Mac can be pawned too.

      By the way, if memory serves me right DSL Nation had the 0.0.0.0/0 DHCP + reply to all arps with itself madness patented. So this guy may end up receiving a patent lawyer nastygram shortly.

    2. hplasm

      Re: Mac can be pawned too.

      According to the article- it's mac and windows computers that are vulnerable...

      1. This post has been deleted by its author

        1. Craigie

          Re: Mac can be pawned too.

          And yet the author recommends using FileVault2 to mitigate against it, which from what I can see is for MacOS.

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: Mac can be pawned too.

        According to the article- it's mac and windows computers that are vulnerable...

        Yup, via the age-old "let's make it easy to set up a new interface" - good reminder to find out how I can lock down access to USB ports for anything but authorised devices on my Mac. Not that I'm much at risk, but because I can. And thus should :).

    3. Anonymous Coward

      Re: defend against on Linux ... a 3 liner in /etc/dhcp/dhclient-enter-hooks.d

      But what are the three lines?

      nb: not all linuxes have a /etc/dhcp/dhclient-enter-hooks.d

    4. Cody

      Re: Mac can be pawned too.

      Do you mean add to resolvconf? If so, what three lines?
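      The two posts above ask what the "three lines" would be. The following is an added example, not the commenter's own hook: a dhclient enter hook that refuses any lease whose subnet mask is broader than a class A /8, which is what a 0.0.0.0 or 128.0.0.0 mask handed out by a rogue DHCP server on a USB Ethernet gadget looks like. It assumes the ISC sample dhclient-script convention, namely that files in /etc/dhcp/dhclient-enter-hooks.d/ are sourced with $reason, $interface and the $new_* lease variables set and that setting exit_status to a nonzero value aborts processing of the lease; as the comment above notes, not every distribution ships that directory or honours that variable, so check your own dhclient-script. The logger tag and the log message wording are my own choices.

```sh
#!/bin/sh
# Added example: a dhclient "enter" hook that refuses DHCP leases whose
# subnet mask is broader than a class A (/8). A rogue server on a USB
# Ethernet gadget hands out masks like 0.0.0.0 or 128.0.0.0 so that the
# whole IPv4 space looks directly connected; a sane LAN never does.
#
# Assumed deployment (ISC dhclient-script convention; verify on your
# distribution): dhclient-script sources files in
# /etc/dhcp/dhclient-enter-hooks.d/ with $reason, $interface and the
# $new_* lease variables set, and aborts lease processing when the hook
# sets exit_status to a nonzero value.

# Convert a dotted-quad netmask to a prefix length.
# Prints -1 for anything that is not a well-formed, contiguous mask.
mask_to_prefix() {
    case $1 in
        *[!0-9.]*|'') echo -1; return 0 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo -1; return 0; }
    for octet; do
        if [ -z "$octet" ] || [ "$octet" -gt 255 ]; then
            echo -1; return 0
        fi
    done
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    bits=0
    i=31
    # Count the run of one-bits from the top of the 32-bit word.
    while [ $i -ge 0 ]; do
        [ $(( (n >> i) & 1 )) -eq 1 ] || break
        bits=$((bits + 1))
        i=$((i - 1))
    done
    # Every bit below the first zero must also be zero, otherwise the
    # mask is non-contiguous and should not be trusted either.
    if [ $(( n & ((1 << (i + 1)) - 1) )) -ne 0 ]; then
        echo -1; return 0
    fi
    echo $bits
}

# Succeed (exit 0) only for a mask at least as long as /8.
lease_is_acceptable() {
    prefix=$(mask_to_prefix "$1")
    [ "$prefix" -ge 8 ]
}

# Hook body: only acts when dhclient-script sources this file while
# applying a lease; rejects the lease and records why.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if [ -n "$new_subnet_mask" ] && ! lease_is_acceptable "$new_subnet_mask"; then
            logger -t dhclient-enter-hook \
                "rejecting lease on $interface: subnet mask $new_subnet_mask is broader than /8"
            exit_status=1
        fi
        ;;
esac
```

      Only the subnet mask is inspected on purpose: a 0.0.0.0/0 destination in the classless static routes option (121) is the legitimate way to deliver a default route, so rejecting it would break ordinary networks, whereas a mask shorter than /8 has no honest use on a LAN.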

    5. PeeKay

      Re: Mac can be pawned too.

      "MacOS users can breathe a sigh of relief: Kamkar's attack currently only works on Windows and Linux boxen."

      Not entirely correct - Sammy demonstrates the attack (on a Mac) here: https://www.youtube.com/watch?v=Aatp5gCskvk

    6. joed

      Re: Mac can be pawned too.

      I can't be sure, but the FileVault2 reference would lead me to believe that the issue can affect Macs or there's some inconsistency in the article.

      1. Anonymous Coward

        Re: Mac can be pawned too.

        From what I understand, a Mac with FileVault enabled will not be that keen to mount any external device when it's asleep - apparently that's part of the extra security measures you trigger when installing FileVault.

        That said, when it wakes up it still may do it when you log in, so you'd have to be careful that nothing extra is plugged in when doing so but if you're already using FileVault and a boot password I suspect you're not the average, not terribly cautious end user anyway.

        But it's a risk, and ought to be managed. Apple should ensure a machine can only add a device when the user is logged in and the machine is not on screen saver lock or in sleep mode - at that point the user only has to make sure the machine goes to its logon screen when leaving it, and that can either be done manually or via, for instance, a Bluetooth lock (no, I don't like the Apple Watch thing - I just have a small app that detects how far away my phone is, and that requires manual unlocking with a password - just how I like it).

  7. Anonymous Coward

    Easy to fix - disable plug&play USB when screen is locked

    And require Admin password to install USB hardware.

    This obviously makes it more steps for the user, so vendors compromised security for ease of use.

    1. Adam 52 Silver badge

      Re: Easy to fix - disable plug&play USB when screen is locked

      Hmm. How are you going to unlock to install that USB keyboard?

      1. DaLo

        Re: Easy to fix - disable plug&play USB when screen is locked

        Well you could allow and disallow USB from a central management console as many business AV/Threat management systems do, or you could just allow HID devices which are generally allowed anyway at a lower level.

        However the ol' HID keylogger trick is still at risk for that one.

  8. Anonymous Coward

    Revelation 22:13

    I am the Alpha and the Omega, the First and the Last, 0.0.0.0-255.255.255.255.

    1. Anonymous Coward

      Re: Revelation 22:13

      Your also only IPv4. Try again with IPv6.

      1. Magani

        Re: Revelation 22:13

        100 lines if you please:-

        "Your != you're"

        1. Anonymous Coward

          Re: Revelation 22:13

          100 lines if you please:-

          "Your != you're"

          Seriously? In the age of cut & paste?

          :)

          1. Richard 12 Silver badge

            Re: Revelation 22:13

            Put away your keyboard, you'll be using a very special quill of mine.

            And no, you won't need any ink...

      2. h4rm0ny

        Re: Revelation 22:13

        IpV666?

  9. Anonymous Coward

    At last, the great vision of the IT crowd can be realised

    Everyone knows you can use a raspberry pi to turn on an LED, so we can put one in a black box, mount an LED on it and voila, the internet in a box....

    Now all we need is a few orders of magnitude increase in the amount of data we can squeeze onto a micro SD card...

    1. Dan 55 Silver badge

      Re: At last, the great vision of the IT crowd can be realised

      Just fill an SD card with cat videos and fake biased news stories and nobody will be able to tell the difference.

    2. M7S

      Re: At last, the great vision of the IT crowd can be realised

      Dang, beat me to it

      https://www.youtube.com/watch?v=iDbyYGrswtg
