PoisonTap fools your PC into thinking the whole internet lives in an rPi

How do you get a sniff of a locked computer? Tell it you're its gateway to the entire Internet IPv4 routing space. That's the basic principle behind a demo from brainiac cracker Samy Kamkar. Plugged into a victim, his Raspberry Pi Zero-based "PoisonTap" isn't just a network sniffer, it's a backdoor-digger. MacOS users can …

  1. redpawn

    Physical Access...

    ...... nuf said.

    1. Version 1.0 Silver badge

      Re: Physical Access...

      Every time I visit my health provider I am shown to an exam room and asked to wait for the doctor who usually shows up after five minutes. There's always a PC in the office with open USB ports.

      Physical access is so easy.

      1. frank ly

        Re: Physical Access...

        This person who shows up after five minutes; do you ask to see any credentials before you give them physical access?

      2. ElReg!comments!Pierre

        Re: Physical Access...

        If it's similar to the hospital I work in, the machine will be all kind of locked, possibly including a strict "no external network access" policy, so while you could perhaps plug the attack vector, your attack timeframe would be the time you can leave the device attached to the machine without being noticed. I'd say a couple minutes at best. It COULD be enough to get credentials to the internal data management system (holding patients info etc) because almost everyone uses web interfaces for that nowadays, but hopefully you won't be able to log in from outside the local network.

        1. Destroy All Monsters Silver badge

          Re: Physical Access...

          your attack timeframe would be the time you can leave the device attached to the machine without being noticed. I'd say a couple MONTHS at best.

          FTFY

          If you put an official-looking sticker on it saying "do not remove because BLAH", maybe a couple of years.

      3. JeffyPoooh
        Pint

        Re: Physical Access...

        V1 "Physical access is so easy."

        No it's not!

        The IT folks have placed stickers over the USB sockets.

        STICKERS !! YES, STICKERS !!!

        OMG! How the hell can one get past a STICKER?

        They're so, like, sticky...

      4. Halfmad

        Re: Physical Access...

        Unless it's an approved device chances are those ports are blocked.

        Not saying it's fool proof by any means but the NHS tends to do the basics like that fairly well. Doesn't help if it's spoofing itself as an approved device though..

    2. Doctor Syntax Silver badge

      Re: Physical Access...

      Physical access plus social engineering? If you can persuade the user to plug this memory stick into his computer... It's not like it's never happened before.

  2. Anonymous Coward
    Anonymous Coward

    This is exactly how things are designed to work

    I really fail to understand how this is news: this is how things are designed to work, and this is how they have always worked: The moment I can override the local DHCP server (e.g. by winning a race on the network wire, or by inserting myself between the rest of the network and the victim), every computer which blindly trusts a DHCP response is mine. This is exactly how things should work in a low-security environment, where the ease of use is given the priority.

    Every system or network administrator worthy of their Christmas paper hats also knows how to avoid this behavior if it is undesirable.

    Sure, this whole bit of "research" would have been a nifty contribution at a school science fair - after all it does demonstrate the basic understanding of how the things work and some creativity. But being a highlight IT security conference and getting international press coverage? What's next, a discovery that by knowing a magic 32-bit secret code of a computer I can open a remote connection to it from anywhere in the world?

    1. the spectacularly refined chap

      Re: This is exactly how things are designed to work

      I really fail to understand how this is news: this is how things are designed to work, and this is how they have always worked:

      It isn't though. NT would never have been vulnerable. Linux itself (or any other Unix) still isn't, rather it is the desktop cruft too often layered on top that gets caught out. All those things dumbed-down systems do to "help" such as auto-configuring everything in sight, automounting any filesystem you come across and so on - often they are exactly what you want, sometimes they get in the way, and sometimes they increase the attack surface.

      It's the old usability vs convenience thing. Yes, it's that old chestnut.

      1. Anonymous Coward
        Anonymous Coward

        Re: This is exactly how things are designed to work

        Linux itself (or any other Unix) still isn't, rather it is the desktop cruft too often layered on top that gets caught out

        I can't speak about Windows in any of its forms, but regarding Linux you are wrong, wrong and wrong. IP addressing and routing is handled inside of the kernel, the desktop software does not know anything about it unless it explicitly queries it. Certainly IP packets generated by the desktop (or any other service running on a Linux system) are automatically routed by the kernel to the appropriate network interface; what we are seeing here is an example of how it is possible to manipulate the internal routing tables in order to gain unauthorised access to the network packets.

        I agree with other comments however; this is the way that DHCP is designed to work, and any sysadmin worth his salt will know how to eliminate the risk to his key network devices (hint: static IP addresses and high-priority routing table entries).

        1. Bronek Kozicki

          Re: This is exactly how things are designed to work

          @alannorthhants the thing with Linux is that there is plenty of cruft on top of the kernel, which upon appropriate notification from udev will update configuration as they see fit, not necessarily asking the user for permission. Examples here and here. Yes of course these things only do as much as they are setup to do, but under "wrong" circumstances it can be just enough to e.g. make an ad-hoc USB device a default gateway.

        2. Doctor Syntax Silver badge

          Re: This is exactly how things are designed to work

          "regarding Linux you are wrong, wrong and wrong"

          Only up to a point. As you say it's DHCP rather than the desktop cruft but the final point of convenience vs security is the significant one. Ignore at least one of those wrongs.

          1. the spectacularly refined chap

            Re: This is exactly how things are designed to work

            "regarding Linux you are wrong, wrong and wrong"

            Only up to a point. As you say it's DHCP rather than the desktop cruft but the final point of convenience vs security is the significant one. Ignore at least one of those wrongs.

            I stand by every word of what I wrote. The kernel itself will enumerate the device and generate a notification. It will not activate the interface by itself and won't spawn DHCP requests.

            If you have userland code running with admin privileges that does that and malconfigures the system for you automatically that is where the problem lies: this stuff doesn't happen by magic, and yes those notifications are generally intercepted by the desktop environment in the name of convenience.

            1. h4rm0ny

              Re: This is exactly how things are designed to work

              >>"If you have userland code running with admin privileges that does that and malconfigures the system for you automatically that is where the problem lies"

              Well, out of the box GNU/Linux systems normally would. That's the thing. Configure GNU/Linux to not accept any old DHCP server and it wont be vulnerable. But the same is true of Windows. If the criticism is that default settings are not adequate, then that applies to most GNU/Linux distros just as much as Windows. If the defence is that you can configure it more securely so this isn't an issue, then that too applies to Windows.

    2. Destroy All Monsters Silver badge

      Re: This is exactly how things are designed to work

      I really fail to understand how this is news: this is how things are designed to work

      Yeah, well maybe they should stop working that way, mon.

      "We have always been falling downstairs around here, what's to change?"

      1. Charles 9

        Re: This is exactly how things are designed to work

        "Yeah, well maybe they should stop working that way, mon."

        Except that if you don't do thing THAT way, things BREAK, and most users will simply respond, "The Internet is broke now! Put it back!"

  3. Anonymous Coward
    Anonymous Coward

    Thunderbird port. That's a new one :-)

    1. m0rt

      Na - not new:

      http://vignette3.wikia.nocookie.net/thunderbirds/images/c/cc/Tracey_Island_01.jpg

    2. Doctor Syntax Silver badge

      "Thunderbird port."

      Only handles mail protocols.

    3. unitron
      Pint

      My Thunderbird port...

      ...is the same as my Ripple port, my Boone's Farm port...

  4. allthecoolshortnamesweretaken

    "... Kamkar's previous exploits ..."

    Worth a look. This guy is good.

    1. Black Rat
      Devil

      It's a nice twist on an old trick to be sure but for a masterclass in cache poisoning seek out the crazy Spaniard Chema Alonso with his DEFCON20 presentation: "Owning "bad" guys {and mafia} with Javascript botnets",

  5. Paul Kinsler

    Hmm...

    Presumably there's some way of configuring dhclient so that it only tries known/pre-specified interfaces?

    I can see from the man page how to set options for specified interfaces, but not how to ignore others which might appear (with potentially unexpected names or numberings).

    1. Ken Hagan Gold badge

      Re: Hmm...

      I think you are going about it backwards. dhclient is only in the picture if your ethernet interfaces are marked as auto or hotplug or some such. For a fixed link, you might prefer to manually configure things and fall back to "not connected" if you find yourself at one end of an unfamiliar network. But now we are back to the choice between secure and convenient.

      Likewise, in the Windows world I believe that a domain-joined machine can be made to only trust the DHCP servers of that domain, but most home users don't have a DC and MS make it even harder by disabling the facility entirely in some editions of the OS.

      Afterthought: quite a lot of security problems would be solved if someone produced an ADSL router that had a Joe-User-friendly firewall to protect Joe's IoT devices, some sort of net nanny or danse guardian to keep the politicians out of the loop on content filtering, and enough domain controller software to let Joe manage all his Windows clients, which themselves would have to have the domain-disabling disabled so that they weren't recklessly insecure.

      Maybe if the next Raspberry Pi has an ADSL modem onboard, it could actually happen?

      1. Infernoz Bronze badge
        Facepalm

        Re: Hmm...

        Talking about ADSL is like talking about obsolete tech. like ancient phone modems, CDs and even BluRay; 21st century broadband should now be at least FttC or better FttP, and 21st century media should be on Flash and/or Cloud, it is tragic that anyone still has to make do with flaky ADSL now!

        A broadband connection should be handled by a dedicated router with proper security (NAT, firewall, DoS protection), something a Raspberry Pi can't do, especially with only one /slow/ Ethernet port, so can't act as an Ethernet filter!

  6. Voland's right hand Silver badge

    Mac can be pawned too.

    This is the old DSL Nation modem fugly DHCP hack - in its native form it does not work on Mac.

    What the guy missed is that USB is actually "shared" media - you can present TWO usb interfaces to the host. 0.0.0.1/1 and 128.0.0.1/1.

    Bingo. Mac joins the other ones as pawned too. The guy should have thought a bit more in depth on what is happening instead of blindly repeating the old DSL Nation madness.

    Fairly trivial to defend against too on Linux - you can (and should) configure it to reject anything larger than class A. This is a 3 liner in /etc/dhcp/dhclient-enter-hooks.d/

    1. Voland's right hand Silver badge

      Re: Mac can be pawned too.

      By the way, if memory serves me right DSL Nation had the 0.0.0.0/0 DHCP + reply to all arps with itself madness patented. So this guy may end up receiving a patent lawyer nastygram shortly.

    2. hplasm
      Paris Hilton

      Re: Mac can be pawned too.

      According to the article- it's mac and windows computers that are vulnerable...

      1. This post has been deleted by its author

        1. Craigie

          Re: Mac can be pawned too.

          And yet the author recommends using FileVault2 to mitigate against it, which from what I can see is for MacOS.

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: Mac can be pawned too.

        According to the article- it's mac and windows computers that are vulnerable...

        Yup, via the age-old "let's make it easy to set up a new interface" - good reminder to find out how I can lock down access to USB ports for anything but authorised devices on my Mac. Not that I'm much at risk, but because I can. And thus should :).

    3. Anonymous Coward
      Anonymous Coward

      Re: defend against on Linux ... a 3 liner in /etc/dhcp/dhclient-enter-hooks.d

      But what are the three lines?

      nb: not all linuxes have a /etc/dhcp/dhclient-enter-hooks.d

    4. Cody

      Re: Mac can be pawned too.

      Do you mean add to resolvconf? If so, what three lines?
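
Neither of the two questions above gets an answer in the thread. What follows is an added example, not Voland's right hand's script and not part of the original page: an ISC dhclient enter hook that does what that comment describes (neutralise any lease claiming a prefix wider than a class A) and, for Paul Kinsler's earlier question, also ignores leases on interfaces that are not on an allowlist. The variable names (`reason`, `interface`, `new_subnet_mask`, `new_routers`, `new_rfc3442_classless_static_routes`, `new_dhcp_server_identifier`) are the ones dhclient-script exports; the interface list, the /8 threshold, the file name and the sample option 121 strings are assumptions made for the example.

```shell
#!/bin/sh
# /etc/dhcp/dhclient-enter-hooks.d/00-lease-guard
# Added example, not the poster's script. ISC dhclient-script sources every
# file in this directory before it applies a lease, so a hook can inspect and
# rewrite the new_* variables. Assumptions: KNOWN_IFACES lists the NICs you
# expect DHCP on, MAX_WIDTH is the shortest prefix a LAN should ever claim,
# and option 121 arrives as decimal octets in $new_rfc3442_classless_static_routes.

KNOWN_IFACES=${KNOWN_IFACES:-"eth0 wlan0"}   # assumption: your real NICs
MAX_WIDTH=${MAX_WIDTH:-8}                     # anything wider than /8 is refused

# iface_allowed NAME -> true if NAME is in KNOWN_IFACES
iface_allowed() {
    for _i in $KNOWN_IFACES; do [ "$_i" = "$1" ] && return 0; done
    return 1
}

# mask_prefix_len 255.255.255.0 -> 24 (set bits in a dotted-quad mask; -1 if garbage)
mask_prefix_len() {
    _rest=$1. ; _bits=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}; _rest=${_rest#*.}
        case $_o in ''|*[!0-9]*) printf '%s\n' -1; return 1 ;; esac
        [ "$_o" -le 255 ] || { printf '%s\n' -1; return 1; }
        while [ "$_o" -gt 0 ]; do
            _bits=$(( _bits + (_o & 1) )); _o=$(( _o >> 1 ))
        done
    done
    printf '%s\n' "$_bits"
}

# shortest_classless_prefix "24 192 168 1 192 168 1 1 0 10 0 0 1" -> 0
# RFC 3442 layout: per route, prefix length, ceil(len/8) destination octets,
# then 4 router octets. Prints the shortest prefix, 32 if empty, 0 if malformed.
shortest_classless_prefix() {
    set -- $1
    _min=32
    while [ $# -gt 0 ]; do
        _len=$1; shift
        case $_len in ''|*[!0-9]*) printf '%s\n' 0; return ;; esac
        _skip=$(( (_len + 7) / 8 + 4 ))
        [ $# -ge "$_skip" ] || { printf '%s\n' 0; return; }
        [ "$_len" -lt "$_min" ] && _min=$_len
        shift "$_skip"
    done
    printf '%s\n' "$_min"
}

# lease_is_suspicious IFACE MASK ROUTES -> true if the lease should be neutralised
lease_is_suspicious() {
    iface_allowed "$1" || return 0
    _m=$(mask_prefix_len "$2") || return 0
    [ "$_m" -lt "$MAX_WIDTH" ] && return 0
    [ "$(shortest_classless_prefix "$3")" -lt "$MAX_WIDTH" ] && return 0
    return 1
}

# Hook body: runs inside dhclient-script when a lease is about to be applied.
case "${reason:-}" in
    BOUND|RENEW|REBIND|REBOOT)
        if lease_is_suspicious "${interface:-}" "${new_subnet_mask:-255.255.255.255}" \
                               "${new_rfc3442_classless_static_routes:-}"; then
            logger -t dhclient-guard -p daemon.warning \
                "$interface: refusing lease from ${new_dhcp_server_identifier:-?} (mask ${new_subnet_mask:-?})"
            # Keep the address but give it a /32 mask and no routes, so nothing
            # is on-link or routed through this interface.
            new_subnet_mask=255.255.255.255
            unset new_routers new_static_routes new_rfc3442_classless_static_routes
        fi
        ;;
esac
```

Hooks are sourced, not executed, so the file must be POSIX sh and must not `exit`. The hook keeps the address but shrinks the mask to /32 and drops every route, so the gadget gets an IP and nothing else; where option 121 routes are installed by a separate hook that reads the same variable (Debian's layout), unsetting it here is enough. The cost is the one this thread keeps coming back to: a legitimate new interface (USB tethering, a docking-station NIC) that is not in KNOWN_IFACES gets the same treatment. Hosts whose DHCP is handled by NetworkManager's internal client or by systemd-networkd never run these hooks, so this only helps where dhclient is actually the client.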

    5. PeeKay

      Re: Mac can be pawned too.

      "MacOS users can breathe a sigh of relief: Kamkar's attack currently only works on Windows and Linux boxen."

      Not entirely correct - Samy demonstrates the attack (on a Mac) here: https://www.youtube.com/watch?v=Aatp5gCskvk

    6. joed

      Re: Mac can be pawned too.

      I can't be sure but the FileVault2 reference would lead me to believe that the issue can affect Macs or there's some inconsistency in the article.

      1. Anonymous Coward
        Anonymous Coward

        Re: Mac can be pawned too.

        From what I understand, a Mac with FileVault enabled will not be that keen to mount any external device when it's asleep - apparently that's part of the extra security measures you trigger when installing FileVault.

        That said, when it wakes up it still may do it when you log in, so you'd have to be careful that nothing extra is plugged in when doing so but if you're already using FileVault and a boot password I suspect you're not the average, not terribly cautious end user anyway.

        But it's a risk, and ought to be managed. Apple should ensure a machine can only add a device when the user is logged in and the machine is not on screen saver lock or in sleep mode - at that point the user only has to make sure the machine goes to its logon screen when leaving it and that can either be done manually or via, for instance, a Bluetooth lock (no, I don't like the Apple Watch thing - I just have a small app that detects how far away my phone is, and that requires manual unlocking with a password - just how I like it).

  7. Anonymous Coward
    Anonymous Coward

    Easy to fix - disable plug&play USB when screen is locked

    And require Admin password to install USB hardware.

    This obviously makes it more steps for the user, so vendors compromised security for ease of use.

    1. Adam 52 Silver badge

      Re: Easy to fix - disable plug&play USB when screen is locked

      Hmm. How are you going to unlock to install that USB keyboard?

      1. DaLo

        Re: Easy to fix - disable plug&play USB when screen is locked

        Well you could allow and disallow USB from a central management console as many business AV/Threat management systems do, or you could just allow HID devices which are generally allowed anyway at a lower level.

        However the ol' HID keylogger trick is still at risk for that one.

  8. Anonymous Coward
    Anonymous Coward

    Revelation 22:13

    I am the Alpha and the Omega, the First and the Last, 0.0.0.0-255.255.255.255.

    1. Anonymous Coward
      Joke

      Re: Revelation 22:13

      Your also only IPv4. Try again with IPv6.

      1. Magani
        Headmaster

        Re: Revelation 22:13

        100 lines if you please:-

        "Your != you're"

        1. Anonymous Coward
          Anonymous Coward

          Re: Revelation 22:13

          100 lines if you please:-

          "Your != you're"

          Seriously? In the age of cut & paste?

          :)

          1. Richard 12 Silver badge

            Re: Revelation 22:13

            Put away your keyboard, you'll be using a very special quill of mine.

            And no, you won't need any ink...

      2. h4rm0ny

        Re: Revelation 22:13

        IpV666?

  9. Anonymous Coward
    Anonymous Coward

    At last, the great vision of the IT crowd can be realised

    Everyone knows you can use a raspberry pi to turn on an LED, so we can put one in a black box, mount an LED on it and voila, the internet in a box....

    Now all we need is a few orders of magnitude increase in the amount of data we can squeeze onto a micro SD card...

    1. Dan 55 Silver badge

      Re: At last, the great vision of the IT crowd can be realised

      Just fill an SD card with cat videos and fake biased news stories and nobody will be able to tell the difference.

    2. M7S

      Re: At last, the great vision of the IT crowd can be realised

      Dang, beat me to it

      https://www.youtube.com/watch?v=iDbyYGrswtg

  10. Alan J. Wylie

    To lock a Linux system down

    Adding

    echo 1 > /proc/sys/kernel/modules_disabled

    to a local boot script will stop any more modules being loaded. Unless the driver for the USB is the same as one used by the system (unlikely) nothing will happen when it's plugged in.

    https://www.kernel.org/doc/Documentation/sysctl/kernel.txt

    1. Anonymous Coward
      Anonymous Coward

      Re: To lock a Linux system down

      But doing that also disables using USB peripherals IINM, meaning you've disabled ALL the USB ports, which is impractical for, say, a laptop, where things are expected to be connected.

      1. Doctor Syntax Silver badge

        Re: To lock a Linux system down

        "disabled ALL the USB ports, which is impractical for, say, a laptop, where things are expected to be connected."

        And even more so desktops. These days mice and keyboards are expected to be USB.

      2. Alan J. Wylie

        Re: To lock a Linux system down

        It only stops *new* modules being loaded. Load any required kernel modules (e.g. usb-storage) first, then lock down.

        Perhaps not the right answer for a developer's system, but very useful for e.g. a system in a doctor's surgery, as was mentioned earlier, or a system in a PCI DSS scope.

        1. Charles 9

          Re: To lock a Linux system down

          But you're inserting it in a BOOT script. If that command gets triggered before the USB root hub is awakened, you probably can't modprobe the hub driver, which means the keyboard and mouse don't awaken, either.

          And that's why many people hate SysV. There's no real dependency system in it: just timings which can go wrong.

    2. Gotno iShit Wantno iShit
      Thumb Up

      Re: To lock a Linux system down

      Disabling installation of drivers on windows through group policy is exactly the same - works so long as the attacking device is not the same as one already installed.

  11. Christian Berger

    Actually you don't need to trust DHCP...

    There is no reason why you should run a DHCP client and believe its claim for a default gateway for network interfaces suddenly appearing.

    I mean I can see a point for USB devices posing as a NIC in order to provide some user interface, but for god's sake, ask the user before you accept a new default gateway, particularly if you already have one. (ask if this new device provides Internet or something) Or better yet, don't automatically run DHCP clients on interfaces that are not configured.

  12. Anonymous Coward
    FAIL

    Can we start a petition on the government website?

    Please ban The Register from making comments such as

    "Protection? If you're running a server, use HTTPS – at the very least for authentication and authenticated content"

    Until they themselves implement such a basic feature.

    1. Ken Hagan Gold badge

      Re: Can we start a petition on the government website?

      How do you know that they haven't already done so, and you've spent the last few years whining about this issue to a bunch of black hats who have poisoned your DNS?

  13. just another employee

    Two words

    End-point Security

    Ok - 2.5 words.

    Physical access is always a major step in hacking in. Install USB/FW/HDMI/eSATA port security then.

  14. Doctor_Wibble
    Trollface

    Use of the word 'boxen'

    You know the drill - out of the door, line on the left, one cross each.

  15. Scoured Frisbee

    Something missing...

    I get the DHCP part, but how do you get the legitimate site data to display while the box is plugged in? Or is it just that you spawn the magic web frame and then pull the fake interface, so normal routing can resume? If someone hops on the computer with an extra USB dongle and no functional networking they are sure to notice...

  16. unitron

    If they can physically access the computer...

    ...in the first place...

    But anyway, if the computer is already running and logged onto the LAN (via a fixed IP address), why would the sudden presence of this device on the USB bus cause it to get all promiscuous and have to have a DHCP address assigned from it?

    There doesn't seem to be an icon suitable for my level of lack of knowledge and confusion on this topic.

    1. Anonymous Coward
      Anonymous Coward

      Re: If they can physically access the computer...

      1) New device plugged in

      2) "What are you"

      3) I'm an Ethernet network device

      4) "Oh, pleased to meet you. You seem to not have an IP address, I will request one via your link, if you please"

      5) Sure go ahead

      6) "Oh, here it is. You seem to be doing quite a bit of routing, too"

      7) Yes, my parents always told me I was a bit of an Attila

      8) "Ha, ha, you seem to be of the funny kind. All right, here is some traffic for you..."

    2. Ken Hagan Gold badge

      Re: If they can physically access the computer...

      The scenario isn't that far removed from a legitimate one: that of a VPN. That too is a new interface that appears after existing connections have been established, and that too is an interface that could reasonably be given priority for packets routed to a subset of addresses.
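
The exchange above describes the handshake; the part that decides where packets go afterwards is the kernel's longest-prefix-match rule, which the VPN comparison hints at. The script below is an added example (not from the article or any comment) that runs that rule over a constructed routing table in plain POSIX sh, so the effect can be seen without root or a real gadget. The table entries, addresses and interface names are made up for the illustration; the two /1 routes are the pair Voland's right hand mentions further up.

```shell
#!/bin/sh
# Added example, not from the thread: longest-prefix-match over a constructed
# routing table, to show why a route to "half the Internet" on a USB NIC
# beats the real default route. Pure POSIX sh; no root, no real interfaces.

# ip4_to_int 10.0.0.1 -> 167772161 (dotted quad to 32-bit integer)
ip4_to_int() {
    _r=$1. ; _n=0
    while [ -n "$_r" ]; do
        _o=${_r%%.*}; _r=${_r#*.}
        _n=$(( (_n << 8) | _o ))
    done
    printf '%s\n' "$_n"
}

# prefix_mask 24 -> 4294967040 (integer mask with the top N bits set)
prefix_mask() {
    [ "$1" -gt 0 ] || { printf '%s\n' 0; return; }
    printf '%s\n' $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# best_route TABLE DST -> "<gateway> <dev>" of the longest prefix covering DST
# TABLE is one route per line: "<network> <prefixlen> <gateway> <dev>".
# Ties on prefix length keep the first entry; real kernels break ties by metric.
best_route() {
    _d=$(ip4_to_int "$2"); _best=-1; _out="no route"
    while read -r _net _len _gw _dev; do
        [ -n "$_net" ] || continue
        _m=$(prefix_mask "$_len")
        if [ $(( _d & _m )) -eq $(( $(ip4_to_int "$_net") & _m )) ] \
           && [ "$_len" -gt "$_best" ]; then
            _best=$_len; _out="$_gw $_dev"
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$_out"
}

# Constructed tables (assumed addresses). LAN_ONLY is the host before the
# gadget appears; WITH_GADGET adds the two /1 routes a hostile DHCP server,
# or a second USB interface as suggested above, can hand out.
LAN_ONLY='0.0.0.0 0 192.168.1.1 eth0
192.168.1.0 24 0.0.0.0 eth0'
WITH_GADGET="$LAN_ONLY
0.0.0.0 1 10.0.0.1 usb0
128.0.0.0 1 10.0.0.1 usb0"

best_route "$LAN_ONLY" 93.184.216.34     # 192.168.1.1 eth0
best_route "$WITH_GADGET" 93.184.216.34  # 10.0.0.1 usb0
best_route "$WITH_GADGET" 192.168.1.50   # 0.0.0.0 eth0 (the /24 still wins)
```

With only the LAN routes a public address goes to the real gateway; add the two /1 entries and every non-local destination moves to usb0, while the /24 for the LAN itself still wins because it is longer. A lease whose mask is 0.0.0.0 instead produces an on-link /0 that ties with the default route on prefix length, and which of the two wins then depends on metrics rather than on this rule, which is the sort of platform difference the Mac discussion above is about.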

  17. Anonymous Coward
    Anonymous Coward

    Why USB?

    It's not clear to me why the vector even needs to be USB (aside from the convenience of power). Why not use the existing ethernet port on the device? Takes away any of the problems of requiring any drivers to be installed.

    You'd need a USB->Ethernet dongle for the Pi to give it two sockets, but would surely be a much neater man-in-the-middle attack and could achieve all of the same exploits.

    1. Frumious Bandersnatch

      Re: Why USB?

      I suppose it's just a case of "because I/we can".

      ARP spoofing is still a thing. If you can connect to the same network segment, you can craft packets that make other machines on the segment associate your network MAC address with the IP of the real DHCP server. From there, you just run a DHCP server giving bogus IP addresses and routing information so that you can "man in the middle" machines the next time they renew their DHCP lease.

      I suppose that a USB-based attack is probably going to be quicker. If it auto-configures, then there's no waiting around for existing DHCP leases to expire. As an attacker, you still have the problem of needing to connect to the local net segment and doing traffic forwarding (masquerading as the target machine) so that the user (and any running applications) doesn't notice any discontinuity.

      Given that both methods need physical access to the LAN, I think that a Breaking Bad style device (that Walter White plugged into his DEA brother-in-law's PC Ethernet port) is probably the best approach, though I'm sure that it will need some sort of power supply.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why USB?

        Unplugging and replugging the LAN cable (to insert the Pi) would normally have it renew a DHCP lease anyway. And connecting to the local net segment would be simple enough - the 'other end' of the Pi would be plugged into the office LAN cable.

        Even more handily, you can stick a wireless card in the Pi and have it connect to a van outside the office window, should it be in a locked down corporate network to offload any data you manage to nick.

  18. candyman76

    USB Ethernet Gadget Driver

    I have been playing with the hack that snags user information along with the password hash using the pi zero on a locked machine and the main issue I have is the driver is usually not available by default on the pc. So a PC that has already been setup and can see the pi as a USB Ethernet gadget could have this work but I don't see it hitting a lot of machines. Get a LAN turtle and have a lot more success with man in the middle attack like it will allow. :)

    1. Saltee

      Re: USB Ethernet Gadget Driver

      Yup, similar attack was done by room362 and demonstrated on Hak5 back in September using a Turtle. Guess Kamkar just took it in another direction.

      https://room362.com/post/2016/snagging-creds-from-locked-machines/

  19. AceRimmer1980

    Whole Internet in a small box.

    and I bet it doesn't weigh anything. And it's wireless.

    1. Destroy All Monsters Silver badge

      Re: Whole Internet in a small box.

      "Bigger on the Inside"

      The Box of Leaves.

    2. Anonymous Coward
      Anonymous Coward

      Re: Whole Internet in a small box.

      No, this needs to go straight back to Big Ben.

  20. Paul 129
    Mushroom

    Wall Wart form factor

    Cool!

    So if I can find an enclosure that looks like a power charger, and can mangle a pi zero into it, I can own the bastard who keeps taking my phone chargers!

    Thanks to USB-C being used to charge everything new, it's only going to get easier.

    What could go wrong?

  21. a_yank_lurker

    Other Issues

    Any exploit that requires physical access or using a USB connection is a lower priority problem compared to phishing, macros, malware ads, etc. which only require the user to make a mistake once. Also, an exploit requiring physical access is not one that will be used against random users; it is more likely to be used against specific targets.

    1. Charles 9

      Re: Other Issues

      Are you sure? What about highly-public places like airports where distractions are easy as is disappearing into the crowd?
