PoisonTap : Can Hijack Web Traffic and Install Backdoors on Password-Protected PCs
Hardware hacker Samy Kamkar has released a
new tool called PoisonTap that is capable of a plethora of malicious actions,
all of which work even against password-protected computers on which an
attacker can't access the desktop.
PoisonTap
is a small device built on top of a Raspberry Pi Zero $5 board, which runs
custom software and a Node.js server.
An attacker can connect PoisonTap to any
computer via its USB ports. There is no interaction needed, and PoisonTap will
carry out the attacks automatically after a few seconds.
PoisonTap disguises itself as an Ethernet interface
PoisonTap works by spoofing an over-USB
Ethernet adapter, which sets up as the primary source of Internet traffic for
all IPv4 addresses.
Windows and OS X will automatically
recognize and install the fake Ethernet adapter, even when the machine is
locked. This tricks the computer in sending all web traffic to PoisonTap.
PoisonTap steals browser cookies
In case the user has left a browser running
on his PC, PoisonTap will wait for at least one tab to make an HTTP request,
and then spoof the response, sending it to the victim's browser. This fake
response tells the browser to open hidden iframes for the top one million
websites.
This action forces the browser to authenticate by sending cookies holding
sensitive information to each of the one million websites, which PoisonTap will
happily record.
Browsers and websites use cookies to store
information on authenticated sessions and various user preferences.
Kamkar says that this attack only works on
websites that send their cookies via HTTP and don't use the "secure"
flag.
PoisonTap poisons local web caches
Besides stealing cookies, PoisonTap can also
alter the user's local browser cache, which is a collection of files that store
local versions of various websites that the user recently accessed, kept on the
computer to speed up future page load times.
PoisonTap allows an attacker to save
malicious versions of certain websites, such as Gmail, Facebook, banking
portals, and more, and carry out attacks at later points.
PoisonTap installs permanent remotely accessible backdoors
As Kamkar explains, those initial iframes
that accessed the top websites also loaded malicious HTML and JavaScript code
that is cached indefinitely and works as a backdoor to the user's browser.
An attacker can use this backdoors to force
the user's browser to make calls to malicious servers and continue to deliver
new attack code to the user's computer, long after the attacker has unplugged
PoisonTap.
PoisonTap exposes the internal router
Kamkar's novel device is also able to make
requests to the user's local router. PoisonTap installs a backdoor and makes
the router accessible from the Internet using DNS rebinding.
The attacker can access a special URL that
grants him access the user's router interface, allowing the attacker to sniff
the local network's unencrypted traffic or alter router settings.
Kamkar says that PoisonTap attacks can bypass
a slew of security measures such as password-protected computers, Same-Origin
Policy (SOP), Cross-Origin Resource Sharing (CORS), X-Frame-Options, SameSite
cookie attribute, HttpOnly Cookies, DNS pinning, sites that use 2FA and 2SV
mechanism, and even the special case when a website is using HTTPS cookie
protection with Secure cookie flag but without using HSTS (HTTP Strict
Transport Security).
Here's a review of all of PoisonTap's
capabilities:
- Emulates an Ethernet device over USB
- Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
- Siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
- Exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding
- Installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies via cache poisoning
- Allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
- Does not require the machine to be unlocked
- Backdoors and remote access persist even after device is removed and attacker sashays away
Kamkar has a series of security
recommendations, for both server administrators and device owners.
- First and foremost, all websites should run via HTTPS
- HSTS should be used together with HTTPS
- Secure flag must be used with cookies at all time, to prevent websites from sending cookies accidentally via HTTP
- Servers should use Subresource Integrity (SRI) for delivering JavaScript files
- Blocking access to USB and Thunderbolt ports (Kamkar recommends using cement, as a joke)
- Closing browsers when walking away from a PC
- Putting the PC in sleep mode when walking away
Kamkar has open-sourced the code behind
PoisonTap on GitHub.
Regards
Pralhad
Jadhav
Senior
Manager @ Library
Khaitan & Co
No comments:
Post a Comment