Too bad Ars Technica redirects https to http while preaching that everyone should use https.
Anyway: OS device driver install and network configuration should probably be less automatic than it is now.
All the more reason to go fully https (hello LetsEncrypt, goodbye Embarcadero).
A video showing how it works is below.
The clever device emulates a USB ethernet adapter (which virtually every operating system has default drivers for), then fakes being 1.0.0.1 and hands out the DHCP address 1.0.0.10 with a netmask of 128.0.0.1, thereby routing almost all network traffic over it.
It makes a tiny piece of the internet unreachable (like 1.0.0.1 itself in Brisbane, Australia).
More details on how it works at [WayBack] Samy Kamkar: PoisonTap – exploiting locked computers over USB.
Let's not leave this out:
Securing Against PoisonTap
Server-Side Security
If you are running a web server, securing against PoisonTap is simple:
- Use HTTPS exclusively, at the very least for authentication and authenticated content
- Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
- Ensure the Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
- When loading remote JavaScript resources, use the Subresource Integrity script tag attribute
- Use HSTS to prevent HTTPS downgrade attacks
Desktop Security
- Adding cement to your USB and Thunderbolt ports can be effective
- Closing your browser every time you walk away from your machine can work, but is entirely impractical
- Disabling USB ports is also effective, though also impractical
- Locking your computer has no effect, as the network and USB stacks operate while the machine is locked; however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues, as your browser will no longer make requests, even if woken up
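The server-side checklist quoted above is easy to verify mechanically. The following audit script is an added example (not part of this post or of Samy Kamkar's writeup): it takes a response's scheme, status, headers and body as plain values and reports which of the four mitigations (HTTP-to-HTTPS redirect, HSTS, Secure cookies, Subresource Integrity on remote scripts) are missing. Hostnames and the one-year HSTS threshold are constructed assumptions.

```python
"""Audit an HTTP response against the server-side PoisonTap checklist.

Checks: HTTP only redirects to HTTPS, HSTS is present with a long max-age,
every Set-Cookie carries the Secure flag, and remote scripts use Subresource
Integrity. Responses are passed in as plain values, so this runs offline.
"""
import re
from http.cookies import SimpleCookie

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def audit_response(scheme, status, headers, body):
    """Return a list of findings for one response (empty list = all checks pass).

    headers is a list of (name, value) pairs because Set-Cookie may repeat.
    """
    findings = []
    hdr = {}
    for name, value in headers:
        hdr.setdefault(name.lower(), []).append(value)

    if scheme == "http":
        # Plain HTTP must do nothing but redirect to HTTPS.
        location = hdr.get("location", [""])[0]
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain HTTP is served instead of redirecting to HTTPS")
    else:
        age = hsts_max_age(hdr.get("strict-transport-security", [""])[0])
        if age == 0:
            findings.append("missing or disabled Strict-Transport-Security header")
        elif age < ONE_YEAR:
            findings.append("HSTS max-age is shorter than one year")

    # A cookie without Secure is sent over plain HTTP, which is what PoisonTap harvests.
    for raw in hdr.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name!r} lacks the Secure flag")

    # A remote <script src> without integrity can be replaced by whoever controls the path.
    for tag in re.findall(r"<script\b[^>]*>", body, re.I):
        src = re.search(r"""src=["']([^"']+)""", tag, re.I)
        if src and re.match(r"(https?:)?//", src.group(1)) and "integrity=" not in tag.lower():
            findings.append(f"remote script {src.group(1)} has no Subresource Integrity")
    return findings
```

Feed it the output of a real client (one call per response) to check both the HTTP and the HTTPS side of a site, since the redirect rule only shows up on the plain-HTTP response.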
–jeroen