Meet PoisonTap, the $5 tool that ransacks password-protected computers | Ars Technica
Posted by jpluimers on 2016/11/23
Too bad Ars Technica redirects https to http while preaching anyone should use https.
Anyway: OS device driver install and network configuration should probably be less automatic than it is now.
All the more reason to go fully https (hello LetsEncrypt, goodbye Embarcadero).
A video showing how it works is below.
The clever device emulates a USB Ethernet adapter (which virtually every operating system has default drivers for), then fakes being 188.8.131.52, handing out DHCP address 184.108.40.206 with a netmask of 220.127.116.11, thereby routing almost all network traffic over itself.
It makes only a tiny piece of the internet unreachable (like 18.104.22.168 itself in Brisbane, Australia).
More details on how it works at [WayBack] Samy Kamkar: PoisonTap – exploiting locked computers over USB.
Let's not leave this out:
Securing Against PoisonTap
If you are running a web server, securing against PoisonTap is simple:
- Use HTTPS exclusively, at the very least for authentication and authenticated content
- Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
- Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
- Use HSTS to prevent HTTPS downgrade attacks
- Adding cement to your USB and Thunderbolt ports can be effective
- Closing your browser every time you walk away from your machine can work, but is entirely impractical
- Disabling USB ports is also effective, though also impractical
- Locking your computer has no effect, as the network and USB stacks operate while the machine is locked. However, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues, as your browser will no longer make requests, even if woken up
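To turn the web-server items of that checklist (HTTP redirected to HTTPS, HSTS present, Secure flag on cookies) into something you can actually run against a captured response, here is an added example; it is not code from the original post or from Samy Kamkar, and the three sample responses in it are constructed, not real server output.

```python
"""Audit a raw HTTP/1.1 response against the PoisonTap web-server checklist."""
from email.parser import Parser


def _parse(raw: str):
    """Split a raw response into (status_code, headers) using the stdlib header parser."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block, headersonly=True)
    return status, headers


def audit_response(raw: str, over_tls: bool) -> list:
    """Return findings for the channel the response arrived on; [] means it passes."""
    status, headers = _parse(raw)
    findings = []
    if not over_tls:
        # Plain HTTP must only ever answer with a redirect to the HTTPS origin.
        location = headers.get("Location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain HTTP response is not a redirect to https://")
    else:
        # HTTPS responses must pin the browser to HTTPS via HSTS with a positive max-age.
        hsts = headers.get("Strict-Transport-Security")
        if hsts is None:
            findings.append("no Strict-Transport-Security header")
        elif not any(d.strip().lower().startswith("max-age=") and d.strip().lower() != "max-age=0"
                     for d in hsts.split(";")):
            findings.append("HSTS header lacks a positive max-age")
    # Every cookie needs Secure, or a plaintext request PoisonTap triggers will carry it.
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} set without the Secure flag")
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_HTTP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Set-Cookie: session=abc123; Path=/; HttpOnly\r\n\r\n<html>login</html>")
HARDENED_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\n"
                  "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                  "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>ok</html>")

if __name__ == "__main__":
    for label, raw, tls in (("weak", WEAK_HTTP, False), ("http", HARDENED_HTTP, False),
                            ("https", HARDENED_HTTPS, True)):
        print(label, audit_response(raw, tls) or "OK")
```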