PoisonTap Steals Cookies, Drops Backdoors on Password-Protected Computers

Samy Kamkar’s latest hacking device, PoisonTap, can steal HTTP cookies from millions of websites and install persistent web-based backdoors.

Even locked, password-protected computers are no rival for Samy Kamkar and his seemingly endless parade of gadgets.

His latest, PoisonTap, is a $5 Raspberry Pi Zero device running Node.js that’s retrofitted to emulate an Ethernet device over USB. Assuming a victim has left their web browser open, once plugged into a machine, the device can quietly fetch HTTP cookies and sessions from millions of websites, even if the computer is locked.

If that alone doesn’t sound like Mr. Robot season three fodder, the device can also expose the machine’s internal router and install persistent backdoors, guaranteeing an attacker access long after they’ve removed the device from a USB slot.

“[The device] produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors,” Kamkar said Wednesday in a writeup of PoisonTap.

According to Kamkar, who released an “Applied Hacking” video in tandem with the writeup, Windows and OS X machines recognize his device and load it as a low-priority network device. The device engages with DHCP requests, gives the machine an IP address, and allows the machine to re-route all internet traffic through PoisonTap.

“As long as a browser is running on the machine and an HTTP request is made automatically – such as through an ad, AJAX request, or other dynamic web content, which happens on most sites, even when the browser is entirely in the background, PoisonTap intercepts the request and responds with attack code that’s interpreted by the browser,” Kamkar says in the video.

In addition to being able to siphon up internet traffic, PoisonTap installs a remotely accessible web-based backdoor in the HTTP cache of many domains. It only takes a few seconds for PoisonTap to do its job; the WebSocket-based backdoors linger after the attacker has removed the device, giving attackers with a command and control server an easy way into the machine after the initial hack.

“Whenever the websocket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” Kamkar says.

The contraption also exposes victims’ routers, making it so the attacker can remotely force HTTP requests and proxy back responses using the victim’s cookies on backdoored sites without the user being any the wiser.

“Because a backdoor is left on each domain, this allows the attacker to remotely force the backdoored browser to perform same-origin requests (AJAX GET/POSTs) on virtually any major domain, even if the victim does not currently have any open windows to that domain,” Kamkar wrote.

Because PoisonTap exposes the router – something the attacker may not have even had access to in the first place – it can lead to a wave of secondary attacks.

If the router is running default admin credentials, the attacker could use it to overwrite its DNS servers or expose additional authentication vulnerabilities, he warns.

In addition to bypassing password-protected lock screens, the device breaks a handful of mechanisms designed to safeguard browsers, including the same-origin policy, cross-origin resource sharing (CORS) and DNS pinning, to name a few.

As Kamkar does for most of his research, he’s published the PoisonTap source code for free on GitHub.

Web servers looking to thwart PoisonTap attacks should use HTTPS exclusively, in addition to HSTS to prevent any HTTPS downgrade attacks, according to Kamkar.
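As an added illustration of that advice (this is not code from the article or from the PoisonTap project), the script below audits a raw HTTP response for the server-side defences named above: an HSTS header with a positive max-age, plus the Secure attribute on each Set-Cookie, since a cookie without it is sent in plaintext on any HTTP request and is exactly what a PoisonTap-style interceptor collects. Both sample responses are constructed for the demo.

```python
import re

# Constructed sample: plaintext-capable site, session cookie lacks Secure, no HSTS.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
"""

# Constructed sample: HTTPS-only site with a one-year HSTS policy and a Secure cookie.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw):
    """Split a raw HTTP/1.1 response (status line plus headers) into (name, value) pairs."""
    lines = raw.strip().splitlines()
    pairs = []
    for line in lines[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Report whether HSTS is enforced and which cookies would leak over plain HTTP."""
    findings = {"hsts": False, "hsts_max_age": 0, "insecure_cookies": []}
    for name, value in parse_headers(raw):
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            if m and int(m.group(1)) > 0:
                findings["hsts"] = True
                findings["hsts_max_age"] = int(m.group(1))
        elif name == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            cookie_name = attrs[0].split("=", 1)[0]
            if "secure" not in attrs[1:]:
                findings["insecure_cookies"].append(cookie_name)
    return findings


def is_hardened(raw):
    """True only when HSTS is set and every cookie carries the Secure attribute."""
    f = audit_response(raw)
    return f["hsts"] and not f["insecure_cookies"]


if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```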

Kamkar said users looking to prevent a PoisonTap attack can do away with USB and Thunderbolt ports altogether; adding cement to the ports “can be effective,” he writes.

A less drastic move – making sure users close their browser before walking away from their machines – can be effective as well, Kamkar says, but impractical.

Kamkar told Threatpost he was sleep deprived on a plane one morning when he came up with the idea for the device.

“Was sleep deprived on a plane one morning and considered that maybe you can gain network access on a locked machine… tested it, it worked,” Kamkar said, adding that from there he “just started building automated network attacks together for a while until it seemed to be an effective demonstration of why a locked computer is not actually secure.”

The device is the latest in a long line of nifty Kamkar devices over the last several years, including OpenSesame, which opened garage doors with a $12 child’s toy, KeySweeper, which allowed Kamkar to passively sniff, decrypt, and record keystrokes on Microsoft wireless keyboards, and OwnStar, a device that allowed him to intercept traffic from phones to vehicles running OnStar.

The Raspberry Pi, a credit card-sized single-board computer, has figured into several of those devices. With PoisonTap, Kamkar only added a micro-USB cable and microSD card to the existing 65 mm x 30 mm base.
