Security researcher Samy Kamkar rolled out a new hacking tool dubbed PoisonTap that can crack into a locked computer fully exposing the device to a myriad of potential hacking problems.
The PoisonTap device is built on a $5 (£4) Raspberry Pi Zero motherboard and initially has to be connected to the targeted computer, Windows or Mac, through its USB port, Kamkar said in a blog post. PoisonTap is described as a combination of different software types that reside on the computer. Once plugged in it spoofs the computer into believing the device is actually an Ethernet connection, creating for itself a “man-in-the-middle position” and at that point the target device is laid open to the attacker.
“When plugged into a locked or password protected computer it takes over all the internet traffic momentarily,” Kamkar said in the video below, adding, “PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.”
After grabbing the web traffic the tool siphons and stores HTTP cookies for the Alexa 1 million websites, exposes the internal router to the attacker, which then makes it accessible remotely and installs a persistent web-based backdoor. This means even after the tool is disconnected the computer can be remotely accessed and controlled.
PoisonTap convinces the targeted computer to give it access by responding “to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 - 255.255.255.255) is part of the PoisonTap's local network, rather than a small subnet (eg 192.168.0.0 - 192.168.0.255),” Kamkar wrote.
"The brilliance of the attack is actually in its simplicity: the most complex code in PoisonTap is the beautiful HTML5 canvas animation by Ara. On a $5 Raspberry Pi, Samy pulled together several clever attacks that add up to something really masterful," Craig Smith, research director transportation security for Rapid7, told SC Media in an email.