Researcher intercepts unencrypted internet traffic from locked PC
Security researcher Samy Kamkar has developed a tool called “PoisonTap” that allows him to steal unencrypted web traffic from a locked computer. This is possible by attaching a Raspberry Pi to the PC that presents itself as an Ethernet network adapter.
In this way, an attacker is able to steal authentication cookies, for example, Kamkar writes on his website. With those cookies, a malicious person can then log into the victim’s accounts. Kamkar developed PoisonTap for a Raspberry Pi Zero, but it also works with a LAN Turtle or USB Armory. The software causes the device to pretend to be an Ethernet network when it is connected to a computer. This also works with computers that are locked.
Via a DHCP response, the device then informs the computer that the entire IPv4 address space is part of its network. This gives the malicious network priority over the computer’s other network connections. As long as the locked computer has a web browser running with an open window that sends an HTTP request, the PoisonTap device can redirect that request to its own Node.js web server. Using hidden iframes, PoisonTap then connects to the million most popular sites in the Alexa list.
In addition, the malicious web server can choose which headers it sends, according to Kamkar. The device is able to steal all cookies that are sent over an HTTP connection. It is also possible to intercept cookies on an HTTPS connection, as long as they do not carry the Secure flag. In addition, the iframes act as HTML and JavaScript backdoors that are cached with no expiry. As a result, they remain in the browser cache even after the PoisonTap device is disconnected.
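The DHCP step above is something a defender can check for on the client side: a legitimate DHCP offer places one LAN on-link, not the whole IPv4 address space. The following added example (written for this article, not Kamkar’s code or part of PoisonTap) parses the option area of a DHCP offer, decodes the subnet mask (option 1) and any RFC 3442 classless static routes (option 121), and flags any on-link network that is broader than a chosen threshold. The threshold `MAX_LAN_PREFIX_BITS` and the two sample offers are constructed for illustration; the exact DHCP values PoisonTap sends are not given in the article.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumption for this example: a real LAN is practically never broader than a /8.
# Anything shorter than this prefix claims an implausibly large on-link range.
MAX_LAN_PREFIX_BITS = 8


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the DHCP option area (bytes after the magic cookie) into {code: value}.

    Handles pad (0) and end (255); repeated codes are concatenated (RFC 3396).
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def classless_routes(data: bytes) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]]:
    """Decode option 121: width byte, ceil(width/8) destination octets, 4-byte router."""
    routes = []
    i = 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError("bad prefix width")
        n = (width + 7) // 8
        dest = data[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = data[i + 1 + n:i + 5 + n]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        routes.append((ipaddress.IPv4Network((dest, width), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def offered_networks(opts: Dict[int, bytes], yiaddr: str) -> List[ipaddress.IPv4Network]:
    """Every network the offer declares on-link: the mask-derived LAN plus option 121 routes."""
    nets = []
    mask = opts.get(1)
    if mask and len(mask) == 4:
        netmask = str(ipaddress.IPv4Address(mask))
        nets.append(ipaddress.IPv4Network((yiaddr, netmask), strict=False))
    if 121 in opts:
        nets.extend(net for net, _router in classless_routes(opts[121]))
    return nets


def suspicious_offer(opts: Dict[int, bytes], yiaddr: str) -> List[str]:
    """Return one finding per on-link network that is implausibly broad."""
    findings = []
    for net in offered_networks(opts, yiaddr):
        if net.prefixlen < MAX_LAN_PREFIX_BITS:
            findings.append(f"offer puts {net} on-link ({net.num_addresses} addresses)")
    return findings


# Constructed sample option areas (not captured traffic):
# benign: mask 255.255.255.0, router 192.168.1.1
BENIGN_OFFER = bytes([1, 4, 255, 255, 255, 0, 3, 4, 192, 168, 1, 1, 255])
# hostile: mask 0.0.0.0 plus two /1 routes that together cover all of IPv4
HOSTILE_OFFER = bytes([1, 4, 0, 0, 0, 0,
                       121, 12, 1, 0x00, 10, 0, 0, 1,
                               1, 0x80, 10, 0, 0, 1,
                       255])

if __name__ == "__main__":
    for label, raw, ip in (("benign", BENIGN_OFFER, "192.168.1.50"),
                           ("hostile", HOSTILE_OFFER, "10.0.0.5")):
        print(label, suspicious_offer(parse_dhcp_options(raw), ip) or "ok")
```

Run against the two constructed offers, the benign one yields no findings while the hostile one yields three (the /0 derived from the all-zero mask and the two /1 routes). In practice the same check can be applied to the routing table after a new interface comes up, which is where a PoisonTap-style adapter shows up as a freshly added, very broad on-link route.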
By creating a WebSocket, the attacker can reconnect to the victim’s computer at a later time and perform other attacks. The backdoors also allow remote access to the victim’s router. In this way it is possible to get to the administrator settings, for example because the victim uses default logins.
Note that an attacker must have physical access to the computer to perform this attack. Kamkar reports that it is possible to protect against it by using only encrypted HTTPS connections in combination with Secure cookies. Closing the browser each time you leave the computer and disabling USB and Thunderbolt ports also helps.
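The two server-side mitigations named here, serving only over HTTPS and marking cookies Secure, are easy to verify from a raw response. The following added example (not part of the article or of PoisonTap) parses the header block of an HTTP response, reports session cookies that lack the Secure, HttpOnly or SameSite attributes, and notes a missing Strict-Transport-Security header, which is what enforces the HTTPS-only policy the article recommends. The two sample responses are constructed for illustration.

```python
from typing import Dict, List, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, object]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _sep, _value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def parse_headers(raw_response: str) -> List[Tuple[str, str]]:
    """Return [(lowercased header name, value)] from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # skip the status line
    headers = []
    for line in lines:
        name, _sep, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_response(raw_response: str) -> List[str]:
    """List the weaknesses a PoisonTap-style cookie thief would benefit from."""
    headers = parse_headers(raw_response)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header (HTTP fallback possible)")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure (sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly (readable by injected script)")
        if "samesite" not in attrs:
            findings.append(f"cookie {cookie} lacks SameSite (sent by hidden iframes)")
    return findings


# Constructed sample responses (not captured traffic).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "ok")
```

The weak response produces four findings and the hardened one none. SameSite is checked in addition to the two attributes the article names because the technique relies on hidden cross-site iframes to trigger the cookie-bearing requests, and a SameSite cookie is not attached to those.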
In a similar attack, security researcher Rob Fuller recently demonstrated how he could steal credentials from a locked Mac or Windows computer using a USB Ethernet adapter. Kamkar previously developed other attacks, including a device that eavesdrops on keystrokes and children’s toys that allowed him to open garage doors.
Demonstration of the attack