PoisonTap: The Tiny Internet-Hijacking, Cookie-Stealing, Backdoor-on-a-Board

A renowned hardware hacker has released a cheap USB device that, when plugged in to any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after device is removed.
Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background. The entire attack takes no more than a minute, Kamkar said.
Once plugged in to a target computer, the PoisonTap will emulate a USB Ethernet device and Windows and OS X both will recognize it as a low-priority network device. The operating system will then send a DHCP request to the device.
“PoisonTap responds to the DHCP request and provides the machine with an IP address, however the DHCP response is crafted to tell the machine that the entire IPv4 space (0.0.0.0 – 255.255.255.255) is part of the PoisonTap’s local network, rather than a small subnet (eg 192.168.0.0 – 192.168.0.255),” Kamkar said in a post explaining PoisonTap’s functionality.
“Normally it would be irrelevant if a secondary network device connects to a machine as it will be given lower priority than the existing (trusted) network device and won’t supersede the gateway for Internet traffic, but…Any routing table / gateway priority / network interface service order security is bypassed due to the priority of ‘LAN traffic’ over ‘Internet traffic.’ PoisonTap exploits this network access, even as a low priority network device, because the subnet of a low priority network device is given higher priority than the gateway (default route) of the highest priority network device. This means if traffic is destined to 1.2.3.4, while normally this traffic would hit the default route/gateway of the primary (non-PoisonTap) network device, PoisonTap actually gets the traffic because the PoisonTap ‘local’ network/subnet supposedly contains 1.2.3.4, and every other IP address in existence.”

What that means is that PoisonTap will get all of the Internet traffic from the infected machine, despite the presence of other network devices. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device will perform DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device has the ability to grab cookies from any of the Alexa top one million sites, Kamkar said.
Kamkar is well-known in the security community for producing innovative devices along these lines. In addition to PoisonTap, he’s released KeySweeper, a remote key logger disguised as a USB phone charger, SkyJack, a drone that can hack other drones, and MagSpoof, a small device that can emulate any credit or debit card.
Along with its cookie-siphoning and traffic-hijacking capabilities, PoisonTap also installs a persistent backdoor that an attacker could reach via the web. During the cookie-siphoning operation, PoisonTap produces iframes for thousands of domains, which then serve as backdoors.
“While PoisonTap was producing thousands of iframes, forcing the browser to load each one, these iframes are not just blank pages at all, but rather HTML+Javascript backdoors that are cached indefinitely. Because PoisonTap force-caches these backdoors on each domain, the backdoor is tied to that domain, enabling the attacker to use the domain’s cookies and launch same-origin requests in the future, even if the user is currently not logged in,” Kamkar said.
The code for PoisonTap is available on GitHub. Kamkar said OS vendors can protect against this kind of attack by being stricter about the way they recognize USB devices.
“I would suggest OS’s to not load USB devices (other than mouse/keyboard) while the machines are password protected. Also, asking the user to load new USB devices such as network devices while unlocked would also be beneficial,” he said via email.
Image: Lucas Dumrauf, public domain.