You probably know by now that plugging a random USB into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar‘s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities—ones that open your network to any hacker who can get momentary access to them, even when your computer is locked.
Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.
“In a lot of corporate offices, it’s pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it,” Kamkar says. The computer may be locked, he says, but PoisonTap “is still able to take over network traffic and plant the backdoor.”
Rather than installing malware, which can often be easily detected, PoisonTap creates its backdoor access by hiding malicious code in the victim’s browser cache. “This is going to be really hard to detect,” says Jeremiah Grossman, a web security researcher and chief of security strategy at the firm SentinelOne. “Provided you have physical access, I think it’s actually the most cleverly designed and effective backdoor tool that I’ve seen.”
A Long Chain of Weak Links
Kamkar’s trick works by chaining together a long, complex series of seemingly innocuous software security oversights that only together add up to a full-blown threat. When PoisonTap—a tiny $5 Raspberry Pi microcomputer loaded with Kamkar’s code and attached to a USB adapter—is plugged into a computer’s USB drive, it starts impersonating a new ethernet connection. Even if the computer is already connected to Wifi, PoisonTap is programmed to tell the victim’s computer that any IP address accessed through that connection is actually on the computer’s local network rather than the internet, fooling the machine into prioritizing its network connection to PoisonTap over that of the Wifi network.
With that interception point established, the malicious USB device waits for any request from the user’s browser for new web content; if you leave your browser open when you walk away from your machine, chances are there’s at least one tab in your browser that’s still periodically loading new bits of HTTP data like ads or news updates. When PoisonTap sees that request, it spoofs a response and feeds your browser its own payload: a page that contains a collection of iframes—a technique for invisibly loading content from one website inside another—that consist of carefully crafted versions of virtually every popular website address on the internet. (Kamkar pulled his list from web-popularity ranking service Alexa‘s top one million sites.)
PoisonTap’s initial attack isn’t as serious as it may sound: It only works on sites that use HTTP rather than the far more secure HTTPS protocol, which signals to a browser to only share cookie data with a verified site. But stealing cookies is merely the first in a series of techniques. As the little USB stick loads the collection of site addresses in the user’s browser, it also tricks the browser into storing its own, carefully manipulated version of those sites in its cache—the feature of browsers that maintains pieces of websites on your computer rather than loading them from the web again and again. That’s called cache poisoning, and it means that even after PoisonTap is unplugged, the browser will still continue to load the corrupted version of the sites it planted in the browser’s cache.
Each of the manipulated versions of the sites PoisonTap tucks into the browser’s cache includes a kind of persistent communications channel—what’s known as a websocket—that connects the site back to a server controlled by the hacker. Through hidden iframes, the hacker can make HTTP requests through the cached site backdoors and receive responses, continuing to exploit the victim’s browser without detection long after the hacker has pulled out PoisonTap and walked away. “Their browser basically acts as a tunnel into their local area network,” Kamkar says.
PoisonTap’s cached browser backdoors can allow a hacker to pull off either of two attacks, Kamkar says: He or she can connect via the browser to the victim’s router, cycling through IP addresses to find the device, and then either break in with one of the common exploits affecting routers that are frequently unpatched and out-of-date, or try the default username and password that many still use. That can allow the hacker to eavesdrop on virtually all unencrypted traffic that passes over the victim’s network.
Or if the hacker knows the address of a company’s corporate intranet website—and the site doesn’t use HTTPS, as is often the case for sites restricted to local access—PoisonTap can give the hacker an invisible foothold on the local network to connect to the intranet site and siphon data to a remote server. “If I tell the browser to look up some customer’s data, I can have it sent back to me,” Kamkar says. “That might not have been accessible remotely, but I have a local backdoor.”
No Clear Bug, No Clear Fix
Kamkar’s intention with PoisonTap isn’t to make it easier for stealthy intruders to install backdoors on corporate networks. Instead, he says, he wants to show that even locked computers are more vulnerable than security-conscious users might think. “People feel secure leaving their laptops on their desk at lunch or when they leave the office with a password on the screensaver,” Kamkar says. “That’s clearly not secure.”
One solution, Kamkar proposes, would be for operating systems to ask permission before they connect to a new network device like PoisonTap instead of silently switching over from trusted Wifi. Apple didn’t responded to a request for comment. But a Microsoft spokesperson wrote to WIRED in an email that for PoisonTap to work, “physical access to a machine is required. So, the best defense is to avoid leaving laptops and computers unattended and to keep your software up to date.”
For the time being Kamkar says there’s no easy fix for users. To avoid an attack, he suggests someone would need to set their computer to hibernate rather than sleep, a setting that suspends all processes on the computer and causes it to wake up far more slowly. Or they can close their browser every time they step away from their computer, assiduously clear its cache, or even take the more drastic measure of filling their USB ports with glue. “I personally haven’t found a good, convenient way to solve this on my own computer,” Kamkar says.
The clearest and most troubling lesson, perhaps, is to beware who gets physical access to your PC. With a tool like PoisonTap in hand, a hacker walking unattended around your office may soon be moving freely around your corporate network, too.