PoisonTap, a new exploit tool developed by Samy Kamkar, has the ability to quickly install a backdoor onto computers,...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
even if they have been locked with a strong password. The tool allows attackers to remotely control the computer user's web browser and network, as well as intercept the user's web traffic and authentication cookies. How does PoisonTap work, and why can't devices prevent it from bypassing the password locks?
Prior to this, it was fairly difficult to install new hardware into a PC, and it required configuration. PnP automated this process and made it significantly easier, but many people were uneasy with automatic driver installation, and were concerned that it could become a security issue.
Windows has functionality for only installing drivers signed by developers to reduce the chance a malicious driver will be installed.
When a network driver is installed, it is often automatically configured via the Dynamic Host Configuration Protocol (DHCP) to make it easier for the user to configure the network settings. DHCP has also concerned some because its settings may be set by a malicious DHCP server.
The PoisonTap development from Samy Kamkar may make some enterprises reassess keeping PnP enabled. The attack works by plugging in a malicious USB device and using PnP to install a malicious driver for a network connection where the settings have been changed so that internet traffic passes through the USB device. All of this happens on the operating system automatically behind the scenes. This allows PoisonTap to set up a man-in-the-middle (MitM) attack.
PoisonTap can steal passwords, cookies and more if a user is logged in and has a web browser open. The attack works even if the user has the screen locked, as programs would keep running. While bypassing password locks is a serious threat, attackers in this case must have physical access to a computer to deliver PoisonTap, which lessens the danger.
Kamkar has several recommendations for how enterprises can secure their systems against PoisonTap. For the server side, always using HTTPS could provide some protection, but the MitM attack could also be extended to HTTPS connections.
On the endpoint, USB could be disabled, or a USB firewall could be used to provide protection against USB attacks. Enterprises could also disable PnP to prevent this attack, but this step would need to be tested, and the impact evaluated.
Learn how to differentiate a security backdoor from a vulnerability
Find out how an Android backdoor was created with the Pork Explosion flaw
Read about the challenges faced with remote desktop USB redirection
Dig Deeper on Network Intrusion Prevention (IPS)
Related Q&A from Nick Lewis
An Apache Struts vulnerability is still being exploited, even though it has already been patched. Expert Nick Lewis explains why the Struts platform ...continue reading
A revamped Poison Ivy RAT campaign has been using new evasion and distribution techniques. Expert Nick Lewis explains the new attack methods that ...continue reading
Fileless malware hidden in server memory led to attacks on many companies worldwide. Expert Nick Lewis explains how these attacks fit in with the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.