Q
Problem solve Get help with specific problems with your technologies, process and projects.

How does the PoisonTap exploit bypass password locks on computers?

The PoisonTap exploit can bypass password locks on computers, enabling an attacker to remotely control systems. Expert Nick Lewis explains how the attack works.

PoisonTap, a new exploit tool developed by Samy Kamkar, has the ability to quickly install a backdoor onto computers,...

even if they have been locked with a strong password. The tool allows attackers to remotely control the computer user's web browser and network, as well as intercept the user's web traffic and authentication cookies. How does PoisonTap work, and why can't devices prevent it from bypassing the password locks?

Windows 95 introduced many advances for PCs -- one of them being the inclusion of Plug and Play (PnP) functionality for hardware device drivers and other platforms.

Prior to this, it was fairly difficult to install new hardware into a PC, and it required configuration. PnP automated this process and made it significantly easier, but many people were uneasy with automatic driver installation, and were concerned that it could become a security issue.

Windows has functionality for only installing drivers signed by developers to reduce the chance a malicious driver will be installed.

When a network driver is installed, it is often automatically configured via the Dynamic Host Configuration Protocol (DHCP) to make it easier for the user to configure the network settings. DHCP has also concerned some because its settings may be set by a malicious DHCP server.

The PoisonTap development from Samy Kamkar may make some enterprises reassess keeping PnP enabled. The attack works by plugging in a malicious USB device and using PnP to install a malicious driver for a network connection where the settings have been changed so that internet traffic passes through the USB device. All of this happens on the operating system automatically behind the scenes. This allows PoisonTap to set up a man-in-the-middle (MitM) attack.

PoisonTap can steal passwords, cookies and more if a user is logged in and has a web browser open. The attack works even if the user has the screen locked, as programs would keep running. While bypassing password locks is a serious threat, attackers in this case must have physical access to a computer to deliver PoisonTap, which lessens the danger.

Kamkar has several recommendations for how enterprises can secure their systems against PoisonTap. For the server side, always using HTTPS could provide some protection, but the MitM attack could also be extended to HTTPS connections.

On the endpoint, USB could be disabled, or a USB firewall could be used to provide protection against USB attacks. Enterprises could also disable PnP to prevent this attack, but this step would need to be tested, and the impact evaluated. 

Next Steps

Learn how to differentiate a security backdoor from a vulnerability

Find out how an Android backdoor was created with the Pork Explosion flaw

Read about the challenges faced with remote desktop USB redirection

This was last published in April 2017

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your enterprise secure its systems from USB attacks?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close