Sergey Nivens - Fotolia
PoisonTap, a new exploit tool developed by Samy Kamkar, has the ability to quickly install a backdoor onto computers, even if they have been locked with a strong password. The tool allows attackers to remotely control the computer user's web browser and network, as well as intercept the user's web traffic and authentication cookies. How does PoisonTap work, and why can't devices prevent it from bypassing the password locks?
Prior to this, it was fairly difficult to install new hardware into a PC, and it required configuration. PnP automated this process and made it significantly easier, but many people were uneasy with automatic driver installation, and were concerned that it could become a security issue.
Windows has functionality for only installing drivers signed by developers to reduce the chance a malicious driver will be installed.
When a network driver is installed, it is often automatically configured via the Dynamic Host Configuration Protocol (DHCP) to make it easier for the user to configure the network settings. DHCP has also concerned some because its settings may be set by a malicious DHCP server.
The PoisonTap development from Samy Kamkar may make some enterprises reassess keeping PnP enabled. The attack works by plugging in a malicious USB device and using PnP to install a malicious driver for a network connection where the settings have been changed so that internet traffic passes through the USB device. All of this happens on the operating system automatically behind the scenes. This allows PoisonTap to set up a man-in-the-middle (MitM) attack.
PoisonTap can steal passwords, cookies and more if a user is logged in and has a web browser open. The attack works even if the user has the screen locked, as programs would keep running. While bypassing password locks is a serious threat, attackers in this case must have physical access to a computer to deliver PoisonTap, which lessens the danger.
Kamkar has several recommendations for how enterprises can secure their systems against PoisonTap. For the server side, always using HTTPS could provide some protection, but the MitM attack could also be extended to HTTPS connections.
On the endpoint, USB could be disabled, or a USB firewall could be used to provide protection against USB attacks. Enterprises could also disable PnP to prevent this attack, but this step would need to be tested, and the impact evaluated.
Learn how to differentiate a security backdoor from a vulnerability
Find out how an Android backdoor was created with the Pork Explosion flaw
Read about the challenges faced with remote desktop USB redirection
Dig Deeper on Network Intrusion Prevention (IPS)
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading