19 November 2016

WICKEDLY CLEVER USB STICK INSTALLS A BACKDOOR ON LOCKED PERSONAL COMPUTERS (PC)/LAPTOPS; USB DONGLE TAKES ADVANTAGE OF DESIGN FLAWS PRESENT IN VIRTUALLY EVERY PC OPERATING SYSTEM & WEB BROWSER

by RC Porter 
November 17, 2016 

Andy Greenberg had an article in the November 16, 2016 edition of WIRED.com, with the title above. Mr. Greenberg began his article with this analogy: “You probably know by now that plugging a random USB into your computer/laptop is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But, serial hacker Samy Kamkar’s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities — ones that open up your network to any hacker who can get momentary access to them, even when your computer is locked.”

Mr. Greenberg was part of an audience this week that gathered to see Mr. Kamkar demonstrate how a device he calls PoisonTap can infiltrate/breach security firewalls and compromise just about any locked or unlocked personal computer (PC). The PoisonTap is “a tiny USB dongle, that — whether plugged into a locked, or unlocked PC, installs a set of web-based back doors — that in many cases, allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router,” Mr. Greenberg wrote. “Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.”

“In a lot of corporate offices, it’s pretty easy [to pull off this hack]. You walk around, find a computer, plug in a PoisonTap for a minute; and, then unplug it,” Mr. Kamkar said. “The computer may be locked; but, PoisonTap is still able to take over network traffic and plant the back door.”

“Rather than installing malware, which can often be easily detected, PoisonTap creates its backdoor access by hiding malicious code in the victim’s browser cache,” Mr. Greenberg wrote. “This is going to be really hard to detect,” said Jeremiah Grossman, a web security researcher, and Chief of Security Strategy at the firm Sentinel One. “Provided you have physical access, I think it is the most cleverly designed and effective backdoor I have seen.”

A Long Chain Of Weak Links

Mr. Greenberg says that “Kamkar’s [digital] trick works, by chaining together a long, complex series of seemingly innocuous software security oversights, that only together add up to a full-blown threat. When PoisonTap, a tiny $5 Raspberry Pi microcomputer loaded with Kamkar’s code and attached to a USB adapter — is plugged into a computer’s USB drive, it starts impersonating a new Ethernet connection. Even if the [targeted] computer is already connected to WiFi, PoisonTap is programmed to tell the victim’s computer that any IP address accessed through that connection, is actually on the computer’s local network — rather than the Internet — fooling the machine into prioritizing its network connection to PoisonTap, over that of the WiFi network.”
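A defender-side check for the route trick just described, added here as an illustration and not part of WIRED’s or Kamkar’s code. It assumes the “any IP address is local” effect is achieved by handing the host a lease whose on-link subnet mask spans the whole IPv4 space, and flags leases whose on-link prefix is implausibly large or whose address falls outside private space; the sample leases are constructed.

```python
import ipaddress

# Constructed sample leases (not captured from a real device).  Each records what a
# host learned when an interface came up: the first is an ordinary office Wi-Fi
# lease, the second mimics a USB "Ethernet" gadget claiming that the whole IPv4
# space is on its local link, so the host prefers that link over its real route.
SAMPLE_LEASES = [
    {"iface": "wlan0", "ip": "192.168.1.23", "mask": "255.255.255.0", "router": "192.168.1.1"},
    {"iface": "usb0", "ip": "1.0.0.2", "mask": "0.0.0.0", "router": "1.0.0.1"},
]

# Assumption: an end-user device is never legitimately told its local link is wider than a /16.
MAX_ONLINK_ADDRESSES = 2 ** 16


def audit_lease(lease):
    """Return reasons this lease looks like a route hijack; an empty list means it looks normal."""
    reasons = []
    onlink = ipaddress.ip_network(f"{lease['ip']}/{lease['mask']}", strict=False)
    if onlink.num_addresses > MAX_ONLINK_ADDRESSES:
        # A directly connected prefix beats the default route, so a huge on-link
        # prefix pulls Internet-bound traffic onto this interface.
        reasons.append(
            f"{lease['iface']}: on-link prefix {onlink} covers {onlink.num_addresses} "
            "addresses; Internet traffic would be routed to this link instead of the gateway"
        )
    if not ipaddress.ip_address(lease["ip"]).is_private:
        reasons.append(f"{lease['iface']}: assigned address {lease['ip']} is outside RFC 1918 space")
    return reasons


def audit_all(leases):
    """Map each interface name to its findings, keeping only interfaces with problems."""
    return {lease["iface"]: audit_lease(lease) for lease in leases if audit_lease(lease)}


if __name__ == "__main__":
    for iface, reasons in audit_all(SAMPLE_LEASES).items():
        print(iface)
        for reason in reasons:
            print("  -", reason)
```

On a real host the same logic can be fed from the DHCP client's lease file or a network-manager hook that fires when a new interface comes up.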

Once the interception point is established [the point of entry], “the malicious USB device waits for any request from the user’s browser for new web content; if you leave your browser open when you walk away from your machine, chances are there’s at least one tab in your browser that’s still periodically loading new bits of HTTP data like ads, or news updates. When PoisonTap sees that request, it spoofs a response, and feeds your browser its own payload: a page that contains a collection of iframes — a technique for invisibly loading content from one website inside another — that consist of carefully crafted versions of virtually every popular website address on the Internet,” Mr. Greenberg wrote.

“As it loads that long list of site addresses, PoisonTap tricks your browser into sharing any cookies it’s stored from visiting them; and, writes all of that cookie data to a text file on the USB stick,” Mr. Greenberg wrote. “Sites use cookies to check if a visitor has recently logged into the page, allowing visitors to avoid doing so repeatedly. So that list of cookies allows any hacker who walks away with the PoisonTap and its stored text file to access the user’s account on those sites.”

Poisoned Caches

“PoisonTap’s initial attack isn’t as serious as it may sound,” Mr. Greenberg writes. “It only works on sites that use HTTP, rather than the far more secure HTTPS protocol, which signals the browser to only share cookie data with a verified site. But stealing cookies,” he writes, “is merely the first in a series of techniques. As the little USB stick loads the collection of site addresses in the user’s browser, it also tricks the browser into storing its own, carefully manipulated version of those sites in its cache — the feature of browsers that maintains pieces of websites on your computer, rather than loading them from the web again, and again. That’s called cache poisoning, and it means that even after PoisonTap is unplugged, the browser will still continue to load the corrupted version of the sites it planted in the browser’s cache,” he wrote.
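The two site-side protections the paragraph alludes to are HSTS (the browser refuses to speak plain HTTP to the host at all) and the Secure cookie attribute (the cookie is never attached to an http:// request). The audit below, added here as an example and not code from the article or from PoisonTap, checks a server’s response headers for both; the sample responses are constructed.

```python
# Constructed sample responses (not real captures), as a site operator would see them
# when inspecting what two hosts send back.  "bank.example" is configured so a browser
# never speaks plain HTTP to it and never attaches its session cookie to an http://
# request; "intranet.example" has neither protection.
SAMPLE_RESPONSES = {
    "bank.example": (
        "HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Set-Cookie: session=abc123; Secure; HttpOnly; Path=/\r\n"
        "\r\n"
    ),
    "intranet.example": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: session=def456; Path=/\r\n"
        "Cache-Control: max-age=86400\r\n"
        "\r\n"
    ),
}


def parse_headers(raw):
    """Split a raw response into (lowercased name, value) pairs, stopping at the blank line."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw):
    """Return findings that would let a plain-HTTP impersonator on the local link succeed."""
    findings = []
    headers = parse_headers(raw)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no HSTS: the browser will still issue plain-HTTP requests to this host")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name!r} lacks Secure: it rides along on http:// requests")
    return findings


def audit_hosts(responses):
    """Map each host to its findings, keeping only hosts with something to fix."""
    return {host: audit_response(raw) for host, raw in responses.items() if audit_response(raw)}
```

Browsers only honour Strict-Transport-Security when it arrives over HTTPS, so run the audit against the TLS endpoint; the internal, HTTP-only intranet sites the article mentions are exactly the hosts that fail it.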

“Each of the manipulated versions of the sites PoisonTap tucks into the browser’s cache includes a kind of persistent communications channel — what’s known as a websocket — that connects the site back to a server controlled by the hacker. Through hidden iframes, the hacker can make HTTP requests through the cached site backdoors, and receive responses, continuing to exploit the victim’s browser without detection — long after the hacker has pulled out PoisonTap, and walked away,” Mr. Greenberg warned. “Their browser basically acts as a tunnel into their local area network,” Mr. Kamkar said.

“PoisonTap’s cached browser backdoors can allow a hacker to pull off either of two attacks,” Kamkar said: “He, or she can connect via the browser, to the victim’s router, cycling through IP addresses to find the device, and then either break in with one of the common exploits affecting routers that are frequently unpatched, and out of date, or try the default username and password/s that many still use. That can allow the hacker to eavesdrop on virtually all unencrypted traffic that passes over the victim’s network.”

“Or, if the hacker knows the addresses of a company’s corporate intranet website — and the site doesn’t use HTTPS, as is often the case for sites restricted to local access — PoisonTap can give the hacker an invisible foothold on the local network to connect to the intranet site; and, siphon data to a remote server,” Mr. Greenberg wrote. “If I tell the browser to look up some customer’s data, I can have it sent back to me,” Kamkar said. “That might not have been accessible remotely, but I have a local backdoor,” he added.

No Clear Bug, No Clear Fix

“Kamkar’s intention with PoisonTap isn’t to make it easier for stealthy intruders to install backdoors on corporate networks,” Mr. Greenberg notes. “Instead,” he says, “he wants to show that even locked computers are more vulnerable than security-conscious users might think.” “People feel secure leaving their laptops on their desk at lunch, or when they leave the office with a password on screensaver,” Kamkar says. “That’s clearly not secure.”

“One solution, Kamkar proposes, would be for operating systems to ask permission before they connect to a new network device like PoisonTap — instead of silently switching over from trusted WiFi. Apple didn’t respond to a request for comment,” Mr. Greenberg wrote. “But a Microsoft spokesperson wrote to WIRED in an email that for PoisonTap to work, ‘physical access to a machine is required. So, the best defense is to avoid leaving laptops and computers unattended; and, to keep your software up to date.’”

“For the time being,” Mr. Kamkar told WIRED, “there’s no easy fix for users. To avoid an attack, he suggests someone would need to set their computer to hibernate, rather than sleep, a setting that suspends all processes on the computer, and causes it to wake up far more slowly. Or, they can close their browser every time they step away from their computer, assiduously clear its cache, or even take the more drastic measure of filling their USB ports with glue.” “I personally haven’t found a good, convenient way to solve this on my own computer,” Mr. Kamkar said.

“The clearest, and most troubling lesson, perhaps, is to beware who gets physical access to your PC,” Mr. Greenberg recommends. “With a tool like PoisonTap in hand, a hacker walking unattended around your office may soon be moving freely around your corporate network too.”

Some Parting Thoughts

This kind of attack is very worrisome, as only a $5 device and momentary access to a PC are needed to pull it off. Once PoisonTap is plugged in, it masquerades as an Ethernet device; the PC accepts it as a new network connection and starts routing its traffic through it. The fact that this technique works even on a locked PC is really troubling, since an individual who conscientiously locks their computer when not in use is still vulnerable to it. The good news is that one still needs physical access to the targeted device, however fleeting, to carry out this kind of attack.

What I wonder is — is there any digital trace left behind that would in any way inform you that your system had been breached; and, where did the digital hackers spend most of their time — once they got access to the PC and/or enterprise? Is there any digital evidence as to how much, and what they took? Can this method of breach allow the hackers to download and exfiltrate the purloined data in a secure, and stealthy manner? Or, is there a way to know what they took, even if they tried to cover their digital tracks? Perhaps even more worrisome — can the hackers insert bad data, that looks authentic, into the corporate data — in such a manner as to be difficult to highlight — before such bad information is acted upon, and perhaps causes a catastrophic meltdown, or worse? How do you know your system/enterprise is clean; and, there are no stay-behinds, or Trojan Horses that are the gifts that keep on giving, for an extended period of time? Is there a way to set a digital trap for anyone/entity that uses this technique — so that when the hacker removes the USB dongle device, the dongle device is infected — allowing the victimized person, or entity to follow the digital trail back to the perpetrator; and, perhaps even get inside their PC, or network enterprise, and cause a little havoc of your own? V/R, RCP