Do you really want to let your laptop out of your sight? Samy Kamkar’s latest “applied hack” will make you queasy about what can be done to you and your laptop even if you password-protect it when you leave for lunch.
You might remember Kamkar from our coverage of his 2015 garage door hack using a Mattel Radica Girltech IM-ME texting toy, or his DIY combination lock-picking robot, printable on your 3D printer. Or, back in the day, from his MySpace worm that grabbed 1 million friends, a felony conviction, 90 days of community service and three years’ probation.
For many, though, his latest hack might be the most troubling of all: it shows just how much havoc can be wrought with physical access to a USB port. All it takes, Kamkar demonstrates, is a $5 (£4) Raspberry Pi Zero board running Linux and his own freely available software.
Kamkar’s “PoisonTap” hack is as elegant as it’s frightening. As Wired puts it:
Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.
You can walk through the attack yourself with Kamkar’s niftily produced YouTube video, but here’s a quick overview. Plug the board into a USB port via a Micro-USB cable, and it tells your computer it’s an Ethernet device running over USB. Windows and OSX happily load it and send it a DHCP request.
PoisonTap answers with a DHCP response “crafted to tell the machine that the entire IPv4 space (0.0.0.0 – 255.255.255.255) is part of PoisonTap’s local network”. Your computer thinks it’s dealing with local LAN traffic – which it automatically prioritizes over internet traffic. The result: in moments, you’ve given PoisonTap temporary control over all internet traffic to and from your computer.
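Why a "local" route beats your real internet connection comes down to longest-prefix matching in the host's routing table. The following is an added illustration, not code from PoisonTap or the article: it models a constructed routing table in which the rogue USB adapter has advertised the whole IPv4 range as on-link (expressed here as the two /1 halves 0.0.0.0/1 and 128.0.0.0/1, an assumption about how "the entire IPv4 space" is encoded) and shows that even with a worse metric the more specific prefix wins. Interface names, metrics and addresses are made up for the example.

```python
import ipaddress

# Constructed routing table for the example. wlan0 is the host's real uplink;
# usb0 is the USB Ethernet device the Pi Zero claims to be. Metrics and
# interface names are assumptions, not values from the article.
ROUTES = [
    # (prefix, interface, gateway, metric)
    ("0.0.0.0/0", "wlan0", "192.168.1.1", 10),   # legitimate default route
    ("192.168.1.0/24", "wlan0", None, 10),        # the real LAN
    # Routes the host accepts from the rogue DHCP server: two /1 prefixes
    # cover 0.0.0.0-255.255.255.255 and are more specific than /0.
    ("0.0.0.0/1", "usb0", None, 100),
    ("128.0.0.0/1", "usb0", None, 100),
]


def select_route(dst, routes=ROUTES):
    """Longest-prefix match, as an IP stack does it: the most specific
    matching prefix wins; the metric only breaks ties between prefixes of
    equal length. Returns (interface, gateway) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best is None or key > best[0]:
            best = (key, iface, gw)
    return (best[1], best[2]) if best else None


def egress_interfaces(dsts, routes=ROUTES):
    """Map each destination to the interface its traffic would leave on."""
    return {d: select_route(d, routes)[0] for d in dsts}


if __name__ == "__main__":
    # 192.0.2.10 and 1.2.3.4 stand in for arbitrary internet hosts.
    for dst, iface in egress_interfaces(["192.0.2.10", "1.2.3.4", "192.168.1.50"]).items():
        print(f"{dst:>15} -> {iface}")
```

Internet-bound traffic now leaves via usb0 while the real LAN (/24) is untouched, which is why the hijack is silent: nothing on the local network looks wrong.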
Now, says Kamkar, “it siphons and stores all HTTP cookies for the top 1 million websites… exposes the internal router to the attacker, making it accessible remotely… [and] installs a web-based backdoor in HTTP cache for hundreds of thousands of domains”.
As TechCrunch points out, while you’re outside downing your Starbucks latte, “pre-loaded items like analytics and ads will [still] be active, and as soon as one of them sends an HTTP request – BAM, PoisonTap responds with a barrage of data-caching malicious iframes for the top million Alexa sites”.
Now, it also starts exfiltrating your cookies. But all this is just the beginning of PoisonTap’s mischief. It cache-poisons the domains it connects with, and force-caches a websocket-based backdoor to the attacker’s command-and-control server. Of course, attackers can now execute their own JavaScript code through your browser.
By now, you’re well and truly pwned. Kamkar’s device uses malicious iframes to earn same-origin rights on domains of interest. Now it can use your own cookies to make requests, and view the responses. It then performs a persistent DNS rebinding attack to create another backdoor into your router, compromising your network.
All this typically happens in a minute or less. The attacker can then grab his five-dollar PoisonTap and wander away. With the device no longer present, the backdoors it left behind automatically redirect their traffic to the attacker’s remote server of choice.
So, what can you do about all this? If you’re running a webserver, Kamkar says, protect your users by requiring HTTPS and using the Secure flag on all cookies, so they can’t leak into insecure HTTP traffic.
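To see why the Secure flag matters here, the following added example (not code from the article or from Kamkar) parses Set-Cookie headers, flags cookies missing Secure or HttpOnly, and models which stored cookies a browser would attach to a plain-HTTP request such as the analytics or ad request PoisonTap waits for. The cookie jar is constructed sample data; domain and path matching are deliberately omitted.

```python
from urllib.parse import urlsplit

# Constructed sample jar: what a site might have set in the user's browser.
SAMPLE_JAR = [
    "sessionid=CONSTRUCTED1; Path=/; HttpOnly",            # no Secure flag
    "csrftoken=CONSTRUCTED2; Path=/; Secure; HttpOnly",   # hardened
    "prefs=dark; Path=/",                                  # neither flag
]


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs). Attribute names are
    lower-cased; valueless flags such as Secure and HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name.strip(), attrs


def cookie_findings(header):
    """Audit one Set-Cookie header; returns (name, list of finding codes)."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if not attrs.get("secure"):
        findings.append("no-secure")    # will ride along on plain HTTP
    if not attrs.get("httponly"):
        findings.append("no-httponly")  # readable by injected JavaScript
    return name, findings


def cookies_sent_to(url, jar):
    """Names of jar cookies a browser attaches to a request for url.
    Secure cookies are withheld unless the scheme is https."""
    scheme = urlsplit(url).scheme
    sent = []
    for header in jar:
        name, attrs = parse_set_cookie(header)
        if attrs.get("secure") and scheme != "https":
            continue
        sent.append(name)
    return sent


if __name__ == "__main__":
    for header in SAMPLE_JAR:
        print(cookie_findings(header))
    print("http leak:", cookies_sent_to("http://example.com/analytics.js", SAMPLE_JAR))
```

Only the non-Secure cookies reach the rogue gateway over HTTP, so marking every cookie Secure (and serving the site over HTTPS) removes exactly what the attack harvests.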
If you’re a laptop user and not ready to cement your USB ports shut, closing your browsers will help, as will using your laptop’s hibernation or sleep function. Best of all: take your laptop with you, or lock it in a drawer. Yeah, that’s what the world is coming to.
stvkelloggblog
Thanks for the great (but scary) article. I was wondering if PoisonTap can run on a PC that doesn’t currently have a logged in user.
Steve
Paul Ducklin
Seems like it. Network interfaces are set up and configured for the computer as a whole, not just for a specific user.
Mike
Time for everyone to set a bios password I guess…
wkitty42
That won’t do any good if the machine is already turned on and a USB NIC (or something that says it is one) is plugged in to a USB port…
anon
This fits right in with Rasberry Pi roll jam hacks for keyless entry systems. Got any advice for protecting your car against that one? Looks like the world just got a whole lot smaller.
Paul Ducklin
A hasp, a door latch, an electric drill, a blind pop-rivet gun and a padlock :-)
Mahhn
Take an old smartphone, set it up so it’s powered off the car battery, and install a Find Me program on it. Install a motion detection program on it, set it to be enabled/disabled remotely with your normal phone (maybe by Bluetooth proximity to your normal phone), and have it send you alerts when in motion.
2072
I thought I had noticed that Windows would not install any USB device while the computer is locked or when no user is logged on. Am I wrong?
Maybe Plug&Play should be upgraded to Plug&AskToPlay…
Retr0
That’s the genius of it. It emulates a network connection, not a USB connection. Since the computer thinks it’s dealing with an ethernet cable it will just assume it’s safe and connect. Windows 10 does have some notification about new network connections, and while I’m not entirely sure, I believe it will still work.