
MacRumors

macrumors bot
Original poster



A developer has created a $5 device that can hack into screen-locked Macs and potentially other computers as long as a web browser is left running on the desktop.

Samy Kamkar made a YouTube video showing what happens when his creation hacks into a target computer. Called a "Poison Tap", the device runs on a Raspberry Pi Zero which plugs into a computer's USB port.


Once attached to the locked and password-protected Mac, it hijacks all web traffic by posing as a standard internet connection, after which it sets about siphoning and storing the user's HTTP cookies.

The attacker can then potentially use the stolen cookie data to access websites the user visited and log in as them without having to enter username and password information.

Speaking to the BBC, Trend Micro security researcher Rik Ferguson said the device was a plausible threat to users who frequently left their computer unattended.

> [In normal circumstances] Even when you are not using a web browser it is still making requests and communicating - due to updates or ads. Once the device is plugged in it exploits that communication and steals session cookies from the top one million websites.

Two-step verification would be susceptible to the same attack, explained Ferguson, because the device is able to intercept the cookies and pretend it is already in an open session. The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS.

Otherwise, the best solution is for users to ensure they close their browser every time they leave their Mac unattended, or else close it down completely.


Article Link: 'Poison Tap' USB Device Hijacks User Data From Screen-Locked Macs
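
What the HTTPS point above means for a site operator, as an added example that is not part of the original post: a cookie set without the `Secure` attribute is still attached to plain-HTTP requests, which is the traffic an interposed network device can read. The header values are constructed samples and the function names are hypothetical.

```python
# Added example (not from the article): audit response headers for cookies
# that a browser would also send over unencrypted HTTP.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attribute dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or 0 if absent or malformed."""
    for key, value in headers:
        if key.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            k, _, v = directive.strip().partition("=")
            if k.lower() == "max-age" and v.strip('"').isdigit():
                return int(v.strip('"'))
    return 0


def audit(headers):
    """Report cookies lacking Secure and whether the host declares HSTS."""
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    return {
        "sent_over_http": sorted(n for n, a in cookies if "secure" not in a),
        "hsts": hsts_max_age(headers) > 0,
    }


# Constructed samples: a weak configuration beside a corrected one.
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=9f2c; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=ab12; Path=/; Secure; SameSite=Strict"),
    ("Set-Cookie", "prefs=dark; Max-Age=86400"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=9f2c; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```

In the weak sample, `HttpOnly` on the session cookie does not help here: it restricts script access, not which requests carry the cookie.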
 
So basically this is nothing to worry about unless you have a habit of leaving your Mac unattended in a public area. I don't know about you, but I'm not leaving my MacBook unattended anywhere!

I'm not leaving my MacBook unattended while I go to the bathroom at Starbucks or anywhere else!
 
> So basically this is nothing to worry about unless you have a habit of leaving your Mac unattended in a public area. I don't know about you, but I'm not leaving my MacBook unattended anywhere!
>
> I'm not leaving my MacBook unattended while I go to the bathroom at Starbucks or anywhere else!

So in a work situation where desktops (Not portables) are left on all night? Sometimes the Mac is busy overnight rendering etc… cleaners come in… The way I see it there is potential for a problem.
 
It's quite interesting. That device can be camouflaged as a USB stick. Somehow get it into a victim's hands, and it'll start intercepting their traffic.
 
This exploit can also be used without a USB device attached to your computer. Don't forget. Your Mac can get infected in many different ways. Making it much more of an issue. More than what most people expect.
 
> So basically this is nothing to worry about unless you have a habit of leaving your Mac unattended in a public area. I don't know about you, but I'm not leaving my MacBook unattended anywhere!
>
> I'm not leaving my MacBook unattended while I go to the bathroom at Starbucks or anywhere else!


Not just that but you have to leave your browser open and running....
 
So, OS X (and other platforms) use a USB Wifi dongle/adapter automatically without user interaction [yes]? Sounds strange, but I've never used one of those. Still, the computer is not hacked or infected. It intercepts network traffic and if that is not encrypted, then it might be able to collect sensitive information or manipulate data being transferred. At least that's how I understand it based on the limited information provided. So, similar to using a free but unsafe wireless network (e.g. at the airport, a hotel or cafe) without VPN.

Update: More details on https://samy.pl/poisontap/

> by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device

Should be easy to fix then. OS X should not automatically start using an ethernet-over-USB device. Why not simply ask the user for confirmation?

Without USB, the same would be possible by just plugging such a network proxy into an ethernet port if the computer still has one.
 
Back in 2008 we began selling law enforcement a flash drive that will pull all kinds of fun information from Mac, Windows, and Linux systems. Things like all the passwords from your Keychain, web browsing history, mail history, message history, call history, location history, network history, and much more.

Funny how people get up in arms about stories like this when this tech has been available and used by law enforcement for many years. Ignorance is bliss.
 
The problem is that many companies (even those producing smartphone apps) have little knowledge of the OWASP Top 10. If they did then these hacks wouldn't ever work. HTTPS is not a guard against anything unless it's TLS 1.2 or more and even then it's subject to proxy-based man-in-the-middle attacks. This particular attack vector is interesting but hardly unique.
 
I wonder...I just took delivery of a Powerline Wi-Fi extender which sends the data through the powerlines within the house. Now that USB-C combines data and charging capabilities, I wonder if it would be possible to hack into a charging Mac through the power cable?

Anyone know?
 
"Two-step verification would be susceptible to the same attack, explained Ferguson, because the device is able to intercept the cookies and pretend it is already in an open session. The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS."

I'm confused. Wouldn't any two-step verification use encryption, as well as any website dealing in sensitive info like banks?
 
>The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS

So what's the big deal then? Pretty much all websites that can have sensitive data are encrypted.
 
Mac exploits require a certain modicum of stupidity in order to work.

Leaving your browser running on a screen-locked Mac is stupidity?
In this case your comment seems misplaced.
What is so stupid about leaving my screen locked Mac unattended?

Not being snarky, but I am curious why you think this.

I also take issue with his labeling this as "stupidity". Having said that, though, many (most?) users are unaware that a Mac with FileVault enabled is somewhat vulnerable while in screen-locked mode, especially if the guest account is enabled. For those with heightened security requirements, there are many hoops to jump through that are neither obvious nor intuitive.
> So basically this is nothing to worry about unless you have a habit of leaving your Mac unattended in a public area. I don't know about you, but I'm not leaving my MacBook unattended anywhere!
>
> I'm not leaving my MacBook unattended while I go to the bathroom at Starbucks or anywhere else!

What about leaving a screen-locked Mac momentarily unattended at work or at a client's office?
> Back in 2008 we began selling law enforcement a flash drive that will pull all kinds of fun information from Mac, Windows, and Linux systems. Things like all the passwords from your Keychain, web browsing history, mail history, message history, call history, location history, network history, and much more.
>
> Funny how people get up in arms about stories like this when this tech has been available and used by law enforcement for many years. Ignorance is bliss.

Will that work on a powered-down Mac with FileVault enabled?
 