The only way to guard against such an attack would be for websites to use an encrypted connection such as HTTPS.

So... Gmail, Outlook, PayPal, Amazon, iTunes/Apple Pay, Facebook, etc. is out.

Who cares?

You shouldn't type any password, any personal information or your credit card account over HTTP, full stop.

This is a complete non issue, and sites like MacRumors should follow their recommendation and use HTTPS.
I wonder...I just took delivery of a Powerline Wi-Fi extender which sends the data through the powerlines within the house. Now that USB-C combines data and charging capabilities, I wonder if it would be possible to hack into a charging Mac through the power cable?

Anyone know?

There's no power cable.

If you see a strange network adapter, then don't be stupid.
 
So... Gmail, Outlook, PayPal, Amazon, iTunes/Apple Pay, Facebook, etc. is out.


Desktop Security
  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up

https://samy.pl/poisontap/

Regardless, I believe the only way to truly secure your FileVault-enabled Mac is to power it down.
 
Desktop Security
  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up

https://samy.pl/poisontap/

Regardless, I believe the only way to truly secure your FileVault-enabled Mac is to power it down.


Or...

Don't be a dumbass and don't plug stupid things to your computer you don't know what they are.
 
Everything is https now

 
So this doesn't mention FileVault, should I assume this has any effect? Because resetting and bypassing a non-FileVault admin password in OS X to get full access is trivial in the first place.
 
Even if you patch this, someone could just as easily make an "Ethernet tap" (also known as a hub or a managed switch with port mirroring enabled) that they plug into the Ethernet cable your computer is using to connect to the internet... (the one connected to your wifi access point or directly to your mac).

Or if it is an open wifi network (or one with weak encryption), you can just connect, arp spoof the gateway, and get the unencrypted traffic in much the same way...
 
Uh, no. You don't report a release of Photoshop as "Adobe has created a $2000 device for editing pictures," so why do you say this? The $5 Raspberry Pi Zero is an existing (and rather ingenious) $5 Linux-based computer. To which the developer has attached a USB cable and written some software.

So it is what is becoming a typical story on here.
 
Why would data be sent over this poison trap if the network service order prioritized existing connections? Even if it pretends to be a legitimate network connection, why would the OS switch to using it over an existing connection? This sounds like one of those narrowly applicable exploits.
 
Will that work on a powered-down Mac with FileVault enabled?

Nope. For that we go another route and break FileVault in a couple hours max. But really, in this day there's no need for that as we can just get your info or login elsewhere.
Too bad we can't get something like Disk Arbitrator (https://github.com/aburgh/Disk-Arbitrator) for all USB devices. Even more amazing would be a function that turns it on automatically when the mac sleeps.

Why is there any need for this software? Disk Arbitration is a function core to OS X. Simply disabling it will write block without the need for this software (just don't restart without re-enabling it or you'll have fun issues).

I'd go with one of the approved forensic methods rather than this random Github project if I were trying to keep things forensically sound.
 
Leaving your browser running on a screen-locked Mac is stupidity?

I also take issue with his labeling this as "stupidity". Having said that, though, many (most?) users are unaware that a Mac with FileVault enabled is somewhat vulnerable while in screen-locked mode, especially if the guest account is enabled. For those with heightened security requirements, there are many hoops to jump through that are neither obvious nor intuitive.

What about leaving a screen-locked Mac momentarily unattended at work or at a client's office?

Will that work on a powered-down Mac with FileVault enabled?
Easily avoided.
Turn on FileVault.
Close the lid of your laptop when you walk away from your desk.
Your machine will go into encrypted sleep mode, where a key is required to decrypt memory.
Until you enter the password your browser will not make requests, even if someone raises the lid.

This protective measure is mentioned on the page describing the device. https://samy.pl/poisontap/
 
Easily avoided.
Turn on FileVault.
Close the lid of your laptop when you walk away from your desk.
Your machine will go into encrypted sleep mode, where a key is required to decrypt memory.
Until you enter the password your browser will not make requests, even if someone raises the lid.

This protective measure is mentioned on the page describing the device. https://samy.pl/poisontap/
That is not a 100% effective counter measurement. Yes. It won't do anything when the computer is left unattended, but as soon as you type your password and launch your browser... it can act in the background. Like I said. This issue can go further, do more harm, than what most people here seem to believe.
 
This is the same risk that you're getting when you're connecting through questionable Wi-Fi hotspots. Or even wiretapping by your ISP for that matter.

TL;DR: Nothing new.

Well, this sounded quite concerning until I got to where it says it doesn't work for https connections. Still somewhat worrying though.


What exactly is stupid about leaving your computer locked with a browser open?
 