2016-11-19

PoisonTap FUD

UPDATE 2016-11-20 16:30 UTC:
There's been a bunch of discussion on Twitter -- enough to make me re-evaluate my testing environment -- and, as Samy himself pointed out, there are reports through the GitHub project that it's working as expected for some people. I really wanted to see this work, and I still do. I'll post a separate follow-up and link to it at the end of this post when I get time to work out all the kinks.

Everyone freaked out this week when Samy released PoisonTap, a set of scripts that weaponizes a Raspberry Pi Zero to act like a network interface. It's loaded with a few JavaScript bits to become the default route and DNS server, then serve up cache-poisoned versions of websites in the background. It's billed as being able to hijack computers even if they're locked, as long as a browser is running in the background and has one of many targeted websites open.

My first thought? "This is completely unfair and evil. I LOVE IT!" Last night, I started the process of laying a fresh Raspbian Jessie Lite image out for my Raspberry Pi Zero. This morning, playtime began.

The first victim was, of course, OpenBSD. I happen to know that OpenBSD won't simply get a DHCP address and start using any random USB network interface you plug into it. You'd have to at least manually run dhclient first. OpenBSD is not vulnerable: the interface doesn't get an address, so it can't hijack our network traffic.

Certainly, Ubuntu would be vulnerable though, what with all its systemd and NetworkManager user-convenience-über-alles, right? As expected, NetworkManager displays a notification for a few seconds, and voilà, we have an IP address from DHCP for what appears to be a new wired Ethernet interface. Certainly Ubuntu will prefer this wired hard-line over the wireless I'm using in this laptop.

Nope. It doesn't hijack anything, but it's got some potential.

What about Windows? It's a non-starter. It can't even find a working driver.

A lot of the screen shots from the PoisonTap page seem to be from Mac OS X. So let's try it with my personal (still admin-capable) user account on my work laptop running OS X Sierra.

I'm sensing a pattern here.

I also tried on a few other systems I had kicking around at home, such as Arch Linux on my Raspberry Pi Zero Lapdock. The results were the same across the board: by default, very few systems even ask PoisonTap for a DHCP address without any user interaction, and none of them choose it as the default route or DNS server.
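The test above boils down to two questions on the victim host: did the new USB NIC become the interface the kernel actually uses for the default route (the default route with the lowest metric wins when several exist), and did its DHCP-supplied nameserver land in the resolver configuration? The following script is an added example, not part of the original post or of PoisonTap; it answers both questions from `ip -o route show default` output and `/etc/resolv.conf` text on a Linux host. The interface names, addresses and the `SAMPLE_*` inputs are constructed for the demonstration; the `enx...` name is the kernel's MAC-based naming for USB Ethernet devices.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether a freshly attached
# USB NIC has become the host's preferred default route or its resolver, which
# is the condition PoisonTap needs. Route and resolv.conf text are passed in
# as strings so the logic runs offline on constructed samples; on a live Linux
# host you would feed it "$(ip -o route show default)" and
# "$(cat /etc/resolv.conf)".

# Print the interface the kernel will actually use for 0.0.0.0/0: the default
# route with the lowest metric (a route without a metric counts as 0).
winning_default_iface() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            dev = ""; metric = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }'
}

# Return 0 when the winning default route sits on one of the trusted
# interfaces ("$1", space separated), 1 otherwise.
default_route_is_trusted() {
    trusted="$1"
    dev=$(winning_default_iface "$2")
    for t in $trusted; do
        [ "$t" = "$dev" ] && return 0
    done
    return 1
}

# Print every nameserver in resolv.conf text ("$2") that is not in the
# trusted list ("$1", space separated).
untrusted_nameservers() {
    printf '%s\n' "$2" | awk -v trusted="$1" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# Constructed sample: the laptop's Wi-Fi default route (metric 600) next to a
# second default route learned over a USB NIC with a lower metric, so the USB
# path wins. Addresses and interface names are made up for the example.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default via 10.0.0.1 dev enx001122334455 proto dhcp metric 100'
SAMPLE_RESOLV='# constructed resolv.conf
nameserver 192.168.1.1
nameserver 10.0.0.1'

if default_route_is_trusted "wlan0 eth0" "$SAMPLE_ROUTES"; then
    echo "default route OK: $(winning_default_iface "$SAMPLE_ROUTES")"
else
    echo "WARNING: default route moved to $(winning_default_iface "$SAMPLE_ROUTES")"
fi
for ns in $(untrusted_nameservers "192.168.1.1 8.8.8.8" "$SAMPLE_RESOLV"); do
    echo "WARNING: unexpected nameserver $ns"
done
```

Run on one of the machines in the post right after plugging the Pi in, the first branch is what the author observed on Ubuntu: a new interface with a DHCP lease, but the default route still on the wireless adapter. The second branch and the nameserver warning are what a successful hijack would look like.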

There may be certain configurations or cases where PoisonTap works like magic, but I couldn't find any solid examples in my lab at home. Most people shouldn't be scared of PoisonTap.

I'm calling FUD
