Author Topic: Attack against locked computers uses USB and emulation of network adapters


Offline cdev (Topic starter)

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
Wow, this is pretty scary.

I wonder how well using manual addressing (not DHCP) protects you.

Maybe hardware should not come pre-configured to use DHCP, and should not automatically load drivers and see a network there when presented with a USB NIC's USB ID.

Good luck with that!  Convenience rules these days.
« Last Edit: January 02, 2017, 10:07:26 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11787
  • Country: us
    • Personal site
Any hardware with physical access is vulnerable and basically impossible to protect.

External Firewire devices have (had?) full DMA access to the computer memory. All physical ports can be exploited in one way or the other.
Alex
 

Offline RGB255_0_0

  • Frequent Contributor
  • **
  • Posts: 772
  • Country: gb
If you're working in tech support at all and DHCP were disabled as standard for USB devices (this can include mini PCIe adapters, since they often use a USB interface), then you would quit your job and work for McDonald's.
Your toaster just set fire to an African child over TCP.
 

Online ataradov

  • Super Contributor
  • ***
  • Posts: 11787
  • Country: us
    • Personal site
BTW, I don't see how different this is from connecting a rogue Ethernet device. The same exact thing will happen.

USB may be a bit more convenient, since it is available on the front panel in many cases, but otherwise, there is no difference at all.
Alex
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Quote
BTW, I don't see how different this is from connecting a rogue Ethernet device. The same exact thing will happen.

USB may be a bit more convenient, since it is available on the front panel in many cases, but otherwise, there is no difference at all.

agree, once you have physical access you can simply do the same attack via ethernet.
 

Offline timb

  • Super Contributor
  • ***
  • Posts: 2536
  • Country: us
  • Pretentiously Posting Polysyllabic Prose
    • timb.us
Very misleading article title... It doesn't really "break into" the computer. Basically, all it can do is grab your cookies. Big deal.

Also, there's an easy fix (in OS X at least): Make sure your main network device (Ethernet or Wireless) is dragged to the top of the priority list (this is the default) in your network settings. That way, when this "PoisonTap" is plugged in, the system won't try to route internet traffic across it.

The hack is also dependent on you having a website open that's making Ajax requests or refreshing iFrames. On OS X, by default when your system is locked, Safari suspends all web processes, so I'm not even sure this would work... (Now if they attached it and somehow hid the device, it would work as soon as you unlocked the machine.)

This "hack" is dependent on *a lot* of very specific circumstances.
Any sufficiently advanced technology is indistinguishable from magic; e.g., Cheez Whiz, Hot Dogs and RF.
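An added example to go with the interface-priority advice above (this is not code from the thread or from any project it mentions): a small audit of an IPv4 routing table that flags any route leading over a USB-attached NIC beyond that NIC's own link, and a lookup that shows which interface the kernel would actually pick for a given destination. The point it demonstrates is that interface priority only breaks ties between equally specific routes; a more specific route handed out over a USB adapter wins regardless of metric, so a priority list alone is not a complete check. The input format (lines shaped like `ip -o -4 route` on Linux), the sysfs lookup in `bus_of`, and all sample routes are assumptions and constructed data.

```python
"""Audit an IPv4 routing table for routes that would carry traffic over a
USB-attached network adapter.

Added example for this thread; not code from the thread or from any project
it mentions. The input format (lines shaped like `ip -o -4 route`) and the
sysfs lookup are assumptions about a Linux host.
"""
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two NICs, eth0 on PCI and usb0 on USB. usb0 has a worse
# (higher) metric, yet carries a default route and a broad 10/8 route.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42 metric 100
default via 10.5.0.1 dev usb0 proto dhcp metric 600
10.0.0.0/8 via 10.5.0.1 dev usb0 proto dhcp metric 600
10.5.0.0/24 dev usb0 proto kernel scope link src 10.5.0.10 metric 600
"""
# Constructed bus mapping standing in for /sys/class/net/<dev>/device.
SAMPLE_BUS = {"eth0": "pci", "usb0": "usb"}


@dataclass
class Route:
    dst: ipaddress.IPv4Network   # "default" is stored as 0.0.0.0/0
    via: Optional[str]           # next hop, None for on-link routes
    dev: str
    metric: int
    proto: str


def parse_routes(text: str) -> List[Route]:
    """Parse `ip -o -4 route`-style lines into Route records."""
    routes: List[Route] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        # Remaining tokens come in key/value pairs: "via X", "dev Y", "metric N", ...
        fields = dict(zip(tok[1::2], tok[2::2]))
        routes.append(Route(ipaddress.ip_network(dst, strict=False),
                            fields.get("via"), fields["dev"],
                            int(fields.get("metric", 0)), fields.get("proto", "")))
    return routes


def bus_of(dev: str, bus_by_dev: Optional[Dict[str, str]] = None) -> str:
    """Return the bus a NIC sits on; on Linux this follows the sysfs symlink."""
    if bus_by_dev is not None:
        return bus_by_dev.get(dev, "unknown")
    path = os.path.realpath(f"/sys/class/net/{dev}/device")
    return "usb" if "/usb" in path else "other"


def effective_device(routes: List[Route], ip: str) -> Optional[str]:
    """Pick the interface the kernel would use: longest prefix first,
    lowest metric only as a tie-break among equally specific routes."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.dst]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.dst.prefixlen, -r.metric))
    return best.dev


def audit(routes: List[Route],
          bus_by_dev: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Flag every route on a USB NIC that reaches beyond that NIC's own link."""
    findings: List[Tuple[str, str]] = []
    for dev in sorted({r.dev for r in routes}):
        if bus_of(dev, bus_by_dev) != "usb":
            continue
        # The on-link route (no next hop) defines how far the NIC should reach.
        link_len = max((r.dst.prefixlen for r in routes
                        if r.dev == dev and r.via is None), default=32)
        for r in routes:
            if r.dev == dev and r.dst.prefixlen < link_len:
                findings.append((dev, str(r.dst)))
    return findings


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTES)
    for dev, dst in audit(table, SAMPLE_BUS):
        print(f"WARNING: {dev} (USB) carries route {dst} beyond its own link")
    for probe in ("8.8.8.8", "10.1.2.3"):
        print(f"traffic to {probe} would leave via {effective_device(table, probe)}")
```

On a real host, feed `parse_routes` the output of `ip -o -4 route` and call `audit(table)` without the mapping so `bus_of` reads sysfs. In the constructed sample, general internet traffic still leaves via eth0 because of its better metric, but anything inside 10.0.0.0/8 goes out over usb0, which is exactly the case a priority list does not catch.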
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
With Windows it's not too hard to disable certain USB classes of devices as well, so the machine won't even accept the plugged in device. This is all centrally managed with Group Policy.
Really dumb mistakes? Leaving unused Ethernet ports connected and live, or having ones in public areas like waiting rooms part of the general internal VLAN.

 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
This "hack" is dependent on *a lot* of very specific circumstances.

agree, just a big noise for nothing ;) but usually that's the case with most of the discovered vulnerabilities.
 

Online Halcyon

  • Global Moderator
  • *****
  • Posts: 6015
  • Country: au
Quote
Really dumb mistakes? Leaving unused Ethernet ports connected and live

I don't have that problem on my desktop machine anymore. Lightning took out one of them.  :rant:
 

Offline rrinker

  • Super Contributor
  • ***
  • Posts: 2046
  • Country: us
:-DD

I meant wall jacks though. My company has a security team that will do pen tests and the like for clients. One time they walked into the place, told the receptionist they were there to see so-and-so, whom they knew would not be available for some time, and the receptionist showed him to a waiting/conference area off to the side. He saw some network jacks, plugged in, and lo and behold had access to not only the workstation VLAN for the company, but the server VLAN as well. He then proceeded to generate spoofed emails to the CIO and other tech people saying "I'm in your building. Try to find me".

Of course a while back we hired one of those companies that does a fake phishing attack as a test of your employee awareness. Despite being a technical company with PLENTY of awareness on this sort of thing, we failed miserably. Every one of us on the technical services side questioned the suspicious emails and no one clicked on them; unfortunately we have a large cadre of sales and marketing types also....

 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16381
  • Country: za
« Reply #10 on: January 03, 2017, 08:01:51 pm »
Time to do a group policy change that locks out local admin on those machines then. Needs a hard hand from the CTO to ensure that any relaxation will only be done to a specific request, and will be reinstated on next boot.
 

Offline julian1

  • Frequent Contributor
  • **
  • Posts: 771
  • Country: au
« Reply #11 on: January 03, 2017, 08:55:40 pm »
Quote
Basically, all it can do is grab your cookies.

Stealing session cookies to a user's banking sites, email etc. is a big deal. But it is not possible in this scenario when all of the cookie exchange is done over SSL/HTTPS and is not exposed in the network traffic. Otherwise anyone with access to the network switches and routers could also sniff them.

Sniffing SSL traffic can be done, but requires inserting compromised browser keys on the user's OS. It may happen when the organization wishing to snoop on an employee's traffic is also responsible for preparing the corporate OS images.

The most obvious compromise when there is physical control over a machine is usually to pull the hard drive out and make a copy of it. Unless the user is using drive encryption (LUKS), everything is up for grabs (including site session cookies).
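An added example to go with the point above about cookies only being safe when they never travel in the clear (this is not code from the thread or from any project it mentions): a check of Set-Cookie headers for the attributes that decide whether a session cookie is ever sent over plain HTTP. The Secure attribute is the one that matters for a rogue network device, since without it the browser will attach the cookie to any http:// request for the site; HttpOnly, SameSite and the __Host- prefix rules are included as the usual companion checks. All header values are constructed samples.

```python
"""Check Set-Cookie headers for the attributes that keep a session cookie off
plain-HTTP connections.

Added example for this thread; not code from the thread or from any project
it mentions. The header strings below are constructed samples.
"""
from typing import Dict, List, Tuple

SAMPLE_HEADERS = [
    # Constructed: a session cookie with no Secure flag; the browser would
    # send it on any http:// request for the site, where a device on the
    # path could read it.
    "sessionid=constructed-value-1; Path=/; HttpOnly",
    # Constructed: the same cookie done properly; the __Host- prefix makes the
    # browser itself refuse it unless Secure and Path=/ are present.
    "__Host-session=constructed-value-2; Path=/; Secure; HttpOnly; SameSite=Lax",
    # Constructed: a non-sensitive preference cookie with Secure only.
    "theme=dark; Path=/; Secure",
]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> Tuple[str, List[str]]:
    """Return the cookie name and the list of problems found with it."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if "secure" not in attrs:
        problems.append("no Secure: cookie is sent over plain HTTP too")
    if "httponly" not in attrs:
        problems.append("no HttpOnly: readable by page scripts")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: sent on cross-site requests")
    if name.startswith("__Host-"):
        # Browsers enforce these; reporting them catches servers that emit a
        # prefixed cookie the browser will silently drop.
        if "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs:
            problems.append("__Host- prefix requires Secure, Path=/ and no Domain")
    return name, problems


def audit_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Audit many Set-Cookie headers; only cookies with problems are returned."""
    report: Dict[str, List[str]] = {}
    for h in headers:
        name, problems = audit_cookie(h)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    for name, problems in audit_cookies(SAMPLE_HEADERS).items():
        print(name)
        for p in problems:
            print("  -", p)
```

To use it on a real site, collect the Set-Cookie response headers (for example from a browser's developer tools or a captured response) and pass them as the list. Only the cookie that carries the session needs every check to pass; the preference cookie in the sample is reported too, but nothing sensitive rides on it.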
 

Offline cdev (Topic starter)

  • Super Contributor
  • ***
  • !
  • Posts: 7350
  • Country: 00
« Reply #12 on: January 03, 2017, 10:14:14 pm »
This is a rogue USB device that pretends to be the net by pretending to be a network device, and that's how it grabs your cookies (it is alleged to grab the cookies from the top 1 million Alexa sites)... even if you think your machine is locked.

There are companies that sell devices that completely compromise all SSL traffic.
« Last Edit: January 03, 2017, 10:26:01 pm by cdev »
"What the large print giveth, the small print taketh away."
 

Offline TheDane

  • Regular Contributor
  • *
  • Posts: 209
  • Country: dk
« Reply #13 on: January 04, 2017, 12:08:26 pm »
YouTube has a channel called 'Hak5' that has quite a lot on the issue, both the exploit side and how to protect yourself. Check it out if you're into (or really hate) this thing.
https://www.youtube.com/results?search_query=hak5
https://www.youtube.com/user/Hak5Darren

Quite recommended, a great show too with lots of other fun stuff (Drones, Electronics in general, Software, etc).
Their sister channel 'TekThing' features a lot of new stuff on the market, so get your technolust flowing  :popcorn:
 
