Sergey Nivens - Fotolia

How does the PoisonTap exploit bypass password locks on computers?

The PoisonTap exploit can bypass password locks on computers, enabling an attacker to remotely control systems. Expert Nick Lewis explains how the attack works.

PoisonTap, a new exploit tool developed by Samy Kamkar, has the ability to quickly install a backdoor onto computers, even if they have been locked with a strong password. The tool allows attackers to remotely control the computer user's web browser and network, as well as intercept the user's web traffic and authentication cookies. How does PoisonTap work, and why can't devices prevent it from bypassing the password locks?

Windows 95 introduced many advances for PCs -- one of them being the inclusion of Plug and Play (PnP) functionality for hardware device drivers and other platforms.

Prior to this, it was fairly difficult to install new hardware into a PC, and it required configuration. PnP automated this process and made it significantly easier, but many people were uneasy with automatic driver installation, and were concerned that it could become a security issue.

Windows has functionality for only installing drivers signed by developers to reduce the chance a malicious driver will be installed.

When a network driver is installed, it is often automatically configured via the Dynamic Host Configuration Protocol (DHCP) to make it easier for the user to configure the network settings. DHCP has also concerned some because its settings may be set by a malicious DHCP server.

The PoisonTap development from Samy Kamkar may make some enterprises reassess keeping PnP enabled. The attack works by plugging in a malicious USB device and using PnP to install a malicious driver for a network connection where the settings have been changed so that internet traffic passes through the USB device. All of this happens on the operating system automatically behind the scenes. This allows PoisonTap to set up a man-in-the-middle (MitM) attack.

PoisonTap can steal passwords, cookies and more if a user is logged in and has a web browser open. The attack works even if the user has the screen locked, as programs would keep running. While bypassing password locks is a serious threat, attackers in this case must have physical access to a computer to deliver PoisonTap, which lessens the danger.

Kamkar has several recommendations for how enterprises can secure their systems against PoisonTap. For the server side, always using HTTPS could provide some protection, but the MitM attack could also be extended to HTTPS connections.

On the endpoint, USB could be disabled, or a USB firewall could be used to provide protection against USB attacks. Enterprises could also disable PnP to prevent this attack, but this step would need to be tested, and the impact evaluated. 

Next Steps

Learn how to differentiate a security backdoor from a vulnerability

Find out how an Android backdoor was created with the Pork Explosion flaw

Read about the challenges faced with remote desktop USB redirection

Dig Deeper on Threat detection and response