Xann, Posted November 17, 2016 (edited)

Quote: Samy Kamkar just released his latest hacking creation, and it is terrifying. Dubbed “Poison Tap,” Kamkar’s new home brew device allows someone to plant a backdoor on a computer in just one minute, even when the device is locked. Kamkar’s method for installing the backdoor is unconventional and totally ingenious. Poison Tap targets the victim’s browser cache and injects the malicious code there. Traditionally, attacks would attempt to install malware onto the computer, but by instead going after the browser cache, Poison Tap can bypass some security measures and anti-virus software.
Gizmodo

I know that most VTers are sat alone in coffee shops busily writing novellas, comic operas and such. Can you really trust the barista with your laptop when you pop to the bog now?

The_Rev, Posted November 18, 2016

I suspect the main browsers will be looking to patch that even as we speak. Until they manage it then probably better off taking your laptop with you when you go for a piss at Starbucks.

Tegis (VT Supporter), Posted November 18, 2016

Problem number one here is letting someone have physical access to your device. That renders any security pretty obsolete.

MakemineVanilla, Posted November 18, 2016

12 hours ago, Xann said:
Gizmodo
I know that most VTers are sat alone in coffee shops busily writing novellas, comic operas and such. Can you really trust the barista with your laptop when you pop to the bog now?

Question is, if you are using Linux and it needs a password to mount the USB port, will it still work?

limpid (Administrator), Posted November 18, 2016

1 minute ago, MakemineVanilla said:
Question is, if you are using Linux and it needs a password to mount the USB port, will it still work?

Presumably this is exploiting "auto-run" when mounting a device, as it runs its payload as the logged-in user and has access to that user's files, including the browser cache. The exploit will be defeated by the browser encrypting or even just checksumming its cache. I don't think there is a standard mechanism for auto-run on mount for Linux. I think all distributions ask for your permission first (at least by default).

Daweii, Posted November 18, 2016

See, this sounds scary but it just isn't. The logistics of such a device make it incredibly limited. I mean, this isn't a USB stick, so you can't really perform a USB drop attack with it, meaning physical access to a device is required. Now that brings up the issue of how do you use this? In public, just sitting down at a random laptop that isn't yours may work, but likely isn't going to work most of the time. Is this more of a business attacking device? Perhaps, but you would have to choose your target wisely, as most places' network security would foil such an attack, provided that business even allows their employees to use USB drives, so the ports could be inactive. The form factor stops this being effective. Now, this tech condensed into a USB stick could be concerning, as then hackers could start mass producing these drives and dropping them all over the place. Though even then there are devices like USB Kill which fries the motherboard upon insertion, but no one uses them in a USB drop attack or in coffee shops either, so I'm just not sure the threat is there with this tech. It would be more effective as a USB stick in a standard USB stick sized format, as there are still people that will plug in lost and found USB sticks; fewer people, I hope, would plug in a weird looking credit card with a wire coming out of it.

blandy (Moderator), Posted November 18, 2016

4 hours ago, MakemineVanilla said:
Question is, if you are using Linux and it needs a password to mount the USB port, will it still work?

Yes
HTTPS, secure flag enabled on cookies and strict transport security protect websites against it, says the man who made it.

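The three site-side protections listed in the post above (HTTPS, the Secure flag on cookies, Strict Transport Security) can be checked from a site's response headers. The following is an added example, not part of the thread and not code from the Poison Tap author; the function names, finding labels and sample responses are constructed for illustration.

```python
# Added example: audit captured response headers for the three server-side
# mitigations named in the post above. All sample responses are constructed.

def parse_headers(raw):
    """Return a list of (lowercased-name, value) pairs from a raw header block."""
    pairs = []
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, or 0 if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age":
            val = val.strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def audit_response(scheme, raw_headers):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    headers = parse_headers(raw_headers)
    if scheme != "https":
        findings.append("not-https")
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:  # cookie would also be sent over plain HTTP
                findings.append("cookie-without-secure:" + cookie_name)
    # Browsers only honour HSTS received over HTTPS, so one sent over HTTP does not count.
    ages = [hsts_max_age(v) for n, v in headers if n == "strict-transport-security"]
    if scheme != "https" or not ages or ages[0] <= 0:
        findings.append("no-effective-hsts")
    return findings

WEAK = "Content-Type: text/html\nSet-Cookie: session=abc123; Path=/; HttpOnly\n"
HARDENED = ("Content-Type: text/html\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
            "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\n")

if __name__ == "__main__":
    print("weak:", audit_response("http", WEAK))
    print("hardened:", audit_response("https", HARDENED))
```
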
The_Rev, Posted November 21, 2016

I guess this explains why Apple keep removing ports from their devices then. Can't have you getting a virus now, can we?