The sad thing for me is that for years in "spy" movies and action movies the hero (or villain) would go into an office or a house or something, plug in a USB device and "boom!" own the machine. I took some comfort that this wasn't really possible, and then this happens.
Wow! I'm super impressed by what Samy Kamkar managed to pull off.
Let's discuss mitigation on Linux because I don't want to cement the USB ports on my shiny new laptop just yet.

Some suggestions:

* When the GUI is locked, activating new USB devices or even activating a connection via a cable to the Ethernet port should be delayed until it is unlocked and (optionally) the user confirms that it's ok.

* New unknown network devices should require confirmation.

* A network interface that announces a subnet larger than /24 or /16 (for IPv4) should require a confirmation by the user.

What scripts and hooks are being called whenever there is a change to USB and networking? That would be the place to start. Can there be a /etc/udev/rules.d/ rule that matches all devices?
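One way to build the "hold new USB devices while the screen is locked" policy from the comment above, as an added example (not code from the thread, from PoisonTap, or from any distribution). It relies on the Linux kernel's USB authorization interface: each host controller exposes `authorized_default` under /sys/bus/usb/devices/usbN/, and each device exposes `authorized`; with the default set to 0 a newly attached device is enumerated but left unconfigured until something writes 1 to its `authorized` file. A udev rule matching every USB add event then runs this helper, for example `ACTION=="add", SUBSYSTEM=="usb", RUN+="/usr/local/bin/usb-gate.py"` (the install path is a placeholder). The lock check via `loginctl ... -p LockedHint` is an assumption about the desktop setup and fails closed; `demo()` exercises the logic against a constructed fake sysfs tree so it can run without hardware or root.

```python
import os
import pathlib
import subprocess
import sys
import tempfile


def set_default_deny(sysfs_root):
    """Ask every USB host controller to leave newly attached devices
    unconfigured (authorized_default = 0). Returns the controllers touched.
    Meant to run once early at boot (how it is started is left open here)."""
    touched = []
    for attr in sorted(sysfs_root.glob("bus/usb/devices/usb*/authorized_default")):
        attr.write_text("0")
        touched.append(attr.parent.name)
    return touched


def session_locked():
    """Assumed lock check: logind's LockedHint for every session.
    Fails closed (reports locked) if loginctl is missing or errors."""
    try:
        sessions = subprocess.run(["loginctl", "list-sessions", "--no-legend"],
                                  capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return True
    for line in sessions.splitlines():
        sid = line.split()[0]
        hint = subprocess.run(["loginctl", "show-session", sid, "-p", "LockedHint", "--value"],
                              capture_output=True, text=True).stdout.strip()
        if hint == "no":
            return False
    return True


def gate_device(sysfs_root, devpath, locked):
    """Decide for one udev 'add' event (udev passes the sysfs path in DEVPATH).
    With authorized_default=0 the device sits unconfigured until 1 is written
    to its 'authorized' file, so 'held' means no driver has bound to it."""
    attr = sysfs_root / devpath.lstrip("/") / "authorized"
    if not attr.is_file():
        return "skipped"          # not a USB device/interface node
    if locked:
        return "held"             # leave it for the user to confirm after unlock
    attr.write_text("1")
    return "authorized"


def demo():
    """Exercise the policy against a constructed fake sysfs tree (no hardware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        hub = root / "bus/usb/devices/usb1"
        hub.mkdir(parents=True)
        (hub / "authorized_default").write_text("1")
        devpath = "/devices/pci0000:00/0000:00:14.0/usb1/1-3"   # made-up device path
        dev = root / devpath.lstrip("/")
        dev.mkdir(parents=True)
        (dev / "authorized").write_text("0")                    # what the kernel shows after default-deny
        results = {"controllers": set_default_deny(root)}
        results["locked"] = gate_device(root, devpath, locked=True)
        results["held_value"] = (dev / "authorized").read_text()
        results["unlocked"] = gate_device(root, devpath, locked=False)
        results["final_value"] = (dev / "authorized").read_text()
        results["missing"] = gate_device(root, "/devices/virtual/misc/nothing", locked=False)
        return results


if __name__ == "__main__":
    root = pathlib.Path("/sys")
    if "--default-deny" in sys.argv:
        print("default-deny set on", set_default_deny(root))
    elif "DEVPATH" in os.environ:                    # invoked from the udev rule
        print(gate_device(root, os.environ["DEVPATH"], session_locked()))
    else:
        print(demo())
```

The order matters: `set_default_deny` has to run before the device shows up, because a udev RUN helper fires after the kernel has already parsed the descriptors and bound a driver. Releasing a held device later is the same one-byte write of "1" to its `authorized` file, which is where a confirmation prompt would hook in.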
If you put it into a smaller form factor such as USB sticks and drop them in the parking lot, you'll have a decent chance of getting inside that company. If you could make it very small then it could hide inside an iPhone charging cable, for example, which looks completely harmless from the outside.
The crazy thing is I knew about all of these technologies separately, but never would have guessed that this was possible. I knew my laptop prefers Ethernet. I knew an Ethernet-connected device could serve DHCP. I knew DHCP could provide DNS servers, and that the DNS servers could resolve to whatever they want. I knew if you could pwn DNS you could pretend to be another website, and sideload whatever other sites you want. I knew you could tell a browser via HTTP cache headers to cache something forever.

None of these technologies are remotely new. This has been sitting under everyone's noses for a long, long time. I wonder how long this basic idea has existed in secret.
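The DHCP step of that chain is the one a client could sanity-check before applying the lease, which is what the earlier suggestion about subnets broader than /16 asks for. As an added example (not PoisonTap's code and not from the thread), this builds two constructed DHCPOFFERs, parses the options field, and flags a subnet mask or RFC 3442 classless static route that would put more than a /16 on the rogue link. The /16 threshold is taken from the earlier comment; the addresses are made up.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 cookie that starts the options field
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_MSG_TYPE, OPT_CLASSLESS_ROUTES, OPT_END, OPT_PAD = 53, 121, 255, 0


def build_offer(yiaddr, mask, router, dns, static_routes=()):
    """Assemble a minimal DHCPOFFER. Constructed test input, not a real capture."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                 # BOOTREPLY, Ethernet, 6-byte hwaddr
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytearray([OPT_MSG_TYPE, 1, 2])           # message type 2 = OFFER
    opts += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address(mask).packed
    opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    dns_packed = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_packed)]) + dns_packed
    if static_routes:                                # RFC 3442 classless static routes
        body = bytearray()
        for net, gw in static_routes:
            n = ipaddress.IPv4Network(net)
            sig = (n.prefixlen + 7) // 8             # only the significant octets are sent
            body += bytes([n.prefixlen]) + n.network_address.packed[:sig]
            body += ipaddress.IPv4Address(gw).packed
        opts += bytes([OPT_CLASSLESS_ROUTES, len(body)]) + body
    opts.append(OPT_END)
    return bytes(hdr) + MAGIC_COOKIE + bytes(opts)


def parse_options(packet):
    """Return {code: raw value} for the TLV options after the magic cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = bytes(packet[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def parse_classless_routes(data):
    """Decode option 121: (prefix length, significant octets, gateway) triples."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        sig = (width + 7) // 8
        net_bytes = data[i + 1:i + 1 + sig] + b"\x00" * (4 - sig)
        gw = ipaddress.IPv4Address(data[i + 1 + sig:i + 5 + sig])
        routes.append((ipaddress.IPv4Network((net_bytes, width)), gw))
        i += 1 + sig + 4
    return routes


def assess_offer(packet, max_breadth=16):
    """List what a user should confirm before the lease is applied.
    max_breadth=16 is the /16 threshold from the thread; an empty list
    means the offer looks like an ordinary LAN lease."""
    opts = parse_options(packet)
    findings = []
    mask = ipaddress.IPv4Address(opts[OPT_SUBNET_MASK])
    prefixlen = ipaddress.IPv4Network(("0.0.0.0", str(mask))).prefixlen
    if prefixlen < max_breadth:
        findings.append(f"on-link subnet is /{prefixlen} (mask {mask}): "
                        f"most of the Internet would be treated as local")
    for net, gw in parse_classless_routes(opts.get(OPT_CLASSLESS_ROUTES, b"")):
        if net.prefixlen < max_breadth:
            findings.append(f"static route {net} via {gw} is broader than /{max_breadth}")
    return findings


# Constructed samples: a home-router style lease, and one that claims the
# whole IPv4 space is on-link, the kind of announcement the thread wants flagged.
NORMAL_OFFER = build_offer("192.168.1.20", "255.255.255.0", "192.168.1.1", ["192.168.1.1"])
GREEDY_OFFER = build_offer("10.0.0.2", "0.0.0.0", "10.0.0.1", ["10.0.0.1"],
                           static_routes=[("0.0.0.0/1", "10.0.0.1"),
                                          ("128.0.0.0/1", "10.0.0.1")])

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_OFFER), ("greedy", GREEDY_OFFER)):
        print(name, assess_offer(pkt) or "no findings")
```

The check only covers the DHCP half; a /24 lease whose DNS server (option 6) is the rogue box still hands it every hostname lookup, which is why the thread's other suggestion, confirming any new network interface while the screen is locked, is the one that actually closes the hole.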
There are better details on this web page for the vulnerability, apparently it affects Mac, Windows, Linux computers with default configs:

https://samy.pl/poisontap/
Mainstream OSes and desktop environments (and not just Qubes and people with extra software installed) should really adopt the ask-before-using-USB-devices policy.

If you connected this to a Qubes computer nothing would happen, except a popup behind the lock screen asking for permission. But you could also generally forbid USB network controllers, for example.
This is interesting, though it looks a bit like an "attacker might replace explorer.exe" type of vulnerability: if you can physically access a device, you're already in; just like you need to be admin or root to replace system binaries, meaning pwnage long before executables are replaced.
This seems like it would be noticed quickly if access to the internet stops working.
Can it proxy intercepted traffic to the real internet?
Does the raspberry pi need its own internet connection in order to act as a proxy, or can it get a real internet connection via the host device somehow?
You could accomplish the same thing by plugging in an Ethernet cable that ran traffic through a malicious reverse proxy. The difference here is that the USB device presents itself as an Ethernet device.
I'm staring at my Mac now and wondering if my Little Snitch will prevent this type of hijacking. I expect the firewall to ask me how to treat a new interface before sending packets there.