Recently Samy Kamkar came out with a device called PoisonTap; a few months before that, Mubix was talking about getting credentials from a locked computer with the LAN Turtle.
Both these attacks exploit the same underlying issue, which is that most operating systems (Windows, Linux[1] and OS X) will automatically trust a USB network interface when it's attached and start sending data over it.
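Since the root problem is that the host silently brings up a USB network interface and starts talking on it, one thing a defender can do is at least notice when it happens. The following is an added example, not code from the original post or from either project: it scans syslog-style lines for a USB Ethernet driver registering a new interface and then DHCP activity on that interface within a short window, which is the signature of an automatically joined USB network. The log lines are constructed for this example (formats approximated from typical Linux kernel and dhclient output, not captured from a real machine), and the driver list and time window are assumptions you would tune for your own fleet.

```python
import re
from datetime import datetime

# Assumption: Linux USB network drivers whose interfaces we want to watch.
USB_NET_DRIVERS = {"cdc_ether", "rndis_host", "cdc_ncm", "asix", "r8152"}

# Constructed sample log (syslog timestamp, host, program, message).
SAMPLE_LOG = """\
Nov 20 09:14:01 laptop kernel: usb 1-1: new high-speed USB device number 7 using xhci_hcd
Nov 20 09:14:01 laptop kernel: cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 00:11:22:33:44:55
Nov 20 09:14:02 laptop dhclient[2231]: DHCPDISCOVER on usb0 to 255.255.255.255 port 67 interval 3
Nov 20 09:14:02 laptop dhclient[2231]: DHCPACK of 10.0.0.2 from 10.0.0.1
Nov 20 09:14:02 laptop dhclient[2231]: bound to 10.0.0.2 -- renewal in 300 seconds.
Nov 20 09:30:15 laptop kernel: usb 1-2: new full-speed USB device number 8 using xhci_hcd
Nov 20 09:30:15 laptop kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
"""

# "Nov 20 09:14:01 host <rest>"
TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# "kernel: <driver> <usb path> <iface>: register '<driver>' ..."
REGISTER_RE = re.compile(r"kernel: (\w+) \S+ (\w+): register '(\w+)'")
# "dhclient[pid]: DHCPDISCOVER on <iface> ..."
DHCP_RE = re.compile(r"dhclient\[\d+\]: DHCP\w+ on (\w+) ")


def parse_line(line):
    """Split a syslog line into (timestamp, message) or return None."""
    m = TS_RE.match(line)
    if not m:
        return None
    # Year-less syslog timestamps; fine for computing short deltas.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2)


def find_auto_joined_usb_networks(log_text, window_seconds=30):
    """Return [(iface, driver, seconds_until_dhcp)] for USB network
    interfaces that were registered and then began DHCP within the window.
    A mass-storage device or an interface that never does DHCP is ignored."""
    pending = {}  # iface -> (driver, time registered)
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        m = REGISTER_RE.search(msg)
        if m and m.group(1) in USB_NET_DRIVERS:
            pending[m.group(2)] = (m.group(1), ts)
            continue
        m = DHCP_RE.search(msg)
        if m and m.group(1) in pending:
            driver, t0 = pending.pop(m.group(1))
            delta = (ts - t0).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((m.group(1), driver, delta))
    return findings


if __name__ == "__main__":
    for iface, driver, delta in find_auto_joined_usb_networks(SAMPLE_LOG):
        print(f"ALERT: {iface} ({driver}) joined a network via DHCP "
              f"{delta:.0f}s after being plugged in")
```

On a real system you would feed this from `journalctl -k` plus your DHCP client's log (NetworkManager and systemd-networkd word their DHCP messages differently, so the `DHCP_RE` pattern would need adjusting), and correlate the alert with whether the session was locked at the time. It does not stop the attack, which is the point the rest of the post makes, but it turns a silent event into a logged one.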
I've been thinking a lot about how we as the IT Security Community can defend against these sorts of attacks.
The most obvious idea that springs to mind is to give the user some sort of popup, "New network detected, do you want to connect?", but there are a few issues with that.
The first is that it's a horrible user experience (UX), because 99.9% of the time the answer will be "Yes" ... "Why do you think I plugged in my USB 4G dongle if I didn't want to use it!?".
The second is that sometimes you need the network to start working before you can log in. A few years ago I worked at a high school where we used RADIUS to secure our WiFi. Students could connect with their domain credentials. We had shared laptops in the school library, but the laptops couldn't authenticate with the RADIUS server until students had logged in, and students couldn't log in to the laptops without a network. This will likely only get worse, with devices like Chromebooks and Windows 10 pushing Microsoft accounts pretty hard.
The defences that PoisonTap jokingly suggests for desktop security are funny but impractical, such as:
"Adding cement to your USB and Thunderbolt ports can be effective"
In the end I don't really think there is any good client side defence for these sorts of attacks. Instead I think it needs to be at the protocol level; we need to bake security in by default. Things like browser vendors saying they will only support HTTP/2 if it's encrypted.
We should demand encryption in any new protocol, and systems susceptible to passive monitoring should be treated as vulnerable and rejected. It might be a long and painful journey, but I can imagine an internet where all communications are secure by default.
I always thought it was disappointing that IPv6 didn't make encryption mandatory; it would have been great to have security built right in at the Internet layer.
-
[1] There are hundreds of distributions, but when I say "Linux" I mean mainstream distributions like Debian / Ubuntu / Red Hat / Fedora with their default settings.