Interesting, and clever. Good to see you back making videos.
Hi LPL 👋🏼
hold up
So you're telling me THE LockPickingLawyer has an interest in ethical hacking too? How cool can one man possibly be?!?
Hello there
Get the hell outta here LPL and stick to locks not computers
Instructions too clear, cement stuck in USB ports.
Happens to all of us
Samy Kamkar btw, how long does it take on average to install the back door?
Samy Kamkar What is cement, link?
Knife Boss literally cement
xxXSalty_Viper420Xxx Oh lol
Rad. Definitely prime for the Mr. Robot Season 3 arsenal. These are the uploads Kor Adana lives for.
I feel scared just watching your videos in case you're exploiting through TH-cam LOL. Thanks for your videos, you inspire me to learn more
Like I would visit your website after this video. LOL
Time to smash my MacBook and move to a log cabin in the woods
lol xD because it's funny. I understand the sentiment
Instead of just chaining your laptop to the desk, we need another lock panel to cover its USB ports while gone. Easy. Easier than the woods.
Good idea, but such a device can work via Bluetooth too, and if your laptop's BT is already on and active then it's still vulnerable!
Nah, just don't leave the house and sleep on top of it.
+dadautube
Can they access your bluetooth when they can't get past the lock screen of your computer or access to ports? I don't use bluetooth much at all, but it always requires approval from both systems, right?
Your videos are always amazing and a source of inspiration, thanks a lot
Thanks, happy to share them!
By inspiration I think he means illegal things
The cement link on the description killed me hahaha
Great video mate, very nice idea! Maybe you could step it up a notch and perform a full own of the victim box using a set of predefined exploits and automated attacks?
4:35 "To protect the client machine, I suggest adding cement to all your USB ports" LOL
Samy's like an eclipse, he doesn't show too often, but when he does... IT'S EPIC!
He's alive! :D
I have no idea what any of this means but it sounds cool as hell.
Fantastic project! Now we only need to get one of the super rare raspberry pi zeros.
Got mine a few weeks ago. $0.99 haha, $1.05 after tax.
Joshua Golembiewski Did you also buy a GTX1080 for $9.99?
No, but from the same place I got a GTX 970 for 310 like a year ago :p
Microcenter?
Yup, Microcenter haha
Thumbs up for not only showing and explaining the exploit, but also explaining how to defend against it.
YESS I KNEW THE SILENCE MEANT SOMETHING AMAZING WAS COMING!!! Samy, is this your job? If not how do you have the time/money for this?
Woot! Not my job, I just enjoy security so spend a lot of time learning and trying things.
Samy Kamkar Ah ok. You are very inspirational! Makes me want to tinker with stuff.
Wow, browsers still make HTTP requests when you're locked.
Of course. How would a browser know that the computer is locked? If it did know that, I'd be far more concerned, as that'd be very bad design.
Z3rd4, System Power Management Events? That's for battery levels or a change in power source, wrong link perhaps?
Does it still work?
Dude, I had no clue you were the MySpace guy, this is awesome.
Woot
Don't cement your USB ports, buy the newest MacBook.
Chamaloche Hahahahhaaha :D
Nice try, Apple.
Next time people complain about the newest Macbook, show them this video..
USB-C still works for this
Even an iPhone can be accessed when the screen is locked, a similar exploit.
"I filled every orifice of my body with wacky glue" -Carl
Very good content, I'm actually impressed by an actual channel that deeply covers these subjects. Subbed.
99,999 subscribers? I've been waiting my whole life for this...
*subscribe*
Damn very impressive. He also has a write up in the description, which is useful because the video is a little dense.
That animation for the poisontap page is incredible
this video was worth the wait
are there more coming?
Going to try to come up with some new stuff...any ideas?
Is it possible to tap into wireless cameras or SSTV?
Good question. Many wireless cameras are IP based and provide web interfaces with default credentials...maybe I'll see if I can find a fun bypass to one of them.
You should also try out SSTV. All you need is a radio and a computer; you can get a USB radio nowadays.
but I'm talking about doing it for yourself
I wanted to protect my PC from such an attack so I stuck Sugru to all USB ports, now I can't plug my keyboard and mouse back in. Help!
LOL you're screwed
Captain Chicken nah. Break out the soldering wick and remove the old ports, then put in new ones. Easy peasy...
Ross Potts But I need my keyboard to import soldering header files and declare the USBport.change() function. I'm doomed!
Atristiel ?
+Ross Potts it's a joke.
He's back! Great video once again Samy! This is so cool! Definitely going to get my hands on a Pi Zero to try this out.
I've been waiting forever.... Finally!
so the discussion here is all about construction worker skills :p
great work Samy
Yo Samy, great to see that you're making videos again, man.
Welcome back Samy ;) it was getting quiet with you gone for so long
Thanks!
Finally you are back!! Welcome back, great video!
Thanks!!
You're unironically my hero.
FINALLY i have been waiting far too long for another amazing video of yours!
This dude is dangerous! I respect that you got the balls to put this type of stuff on youtube.
I love how this would work on any OS. Though I'm not so sure you're going to be session jacking any major sites with this tool since they undoubtedly use secure cookies. Though I could be wrong I've never checked.
Samy is my hero. In all seriousness I'm loving the content, keep it up!
Woot! Thanks!
Very interesting, and powerful. But also the poisontap animation is really nice
Thanks, Samy! It's been a while since your last video 😀
Hello Samy, i have been waiting for you!
And I have been saving myself for you
The details on github are great. I'll test it tomorrow and give you some feedback. Thanks.
eh ha he
I saw PoisonTap in a French mag. Amazing. Thank you!!
Awesome!
Samy Kamkar yes haha. I just have a problem with PoisonTap. I put it in the PC as USB (when it's locked) with an HTTP website. Afterwards, when I try to see the information, I type cat cookies.log and the command answers: "listening"
Video description: "buy cement for your USB ports here" ... he actually linked to a bucket of cement xD
+Samy Kamkar Awesome work again... already awaiting your next video.
This is MAGNIFICENT!
Thank you for sharing sir!
"Buy cement for your USB ports here" lol
You're a genuine dude, consider being an inventor.
Just finished cementing my usb ports. Thanks Samy. B)
This guy is a legend
please upload more videos
PLS make more Videos! You are so good at what you are doing!
Thanks!
Samy as always is good to see you here again thanks for all this information
Thanks for posting and keeping it real, Samy!!! :-)
Now I finally have something to use my Pi0 for! Strictly for experimentation that is.
Well that is fairly terrifying. Good work!!
Welcome back, Samy.
Thanks!
Good to see you again Samy!
"by default, Windows, OS X and Linux recognize an ethernet device, automatically loading it as a low-priority network device and performing a DHCP request across it"
Debian Linux doesn't do that (unless you configure it to do so). The ethernet device would not even be activated automatically. I guess it would only work with a few highly pre-configured Linux distributions (like Ubuntu). For the dozens of others, I guess that nothing would happen by default. Or did I miss something?
Kali Linux -> working; Windows 7, 8, 8.1, 10 not working.
Windows Device Manager shows only "RNDIS/Ethernet Gadget"...
Can someone help me?
MORE! I've missed seeing your stuff!
This comment still holds true.
That's the thing with the MacBook Pro, at least the 2016 one: all its ports are chargers, and all of them process information too. You can probably program it to disable transferring information, though.
Interesting. Really though, if someone has unobserved physical access to your hardware there's nothing you can do to stop an intrusion short of destroying the computer.
This is getting harder and harder as we see more trusted hardware and good crypto built into devices, e.g. the iPhone's Secure Enclave (which is in the new MacBook Pros).
Reminds me of the cold war between the Dish Network guys and the pirate viewers. The smart card com path was exploitable on many levels; they went back and forth with many exploits and fixes until the hackers started glitching the VCC to the card to make the program counter brown out and jump to exploitable locations. Dish responded by embedding smoothing caps in the card. The hackers emulated the hardware and software of the cards in their own hardware. Dish blacklisted the older (emulated) cards and firmware... back and forth, back and forth, until what is now a pretty secure and un-exploited solution.
Now we wait for the news websites to eat this up. Btw, awesome job Samy, I have been waiting for a new project to work on.
well done, dude!
Hope you are safe and well out there Samy ✌
What's the name of the song in the intro? I can't find it on the "Epoch Rises" soundcloud.
Also want the name
its so good to see another upload
Very great project, Samy. Good idea and perfect to use a RasPi. Thanks for sharing.
Thanks, I got 2 pots of cement with your link
Incredible. According to your site.. this works on all operating systems correct? Windows/Linux/OS X
Correct!
THE KING IS BACK!!!! YEAHS!!!
Hahah, so my professor used your video on "hacking" a lock and showed it at my university.
Very interesting idea, thanks for publishing. Good that it's not utilizing any RCE vulnerabilities to act remotely... yet.
2:32 Redtube YAS
Samy is still my hero!
Finally someone has done this, I've been asking Hak5 to do this for a long time.
I love you Samy!!
Just came here because I saw you on Wired and they did you a disservice.
Not gonna lie I clicked the "buy cement" link xD. Took me a second
This was an amazing representation of the back end of Poison Tap and the data it mines. How long does the Pi need to be connected in order for the backdoors and remote access to be installed or do you leave it connected? (hopefully you can rename the LAN.. lol) Also what does the front end interface to access this data look like? Is there a web server that you can connect to or is it command line with ssh/telnet? Very cool and incredibly innovative.
30-60 seconds. Once you've left the attack location, you can plug it into your own machine and SSH in to obtain the cookies.
When you do that, aren't you then infecting your own machine?
Yeah, kill your browser when doing it
Finally a new video :)
i waited soooo long for this
Great video fam ...Thanks so much I really want to learn how to initiate an attack like this
Haha, very nice. Machines so blindly trust whatever random hardware is plugged in. Going to change in the future, unfortunately probably the change will be commercially driven instead of security driven.
Wow nice job! I can't wait to try this out for pen testing!
Just got my raspberry pi zero today, Can't wait to try it next week lol.... I hate studying for finals my god :/ Got no time to hack shit :/
Finally you are back! Quick question, would it be possible to do sslstrip with PoisonTap to bypass https?
It actually bypasses HTTPS for sites that *do* use HTTPS but do *not* set the Secure flag on cookies.
Samy Kamkar I see, wasn't aware of how secure cookies worked. Still amazing that it automatically bypasses websites without the secure flag. Great work!
Also, how did you make the amazing animations? They look absolutely sick!
So there are the preventative measures mentioned, but what about fixing it? Other than updating any critical passwords on a non-infected system that were leaked, how would you remove the back door?
As far as I understand, the backdoor persists in the browser cache, so you should be able to remove it by clearing (or disabling) your browser cache. Enabling "private browsing" on current browsers should remove the backdoor as soon as you close the browser, as it basically clears things such as cache, history and cookies when the browser is closed. The attack won't evade the browser's JavaScript sandbox so its effects will be confined to the browser(s) that was/were running when the system was attacked and not spread to other browsers or the file system or anything like that. So the harm is limited, but it's an interesting attack nonetheless since it uses a pretty uncommon attack vector.
So basically this attack can be removed with CCleaner.
LMAO.
You're on the news, bro!!
You didn't mention ways to secure your machine for Linux users. Is NetworkManager vulnerable to this too? What if you have a custom static-configured resolv.conf and no DHCP DNS support?
Edit: what about people who use uMatrix (a resource blocking browser extension) that's configured to also automatically block scripts?
Edit 2: or, even simply, what if you just disabled all USB network device drivers? I have a similar security precaution on my machines already. It's also advisable to disable USB keyboards at the kernel level. If you need to recover your machine, you can still use USB keyboards from the BIOS level and from stuff you boot over USB, of course.
Edit 3: I've blacklisted usbnet on my machines. But are there any other common drivers I'm missing?
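Added example, not code from PoisonTap or the video, for the Linux host-side questions above: how the gadget shows up in the kernel log when a host driver claims it, and a modprobe.d drop-in that refuses to load the USB network drivers. The kernel log lines are constructed (the "register" line follows the format in drivers/net/usb/usbnet.c, and "RNDIS/Ethernet Gadget" is the product string a Linux g_ether gadget presents, as the Windows Device Manager comment above also shows); the module names are real Linux drivers, and r8152 is listed separately because it does not sit on top of usbnet, so blacklisting usbnet alone does not cover it. Whether the interface is then brought up and gets DHCP is the distro-specific question raised in the Debian comment above.

```python
"""Added example, not code from PoisonTap or the video.

Host-side view on Linux of the 'plug in a USB Ethernet gadget' step:
(1) spot it in the kernel log, (2) generate a modprobe.d drop-in that
keeps the host-side drivers from loading at all.  The kernel log lines
are constructed for the example; the module names are real Linux
drivers under drivers/net/usb.
"""
import re

# usbnet-family drivers log one line like this when they claim a new interface
# (format from drivers/net/usb/usbnet.c: "register '%s' at usb-%s-%s, %s, %pM").
REGISTER_RE = re.compile(
    r"(?P<driver>\w+) (?P<port>[\d.:-]+) (?P<iface>\w+): register '(?P<module>\w+)' "
    r"at usb-(?P<bus>\S+), (?P<desc>[^,]+), (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
)
# Product string a Linux g_ether/RNDIS gadget (e.g. a Pi Zero) presents to the host.
GADGET_PRODUCT_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<product>.*Gadget.*)")


def strip_timestamp(line: str) -> str:
    """dmesg prefixes '[  123.456789] '; journalctl prefixes 'Mon DD hh:mm:ss host kernel: '."""
    line = re.sub(r"^\[\s*\d+\.\d+\]\s*", "", line)
    return re.sub(r"^\w{3} +\d+ [\d:]+ \S+ kernel: ", "", line)


def find_usb_net_events(log_lines):
    """Return one dict per USB network interface a driver registered, plus the
    gadget product string if the same USB port announced one."""
    products = {}
    events = []
    for raw in log_lines:
        line = strip_timestamp(raw)
        m = GADGET_PRODUCT_RE.match(line)
        if m:
            products[m["port"]] = m["product"]
            continue
        m = REGISTER_RE.match(line)
        if m:
            port = m["port"].split(":")[0]  # '1-1:1.0' (interface) -> '1-1' (device)
            events.append({
                "iface": m["iface"], "driver": m["module"], "mac": m["mac"],
                "desc": m["desc"], "product": products.get(port),
            })
    return events


# Host-side USB network drivers.  usbnet is the shared core for most of them,
# but r8152 (Realtek USB dongles) does not use usbnet, so blacklisting usbnet
# alone leaves that path open.
USB_NET_DRIVERS = [
    "usbnet", "cdc_ether", "rndis_host", "cdc_ncm", "cdc_mbim", "cdc_eem",
    "r8152", "asix", "ax88179_178a", "smsc95xx", "smsc75xx", "dm9601", "plusb",
]


def usb_net_blacklist_conf(drivers=USB_NET_DRIVERS) -> str:
    """Contents for e.g. /etc/modprobe.d/no-usb-net.conf (path is the reader's choice).
    'blacklist' only stops autoloading by device alias; 'install <mod> /bin/false'
    also makes an explicit or dependency-triggered modprobe fail, which is what
    actually keeps the gadget from getting a driver."""
    lines = ["# Block USB network adapters from ever binding (PoisonTap-style gadgets)."]
    for mod in drivers:
        lines.append(f"blacklist {mod}")
        lines.append(f"install {mod} /bin/false")
    return "\n".join(lines) + "\n"


# Constructed sample of what dmesg shows when a Pi Zero running g_ether is plugged in.
SAMPLE_DMESG = [
    "[ 4412.101223] usb 1-1: new high-speed USB device number 7 using xhci_hcd",
    "[ 4412.230114] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a2",
    "[ 4412.230120] usb 1-1: Product: RNDIS/Ethernet Gadget",
    "[ 4412.230124] usb 1-1: Manufacturer: Linux 4.4.0 with 20980000.usb",
    "[ 4412.291877] cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 12:ab:34:cd:56:ef",
    "[ 4413.002011] wlan0: associated",
]

if __name__ == "__main__":
    for ev in find_usb_net_events(SAMPLE_DMESG):
        print(f"USB NIC {ev['iface']} via {ev['driver']} ({ev['desc']}, {ev['mac']}), gadget: {ev['product']}")
    print(usb_net_blacklist_conf())
```

The trade-off is the one the comment above accepts: the same drop-in also breaks legitimate USB Ethernet adapters and USB tethering from a phone, so keep a wired or Wi-Fi path you control before installing it, and remember that any driver already loaded at install time stays loaded until rebooted or removed with rmmod.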
Cool video Samy! How did you create that animation of PoisonTap?
Just got my pi zero in the mail, now i know what to use it for :D
I'm always happy to see a new video of you :)
If you don't want the ugliness of cement, open the computer and disconnect the ports. If they can't be unplugged, snip the connections. With power off. I wonder if there is a way to physically jumper them to reversibly disable them.
thx for exposing this dangerous flaw
I don't know if you read these at all, but I have a question. Is it possible to catch the camera feed from a drone flying close enough to my laptop? Second, can I "by force" take control of the flight??
interesting video. Going to look into this poison tap.
Especially good if run on a rooted Android.
Most phones already have tether capabilities, so it doesn't seem suspicious if I just want to "charge my phone for a bit, I forgot my wall adapter, sorry".
Samy, and others, which programming language do you recommend to learn for hardware stuff like this as a first?
Why not? Did you add execution of a reverse Meterpreter session in case the browser was not running? It would not have been very difficult to include part of the code from your USBdriveby video.
202nd comment! You are finally back! Awesome! Your vids are so cool!
I'm on the mailing list but never get mail. I would love to stay up to date on your projects as they are always really educational.
Sorry, I've been pretty lazy about the list...also MailChimp charges a ton to email out so need to find a less expensive alternative soon!
Surely almost all sites are using HTTPS now, and most are on the HSTS preload list, so I don't think this would be too effective for those sites.
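Added example (my code, not part of PoisonTap or the video) putting the two conditions discussed in this thread into one check: Samy's reply above that a cookie set over HTTPS without the Secure attribute is still attached to a plaintext http:// request to the same host, and the point in the comment just above that a host with HSTS never sees that plaintext request at all. The Set-Cookie headers, host names and HSTS entries are constructed; a real audit would feed in the headers of your own login response and the HSTS store or preload list of the browser in question.

```python
"""Added example, not code from PoisonTap or the video.

Decides which cookies a browser would attach to a forged plaintext
http://<host>/ request, which is the request PoisonTap provokes from a
locked machine.  Two defences discussed in the thread stop the leak: the
Secure attribute on the cookie, and HSTS for the host (the browser never
sends the plaintext request at all).  All sample headers and HSTS entries
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False
    domain: Optional[str] = None  # None = host-only cookie for the host that set it
    path: str = "/"


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 syntax; attribute names are case-insensitive)."""
    pair, *attrs = [part.strip() for part in header.split(";")]
    name, _, value = pair.partition("=")
    cookie = Cookie(name=name, value=value)
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain":
            cookie.domain = val.lstrip(".").lower()  # browsers ignore a leading dot
        elif key == "path":
            cookie.path = val or "/"
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def is_hsts_host(hsts: dict, host: str) -> bool:
    """hsts maps a host to {'include_subdomains': bool}, as a browser's HSTS
    store or the preload list would.  Walk from the full host up through its
    parents; a parent entry only counts when it has includeSubDomains."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        entry = hsts.get(".".join(labels[i:]))
        if entry and (i == 0 or entry.get("include_subdomains")):
            return True
    return False


def cookies_leaked_over_http(cookies, setting_host, request_host, hsts):
    """Names of cookies that http://request_host/ would carry.  Secure cookies
    are never sent over plaintext; an HSTS host never sees the plaintext request."""
    if is_hsts_host(hsts, request_host):
        return []
    leaked = []
    for c in cookies:
        if c.secure:
            continue
        if c.domain is None:
            in_scope = request_host.lower() == setting_host.lower()
        else:
            in_scope = domain_matches(request_host, c.domain)
        if in_scope:
            leaked.append(c.name)
    return leaked


def audit_set_cookie(headers):
    """Cookies that this attack class can expose: set without the Secure attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


# Constructed sample: what a login response from https://www.example.com might set.
SAMPLE_HEADERS = [
    "sessionid=9f2c0a3e; Path=/; HttpOnly",               # no Secure: leaks over http://
    "csrftoken=Qb7Tnw; Path=/; Secure",                   # Secure: never sent in plaintext
    "prefs=dark; Domain=.example.com; Secure; HttpOnly",  # Secure: safe
    "tracking=u-4481; Domain=.example.com; Path=/",       # no Secure, whole domain: leaks
]


def demo(hsts=None):
    hsts = hsts or {}
    cookies = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    return {
        "missing_secure": audit_set_cookie(SAMPLE_HEADERS),
        "leaked_to_www": cookies_leaked_over_http(cookies, "www.example.com", "www.example.com", hsts),
        "leaked_to_sibling": cookies_leaked_over_http(cookies, "www.example.com", "api.example.com", hsts),
    }


if __name__ == "__main__":
    print("without HSTS:", demo())
    print("with HSTS on example.com (includeSubDomains):", demo({"example.com": {"include_subdomains": True}}))
```

Two things the run makes visible that the thread only states: HSTS protects the request, not the cookie (the audit still lists sessionid and tracking as missing Secure, so they leak the moment the same cookies are readable from a host or first visit that HSTS does not yet cover), and a Domain= cookie without Secure leaks to every sibling host, which is why the domain-wide tracking cookie shows up even for api.example.com.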
Wow... that is scary! Instead of emulating an Internet over USB device, would it be possible to do a similar attack over WiFi? Emulating a common access point name such as "Netgear" and accepting whatever password the PC submits.
Yup, you could set up a rogue AP, deauth users from their normal APs, and then get them to jump onto yours and perform a similar attack. This wifi attack is actually pretty common (though won't work in a number of cases) -- this essentially extends the attack to times that machines won't jump on rogue wifi or are hardwired (as in corporate settings).
Love the videos. Idea for new video "Exploiting Smart-homes".