Re: Poisontap security issue of NetworkManager?



Hi Lubo,

On 21.11.2016 13:07, Lubomir Rintel wrote:
> On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:
>
>> I think the main issue is that the network device is automatically
>> set up via DHCP by tools like NetworkManager & co.
>
> That is a feature. You generally want network connectivity when you
> plug in a network adapter with a cable in it.

Yes. And a nice one ;)

>> So my question is: Is that more of a system configuration issue or can
>> NetworkManager itself do something to prevent this scenario (e.g. not
>> starting dhcpcd on new interfaces generally or only while the system is
>> locked)?
>
> Yes, the feature can be turned off. Check out no-auto-default=* in the
> NetworkManager.conf(5) manual. In Fedora it's sufficient to install the
> NetworkManager-config-server package.
>
> However, if you don't trust your USB ports, you may want to set the
> sysfs attribute "authorized" to false by default on USB devices.
> Perhaps with a udev rule or something.

I think you could replicate this scenario with your existing ethernet
interface directly. And if NetworkManager has a default DHCP profile
for this ethernet interface already configured, disabling the creation
of them with "no-auto-defaults" wouldn't help.

>> While reading about the poisontap hack by Samy Kamkar
>> (https://samy.pl/poisontap/), I thought about ideas to prevent that.
>
> Too much drama there. Hijacking the internet connection of a box you
> have physical access to is hardly a security issue.

Maybe not, but I guess that having a screen lock that doesn't prevent
others from manipulating the current user session that runs in the
background is at least annoying. And some kind of lockdown mode that
disables automatic configuration would be a nice feature.

Cheers,
Claudius

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch denx de
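The two mitigations named in this thread (no-auto-default=* in NetworkManager.conf and defaulting USB devices to unauthorized via sysfs/udev) can be audited with the added shell example below; it is not from the thread or from the NetworkManager project, and it assumes that USB root hubs appear as /sys/bus/usb/devices/usbN carrying an authorized_default attribute, that the udev rule printed matches them by that kernel name, and that only a single NetworkManager.conf file (no conf.d drop-ins) is inspected.

```shell
#!/bin/sh
# Added example: audit the two mitigations discussed in the thread.
#  1. [main] no-auto-default=*  -> no DHCP profile is auto-created for a new wired NIC.
#  2. root hub authorized_default=0 -> new USB devices stay unauthorized until
#     an admin writes 1 to their "authorized" attribute.
# Both checks take the file/tree to inspect as $1 so they also run on a fixture.

# Exit 0 when the NetworkManager.conf at $1 sets no-auto-default=* in [main].
# Assumption: one file only; conf.d drop-ins (last one wins) are not merged.
nm_no_auto_default_all() {
    awk '
        /^[[:space:]]*\[/ { sub(/^[[:space:]]*/, ""); section = $0; next }
        section ~ /^\[main\]/ && /^[[:space:]]*no-auto-default[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            if ($0 == "*") found = 1
        }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# Print every USB root hub (usbN, assumed naming) under sysfs root $1 whose
# authorized_default is not 0; exit 0 only when no such hub exists.
usb_hubs_auto_authorizing() {
    rc=0
    for f in "$1"/bus/usb/devices/usb*/authorized_default; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            basename "$(dirname "$f")"
            rc=1
        fi
    done
    return $rc
}

# Remediation snippets for both findings (printed for review, not installed).
print_hardening_snippets() {
    cat <<'EOF'
# /etc/NetworkManager/conf.d/90-no-auto-default.conf
[main]
no-auto-default=*

# /etc/udev/rules.d/90-usb-authorized-default.rules (assumed rule: matches root
# hubs by kernel name; devices plugged in afterwards need explicit enabling)
ACTION=="add", SUBSYSTEM=="usb", KERNEL=="usb[0-9]*", ATTR{authorized_default}="0"
EOF
}
```

Run `nm_no_auto_default_all /etc/NetworkManager/NetworkManager.conf` and `usb_hubs_auto_authorizing /sys` on a live host; a hub name printed by the second call is one that still authorizes new devices automatically.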

