Re: Poisontap security issue of NetworkManager?

["D.S. Ljungmark" <spider aanstoot se>]

On 21/11/16 13:07, Lubomir Rintel wrote:
> Hello Claudius,
>
> On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:
> > Hi!
> >
> > While reading about the poisontap hack by Samy Kamkar
> > (https://samy.pl/poisontap/), I thought about ideas to prevent that.
>
> Too much drama there. Hijacking the internet connection of a box you
> have physical access to is hardly a security issue.
>
> > I think the main issue is, that the network device is automatically
> > setup via dhcp by tools like NetworkManager & co.
>
> That is a feature. You generally want network connectivity when you
> plugin a network adapter with a cable in it.
>
> > So my question is: Is that more of a system configuration issue or
> > can
> > NetworkManager itself do something to prevent this scenario (e.g. not
> > starting dhcpcd on new interfaces generally or only while system is
> > locked)?
>
> Yes, the feature can be turned off. Check out no-auto-default=* in
> NetworkManager.conf(5) manual. In Fedora it's sufficient to install
> NetworkManager-config-server package.
>
> However, if you don't trust your USB ports, you may want to set the
> sysfs attribute "authorized" to false by default on USB devices.
> Perhaps with a udev rule or something.


I think it would be a good thing to tie this to the state of the screen
lock.
When the screen is locked or the session is logged out (gdm), do not
establish new connections automatically, but postpone until there has
been authentication of the user.

If the screen is unlocked, session active, then it's fine to simply
respond to user interaction of a USB connection automatically.


The trick is to prevent a brief lapse from user ( locked screen & afk )
from being a security issue.

//D.S.