Re: Poisontap security issue of NetworkManager?





On 21/11/16 13:07, Lubomir Rintel wrote:
> Hello Claudius,
>
> On Thu, 2016-11-17 at 12:10 +0100, Claudius Heine wrote:
>> Hi!
>>
>> While reading about the poisontap hack by Samy Kamkar
>> (https://samy.pl/poisontap/), I thought about ideas to prevent that.
>
> Too much drama there. Hijacking the internet connection of a box you
> have physical access to is hardly a security issue.
>
>> I think the main issue is that the network device is automatically
>> set up via dhcp by tools like NetworkManager & co.
>
> That is a feature. You generally want network connectivity when you
> plug in a network adapter with a cable in it.
>
>> So my question is: Is that more of a system configuration issue or can
>> NetworkManager itself do something to prevent this scenario (e.g. not
>> starting dhcpcd on new interfaces generally or only while system is
>> locked)?
>
> Yes, the feature can be turned off. Check out no-auto-default=* in
> the NetworkManager.conf(5) manual. In Fedora it's sufficient to install
> the NetworkManager-config-server package.
>
> However, if you don't trust your USB ports, you may want to set the
> sysfs attribute "authorized" to false by default on USB devices.
> Perhaps with a udev rule or something.



I think it would be a good thing to tie this to the state of the screen
lock.
When the screen is locked or the session is logged out (gdm), do not
establish new connections automatically, but postpone until there has
been authentication of the user.

If the screen is unlocked, session active, then it's fine to simply
respond to user interaction of a USB connection automatically.


The trick is to prevent a brief lapse from the user (locked screen & afk)
from being a security issue.

//D.S.
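
Added example (not part of the original thread or of NetworkManager): a small audit of the two mitigations named in the quoted reply, the [main] no-auto-default=* setting and USB default authorization. It assumes the standard NetworkManager configuration directories and the kernel's per-host-controller sysfs attribute authorized_default; the function names are hypothetical, and it only reports which files set the option, without modelling precedence between them.

```python
import glob
import os

# Assumed standard locations, relative to a root so a test tree can be used.
NM_CONF_GLOBS = (
    "usr/lib/NetworkManager/conf.d/*.conf",
    "etc/NetworkManager/NetworkManager.conf",
    "etc/NetworkManager/conf.d/*.conf",
)
USB_GLOB = "sys/bus/usb/devices/usb*/authorized_default"


def nm_no_auto_default(root="/"):
    """Return {file: value} for every [main] no-auto-default setting found."""
    found = {}
    for pattern in NM_CONF_GLOBS:
        for path in sorted(glob.glob(os.path.join(root, pattern))):
            section = None
            with open(path, encoding="utf-8", errors="replace") as fh:
                for raw in fh:
                    line = raw.strip()
                    if line.startswith("[") and line.endswith("]"):
                        section = line[1:-1].strip()
                    elif section == "main" and not line.startswith("#"):
                        key, sep, val = line.partition("=")
                        if sep and key.strip() == "no-auto-default":
                            found[path] = val.strip()
    return found


def usb_authorized_default(root="/"):
    """Return {controller: value}; "1" means new devices are authorized."""
    state = {}
    for path in sorted(glob.glob(os.path.join(root, USB_GLOB))):
        with open(path, encoding="ascii", errors="replace") as fh:
            state[os.path.basename(os.path.dirname(path))] = fh.read().strip()
    return state


def audit(root="/"):
    """List findings; an empty list means both mitigations are in place."""
    findings = []
    specs = [v.replace(";", ",").split(",") for v in nm_no_auto_default(root).values()]
    if not any("*" in [s.strip() for s in spec] for spec in specs):
        findings.append("NetworkManager: no-auto-default=* is not set")
    for ctrl, val in usb_authorized_default(root).items():
        if val == "1":
            findings.append(f"{ctrl}: new USB devices are authorized by default")
    return findings


if __name__ == "__main__":
    print("\n".join(audit()) or "no findings")
```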


