PoisonTap was created by Samy Kamkar. He detailed his work in a YouTube video explaining how PoisonTap gains access to locked computers and then installs a backdoor that lets web connections be hijacked.
PoisonTap is based on a Raspberry Pi Zero computer. The £4 ($5) device is a palm-sized computer primarily intended to increase coding skills and teach computer science. Because it runs a full Linux distribution, it can run the same breadth of applications as a traditional desktop PC. Kamkar adapted the Pi’s software to turn it into an effective tiny hacking tool.
PoisonTap connects to target computers via their USB ports. It works on Windows, Mac OS X and Linux machines and can bypass typical end-user protections such as locking the screen. Once plugged in, PoisonTap gains control of the target and installs a web backdoor. This monitors network activity and allows the attacker to make remote requests.
PoisonTap works by presenting itself to the host as a USB Ethernet adapter. It then masquerades as an internet router, convincing the host to route traffic through it so that the data can be hijacked and monitored. The next step is installing a Node.js-based server and exposing it to the attacker, which provides the backdoor functionality.
PoisonTap can also check for cookies from the top 1,000,000 websites in the world and steal them if they are present on the machine. Cookies identify a user's browser to web servers, so stealing them would let an attacker take over the user's logged-in sessions and gain control of online accounts.
Once the software has been installed, PoisonTap can be removed from the PC; the backdoor and remote access features remain available to the attacker. A cybercriminal would need only a few minutes of physical access to compromise the machine. They could then unplug the device, walk away from the PC and continue their activity remotely.
In a detailed article about his device, Kamkar explained how PoisonTap exploits a variety of network trust mechanisms to convince computers it’s a genuine network router. Once it has achieved access, a range of techniques are used to completely compromise the user’s online activities and open backdoors in as many locations as possible.
“PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors,” said Kamkar.
The only viable way of preventing PoisonTap attacks is to only connect to web servers that are using HTTPS. Unfortunately, this won’t be feasible for the vast majority of users. While HTTPS adoption has begun to take off in recent months, it’s still far from being universal across the internet.
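A check for the cookie exposure described above, added here as an example and not code from the article or from PoisonTap itself: it flags Set-Cookie headers lacking the Secure attribute, which a browser would attach to any plain-HTTP request a rogue gateway provokes, and a missing HSTS header. The two sample responses are constructed; the header names and attributes are standard.

```python
from typing import Dict, List, Tuple

# Constructed sample: session cookie without Secure, no HSTS header.
WEAK_RESPONSE: List[Tuple[str, str]] = [
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

# Constructed sample: the same cookies hardened, with HSTS enabled.
HARDENED_RESPONSE: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, attributes); attribute names are lower-cased
    and bare flags such as Secure map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """One finding per weakness that lets a plain-HTTP request leak state."""
    findings: List[str] = []
    lowered = [(h.lower(), v) for h, v in headers]
    if not any(h == "strict-transport-security" for h, _ in lowered):
        # Without HSTS the browser follows http:// URLs to this host. HSTS
        # only protects hosts the browser has already seen it from over
        # HTTPS (or that are on the preload list), so it is not a full fix.
        findings.append("no Strict-Transport-Security header")
    for h, v in lowered:
        if h != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            # The cookie a rogue gateway can collect: the browser attaches
            # it to any plaintext request for the cookie's domain and path.
            findings.append(f"cookie {name!r} lacks Secure; sent over plain HTTP")
    return findings
```

Running `audit_response` over the weak sample reports the missing HSTS header and both unprotected cookies; the hardened sample produces no findings.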
In practice, there is little users can do to defend against PoisonTap. Since attackers need physical access to use the device, attacks are most likely in public places. Keeping your computer within sight at all times could help lower the risk. Kamkar also suggested closing your browser each time you walk away from your machine, although this too is highly impractical.
