PoisonTap Hijacker


If you lock your computer and walk away, it takes only 30 seconds for a hacker armed with a small $5 Raspberry Pi Zero, which is loaded with devious code, to completely pwn your password-protected computer and install remotely accessible backdoors.

PoisonTap, the latest creation of hacker and developer Samy Kamkar, has a long list of wicked slick capabilities, including the fact that after an attacker removes the device from a USB port, a backdoor and remote access will persist on both your computer and your router.

When inserted into a USB port, PoisonTap tricks a computer into believing it was just plugged into a new Ethernet connection that takes over all internet traffic.

Even if you have locked your computer, Mac or PC, a browser window left open on an HTTP-based site keeps making HTTP requests in the background. PoisonTap intercepts all of that unencrypted web traffic and sends it to an attacker-controlled server. By capturing unencrypted authentication cookies, an attacker can access the user’s personal accounts.

Here’s a review of all of PoisonTap’s capabilities:

  • Emulates an Ethernet device over USB
  • Hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
  • Siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
  • Exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding
  • Installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user’s cookies via cache poisoning
  • Allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
  • Does not require the machine to be unlocked
  • Backdoors and remote access persist even after device is removed and attacker sashays away

Security recommendations, for both server administrators and device owners:

  • First and foremost, all websites should run via HTTPS
  • HSTS should be used together with HTTPS
  • The Secure flag must be set on cookies at all times, to prevent websites from accidentally sending cookies over HTTP
  • Servers should use Subresource Integrity (SRI) for delivering JavaScript files
  • Blocking access to USB and Thunderbolt ports (Kamkar recommends using cement, as a joke)
  • Closing browsers when walking away from a PC
  • Putting the PC in sleep mode when walking away
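As an added example (not code from the original post or from Kamkar's project), here is a small Python audit that checks a server response against three of the server-side recommendations above: the Secure flag on cookies, an HSTS header, and Subresource Integrity on external scripts. The response headers and HTML it inspects are constructed samples, not captured from any real site.

```python
"""Audit an HTTP response for the PoisonTap mitigations: Secure cookies, HSTS, SRI."""
import re

# Constructed sample response (not from a real server). One cookie lacks Secure,
# and one external script is fetched over plain HTTP without an integrity attribute.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": [
        "session=abc123; Path=/; HttpOnly; Secure",
        "tracker=xyz; Path=/",  # missing Secure: would be sent over plain HTTP
    ],
}
SAMPLE_HTML = """
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="http://cdn.example.com/other.js"></script>
"""


def audit_cookies(set_cookie_values):
    """Return the names of cookies whose Set-Cookie line lacks the Secure flag."""
    findings = []
    for raw in set_cookie_values:
        name_value, _, attrs = raw.partition(";")
        cookie_name = name_value.split("=", 1)[0].strip()
        flags = {a.strip().lower() for a in attrs.split(";")}
        if "secure" not in flags:
            findings.append(cookie_name)
    return findings


def audit_hsts(headers):
    """Return True if Strict-Transport-Security is present with a positive max-age."""
    value = headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", value, re.I)
    return bool(match) and int(match.group(1)) > 0


def audit_scripts(html):
    """Return src URLs of external scripts loaded over HTTP or without an integrity attribute."""
    findings = []
    for tag in re.finditer(r"<script\b[^>]*>", html, re.I):
        attrs = tag.group(0)
        src = re.search(r"\bsrc=[\"']([^\"']+)[\"']", attrs, re.I)
        if not src:
            continue  # inline script, nothing to fetch from a CDN
        url = src.group(1)
        if url.lower().startswith("http://") or not re.search(r"\bintegrity=", attrs, re.I):
            findings.append(url)
    return findings
```

Each function reports only the items that fail the check, so an empty list (or True for HSTS) means the response passes that recommendation.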



Originally Alameda Typewriter, ABM COMPUTERS has served the entire San Francisco Bay Area with professional, first-rate IT support and computer sales from the same location since 1939. Building on decades of experience, along with a dedicated team, we continue to provide standout in-shop and on-site services and comprehensive, affordable solutions for all your computing needs.

Posted on November 21, 2016, in Computer Advice.

