Low-cost PoisonTap tool can compromise locked computers

A new attack tool devised by security researcher Samy Kamkar will leave you wishing you could take your computer with you everywhere you go.

Dubbed PoisonTap, the tool consists of a Raspberry Pi Zero controller with a USB or Thunderbolt plug, loaded with open source software. All in all, this setup can be achieved by anyone who has $5 to spare.

What is PoisonTap capable of, you ask?

Plugged into a locked/password protected computer, it can hijack all Internet traffic from the machine, open the internal router to the attacker, collect HTTP cookies and sessions from web browsers, install a web-based backdoor in HTTP cache for hundreds of thousands of domains, install a backdoor into the machine that does not depend on the device being plugged in, and more. It is capable of compromising Macs and PCs running Windows.

Kamkar demonstrated how PoisonTap works in this video:

Preventing a PoisonTap attack is more or less easy – keep you computer with you at all times, find a way to prevent anything to be inserted in its USB and Thunderbolt ports while you’re not using the machine, close your browser each time you walk away from the computer, or power down the computer. There is also the option of configuring the machine not to automatically recognize new Ethernet devices, as PoisonTap emulates an Ethernet interface.

“Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up,” Kamkar explained.

Web server admins can also do their part by using HTTPS exclusively, using HSTS to prevent HTTPS downgrade attacks, and enabling the Secure flag on cookies (to prevent HTTPS cookies from leaking over HTTP).