Beyond Bad USB: Poisontap takes over your sleeping computer with a $5 USB stick

Prolific and dramatic security researcher Samy Kamkar (previously) has unveiled a terrifying device that reveals the devastating vulnerabilities of computers, even when in sleep mode.


The new device, Poisontap, is a $5 Raspberry Pi controller with a USB plug that impersonates an Ethernet connection when it is inserted into a computer. During the network setup process, Poisontap tricks the computer into preferring it for internet connections, then it waits for one of the open tabs in the user's browser to make a web connection (something that many websites do routinely — to fetch updated content, to get new ads, or for other purposes).
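What the article describes as "tricking the computer into preferring it" comes down to routing: a network gadget whose DHCP lease claims a huge on-link address range gives the host routes that are more specific than the existing default gateway, so normal traffic is steered onto the gadget. The detector below is an added example (not part of the PoisonTap project or Kamkar's code): it parses the output of `ip -4 route` and flags any interface whose on-link routes cover an implausible slice of IPv4. The route lines, the interface names (`wlan0`, `usb0`) and the /8 threshold are constructed assumptions for the demonstration.

```python
"""Flag interfaces that claim an implausibly large on-link IPv4 range.

A real LAN lease covers a small subnet (/24, /16, rarely wider).  A rogue
USB network gadget that wants to hijack all traffic hands the host routes
covering nearly the whole IPv4 space, which beat the default route because
the kernel prefers the most specific match.  Added example, not project code.
"""
import ipaddress
import re
from collections import defaultdict

# Widest on-link range we treat as plausible for a physical LAN: a /8 (assumption).
MAX_PLAUSIBLE_ONLINK_ADDRESSES = 2 ** 24

# Matches the leading "<dst> [via <gw>] dev <ifname>" part of an `ip route` line.
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)\s+(?:via\s+\S+\s+)?dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Yield (destination network, interface name, is_onlink) for each route line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        # `scope link` marks a directly attached (on-link) destination.
        yield net, m.group("dev"), "scope link" in line


def onlink_coverage(text):
    """Sum the number of on-link addresses each interface claims."""
    coverage = defaultdict(int)
    for net, dev, onlink in parse_routes(text):
        if onlink:
            coverage[dev] += net.num_addresses
    return dict(coverage)


def suspicious_interfaces(text, threshold=MAX_PLAUSIBLE_ONLINK_ADDRESSES):
    """Interfaces whose on-link coverage exceeds the plausible threshold."""
    return sorted(dev for dev, n in onlink_coverage(text).items() if n > threshold)


# Constructed sample of `ip -4 route` output: wlan0 holds a normal /24 lease,
# while usb0 (a just-plugged gadget) has been handed both halves of IPv4 as
# on-link routes, which win over `default` because they are more specific.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.10 metric 100
128.0.0.0/1 dev usb0 proto dhcp scope link src 1.0.0.10 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

if __name__ == "__main__":
    cov = onlink_coverage(SAMPLE_ROUTES)
    for dev in suspicious_interfaces(SAMPLE_ROUTES):
        print(f"WARNING: {dev} claims {cov[dev]} on-link IPv4 addresses")
```

Run it periodically or from a udev/NetworkManager dispatcher hook with the live output of `ip -4 route` in place of `SAMPLE_ROUTES`; an interface that appears out of nowhere and immediately claims most of IPv4 is exactly the event worth alerting on.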

Poisontap contains fake versions of the one million highest-ranked websites on Alexa. If the target's computer requests data from any of these sites, Poisontap serves back the fake, capturing the target's cookies (and login credentials) in the process. Because he controls the target's network interface, Kamkar is able to bypass the normal security measures that sites take to prevent this, such as using X-Frame-Options to stop sensitive sites from being embedded in iframes. Capturing the cookies also lets Kamkar bypass any two-factor authentication. He can also bypass some HTTPS-based protections and bypass DNS pinning (by exhausting the DNS pinning table).

When Poisontap serves back its fake site, it also serves thousands of invisible, undetectable iframes, which are all HTML/JavaScript-based backdoors that the target's browser will cache indefinitely. These iframes all open a connection to Kamkar's computer, using WebSockets, through which Kamkar can launch more attacks against the target computer and its network. Poisontap uses its compromised systems to help Kamkar bypass routers with network address translation, allowing him to reach through these routers to get at compromised systems, and also potentially reprogram these routers to attack all the computers on the network (for example, by serving fake DNS entries that direct computers to attack sites).

There's more — to be honest, the number of ways in which Poisontap can attack your computer and your sensitive internal networks is limited only by your imagination (Kamkar has a fiendishly good imagination).

There are two main lines of defense against these attacks: first, serve all sites, including internal ones, over HTTPS. Second, configure your computer so that it doesn't automatically recognize new Ethernet interfaces (this is how recent versions of Ubuntu work — when I tether to my phone as an Ethernet interface, I have to manually select the phone before it starts working, every time).
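The cookie grab and the cached iframe backdoors described above both depend on the browser making plain-HTTP requests that the rogue gateway can answer. Two response headers close that door: `Secure` on session cookies (the browser never sends them over http://) and `Strict-Transport-Security` (the browser refuses to speak plain HTTP to the host at all, so there is no HTTP response to poison or cache). The audit below is an added example, not code from the article or from Kamkar; it checks a raw HTTP response head for those properties. The two sample responses, the cookie name `session` and the one-year HSTS minimum are constructed assumptions.

```python
"""Audit HTTP response headers for the properties that blunt a PoisonTap-style
cookie grab: Secure (and HttpOnly) session cookies, and a strong HSTS policy.
Added example; the sample responses below are constructed, not captured."""
from dataclasses import dataclass

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual minimum for preload lists (assumption)


@dataclass
class Finding:
    severity: str
    message: str


def parse_response_headers(raw):
    """Return (status line, [(lowercased name, value), ...]) from a raw response head."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [l for l in head.replace("\r\n", "\n").split("\n") if l]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip('"'))
            except ValueError:
                max_age = None
        elif d.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(raw):
    """Return a list of Findings; an empty list means the response is hardened."""
    _, headers = parse_response_headers(raw)
    findings = []

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append(Finding("high", "no Strict-Transport-Security: the browser will still "
                                        "issue plain-HTTP requests to this host, which a rogue "
                                        "gateway can answer and poison"))
    else:
        max_age, include_sub = parse_hsts(hsts[0])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(Finding("medium", f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}"))
        if not include_sub:
            findings.append(Finding("low", "HSTS lacks includeSubDomains: subdomains stay reachable over HTTP"))

    for n, v in headers:
        if n != "set-cookie":
            continue
        name = v.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in v.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(Finding("high", f"cookie {name!r} lacks Secure: it is sent in the clear "
                                            "on any http:// request the browser makes"))
        if "httponly" not in attrs:
            findings.append(Finding("medium", f"cookie {name!r} lacks HttpOnly: readable by injected script"))
    return findings


# Constructed sample responses: the weak one is what many sites still send; the
# hardened one is the same page with the two defenses applied.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/",
    "", "<html>...</html>",
])
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "", "<html>...</html>",
])

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit(resp))} finding(s)")
        for f in audit(resp):
            print(f"  [{f.severity}] {f.message}")
```

The weak response yields three findings (missing HSTS, cookie without Secure, cookie without HttpOnly); the hardened one yields none. Feed it the head of a real response captured with `curl -i` to check an internal site before assuming "local only" makes plain HTTP acceptable.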


PoisonTap’s cached browser backdoors can allow a hacker to pull off either of two attacks, Kamkar says: He or she can connect via the browser to the victim’s router, cycling through IP addresses to find the device, and then either break in with one of the common exploits affecting routers that are frequently unpatched and out-of-date, or try the default username and password that many still use. That can allow the hacker to eavesdrop on virtually all unencrypted traffic that passes over the victim’s network.


Or if the hacker knows the address of a company’s corporate intranet website—and the site doesn’t use HTTPS, as is often the case for sites restricted to local access—PoisonTap can give the hacker an invisible foothold on the local network to connect to the intranet site and siphon data to a remote server. “If I tell the browser to look up some customer’s data, I can have it sent back to me,” Kamkar says. “That might not have been accessible remotely, but I have a local backdoor.”

Poisontap [Samy Kamkar]

Wickedly Clever USB Stick Installs a Backdoor on Locked PCs [Andy Greenberg/Wired]