Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

“PoisonTap” Device Can Hack Password-Protected Computers

A researcher has created a hacking device that allows attackers to easily gain access to a password-protected computer, hijack all its Internet traffic, and install backdoors.

A researcher has created a hacking device that allows attackers to easily gain access to a password-protected computer, hijack all its Internet traffic, and install backdoors.

The device, dubbed PoisonTap, is Samy Kamkar’s latest creation. The security expert has developed dozens of tools over the past years, including ones that could be used to hack phones, computers, payment card readers, garage doors, locks, drones, doorbells and cars.

PoisonTap is a $5 Raspberry Pi Zero device running some Node.js code that has been made publicly available by the researcher. Once it’s connected to a Windows or Mac computer via USB, the device starts loading the exploits needed to compromise the machine. The attack works even if the targeted computer is locked.

After it boots up, the hacking tool emulates an Ethernet device over USB. When the operating system recognizes this Ethernet device, it loads it as a low-priority network device and sends it a DHCP request. The response sent to this request tells the system that the entire IPv4 address space is part of PoisonTap’s local network.

By claiming the entire IPv4 space, traffic going to any IP passes through PoisonTap before reaching the legitimate gateway to the Internet. Once it hijacks all Internet traffic, the hacking tool can steal HTTP cookies and sessions for the Alexa top 1 million websites from the victim’s browser.

The expert pointed out that cookie siphoning is possible even if the web browser is not actively used. As long as the application is running in the background, it’s likely that at least one of the open webpages is making HTTP requests.

An attacker can also use the device to install persistent web-based backdoors for hundreds of thousands of domains, and open a remote access channel to the victim’s router.

Since PoisonTap steals cookies and not credentials, the attacker can hijack the victim’s online accounts even if they have two-factor authentication (2FA) enabled. Furthermore, HTTPS protection is bypassed if the “secure” cookie flag and HSTS are not enabled. Kamkar says PoisonTap can also bypass several other security mechanisms, including same-origin policy (SOP), HttpOnly cookies, X-Frame-Options HTTP response headers, DNS pinning and cross-origin resource sharing (CORS).

Even after the hacking tool is unplugged from the targeted device, the backdoors remain and the attacker will be able to remotely gain access at a later time.

Kamkar has published a video explaining how these attacks work and how easily they can be carried out:

There are several measures that can be taken both on the server side and the client side to prevent such attacks. Web server operators can protect their users by properly implementing HTTPS and using HSTS to prevent downgrade attacks.

The list of security measures for users includes closing the web browser when the computer is not supervised, disabling USB ports, and using full-disk encryption applications (e.g. FileVault 2) in combination with “deep sleep” mode.

Related Reading: Attackers Increasingly Abuse Open Source Security Tools

Related Reading: Hackers Use Basic Tools After Breaching Your Network

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Endpoint Security

The Zero Day Dilemma

Application Security

After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple...