PoisonTap Tool Lets Hackers Take Over Locked Computers With USB Stick

If you step away from your computer, an attacker could quickly insert a USB stick and take control using a series of vulnerabilities. The device costs only $5.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

PoisonTap Hack

While most people know not to leave their computer alone in a public space, locking the system with a password gives many users a feeling of security.

A new hacking tool released this week has shown how illusory that feeling is, demonstrating the danger of leaving any system unsupervised. The tool, known as PoisonTap, can be loaded onto a $5 Raspberry Pi barebones computer and will take over the internet connection of any system to which it is connected. Once plugged in, the program will steal the victim’s cookies for the top 1 million Web sites, expose internal routers to the Internet, and allow remote access to the system.

The hacker behind the program, Samy Kamkar, a security researcher best known for creating the MySpace worm in 2005, announced the tool on Nov. 16.

“When plugged into a locked or password-protected computer, it takes over all internet traffic momentarily,” Kamkar said in a video explaining the attack. “The back door and remote access persists even after the device is removed and you walk away.”

The attack is a bold demonstration that leaving a computer unattended is never a good idea.

When PoisonTap is plugged into a computer the device masquerades as an Ethernet device. The computer immediately sends a request to PoisonTap for an IP address, even if it is locked or password-protected. The address that PoisonTap returns makes it seem that “almost all IP addresses on the Internet are part of PoisonTap’s LAN,” Kamkar said.

The result is that the targeted computer will send all its Internet traffic through PoisonTap.

PoisonTap will intercept any requests to the Web and steal cookies to the top 1 million Web sites. The cookies could then be used by an attacker to automatically log into sites without needing a username and password, although the effectiveness of such an attack depends on the site’s security requirements.

The program can also poison the browser cache and redirect requests for certain Web sites to go to an attacker-owned site, essentially giving control of the browser to the attacker, Kamkar said.

“Whenever the Web socket is open, the attacker can remotely send command to the victim and force their browser to execute JavaScript code,” he said. “This allows that attacker to make requests as the user, with the user cookies and view the responses, with no visibility to the user.”

There is very little a consumer can do to secure against the attack, he said.

“To protect a client machine, I suggest adding cement to all you USB ports,” he said. The program will not run on computers that have file system encryption, such as FileVault, because the browser does not run in the background.

Web sites can protect against parts of the attack by requiring all traffic to use HTTPS. While that seems to be a basic precaution, only 21 percent of the top–100 non-Google sites require HTTPS by default, according to a 2016 analysis by Google.

Overall, the attack is able to avoid a laundry list of security protections, including password protected lock screens, same-origin policies in the browser, two-factor authentication and DNS pinning.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...