New PoisonTap Hack Uses $5 Raspberry Pi Zero To Backdoor Locked Computers

Hacker Samy Kamkar recently demoed how to use a $5 Raspberry Pi Zero to backdoor locked Windows and Mac computers. Find out more about Kamkar's new PoisonTap tool, here.

A $5 Raspberry Pi Zero can be used to backdoor a locked Windows or Mac computer, says hacker Samy Kamkar. Find out more about Kamkar's new PoisonTap tool, here.

Want to backdoor a password-locked computer? No problem. In a simple, yet impressive YouTube demo, long-time hacker and security researcher Samy Kamkar reveals how a $5 Raspberry Pi Zero could be used to launch an internet backdoor attack he dubs “PoisonTap.” The attack is simple to create but has the power to compromise password-protected PC, Mac or Linux computers, giving attackers access to a ton of the victim’s internet-related data. The hack takes about a minute to perform and can allow an attacker to gain access to a victim’s online accounts, corporate intranet sites, or even their router.

What Is PoisonTap? How Can A Raspberry Pi Zero Compromise My Computer?

According to Kamkar, the PoisonTap backdoor involves installing special software (written by Kamkar) on a tiny Raspberry Pi Zero. Add a MicroSD card and a micro-USB cable and the tool is ready to go. An attacker only needs about a minute alone with the target’s computer to plug in the PoisonTap tool and allow it to do its dirty work.

Kamkar's PoisonTap tool can backdoor a Mac, Windows or Linux computer even when it's locked.

PoisonTap’s effectiveness lies in the absolute trust all computers have in network devices. At any given time, you can plug a flash drive, printer or other USB network device into your computer and there’s nothing barring it from doing whatever it pleases. There are no warnings or passwords required to allow it to connect to your computer. Your computer just inherently “trusts” these devices.

PoisonTap takes advantage of this trust, and once plugged into a computer, it starts impersonating a new Ethernet connection. Ethernet connections are considered LAN, so this tricks the computer into giving any IP address accessed through that connection higher priority than the WiFi network. Given its priority, PoisonTap can now intercept internet traffic.

If a computer – locked or unlocked – has a webpage open while the PoisonTap tool is attached, the tool will wait for the page to add some kind of new content. This doesn’t take long since most webpages are constantly offering new pieces of data like an advertisement or news update. Once this happens, the PoisonTap tool spoofs a response and delivers its own payload to the victim’s browser. This payload includes a set of iFrames, which are basically modified versions of the top million most popular sites according to Alexa Ranking. As these sites are loaded, the PoisonTap tool tricks the victim’s browser into sharing with it any cookies stored from those million websites and stores them on the MicroSD card attached to the Raspberry Pi. Cookies allow sites to remember when we’ve visited them, and if users have passwords stored in their browsers, cookies enable quick login to those sites. By capturing those cookies, an attacker can log into any of the victim’s stored accounts.

But even after the PoisonTap tool is physically removed from the computer, it continues to backdoor websites the user visits. This is because the iFrames PoisonTap fed to the victim’s browser are cached, which means every time the user visits those sites, they actually load the attacker’s modified version of the site. This allows for an ongoing communications channel called a websocket, which connects the site back to a server controlled by the hacker every time the victim visits it. This kind of attack is undetectable by antivirus or other policing software and can allow hackers to further exploit a victim’s browser. Furthermore, by utilizing known vulnerabilities in many routers, PoisonTap could allow an attacker to “see” any unencrypted traffic on a victim’s network.

“Their browser basically acts as a tunnel into their local area network,” Kamkar said in the YouTube demo.

Should I Be Worried About PoisonTap? How To Protect Yourself From The Backdoor Tool

For most users, Kamkar’s PoisonTap tool doesn’t pose a real threat, but for individuals working in corporate environments, for example, the dangers of leaving one’s computer unattended – locked or not – are heightened. While PoisonTap requires a number of situational constraints (the attacker must have physical access to the device, a website must be open, pages must be delivered over HTTP), it nonetheless signals a needed change to trust protocols for network devices like USBs.
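The cookie theft described above depends on two of those constraints: the injected iframes are plain-HTTP requests, and the browser attaches every cookie that lacks the Secure attribute to such requests. The following audit script is an added example written for this article (it is not part of Kamkar's PoisonTap code); it parses a site's Set-Cookie and Strict-Transport-Security headers and reports which cookies an injected HTTP iframe would receive and whether HSTS would stop the browser from issuing that HTTP request at all. The sample headers are constructed and describe a fictional site.

```python
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Parse one Set-Cookie value; attribute keys are lower-cased,
    flag attributes such as Secure map to None."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else None
    return cookie


def cookies_exposed_to_http(set_cookie_headers: List[str]) -> List[str]:
    """Names of cookies the browser would attach to a plain http:// request
    for the site, i.e. what an injected HTTP iframe would receive.
    Only the Secure attribute prevents this; HttpOnly hides a cookie from
    scripts but not from the network."""
    return [c["name"]
            for c in map(parse_set_cookie, set_cookie_headers)
            if "secure" not in c]


def hsts_protected(response_headers: Dict[str, str]) -> bool:
    """True if Strict-Transport-Security carries a positive max-age.
    Once a browser has seen this header over HTTPS, it upgrades later
    http:// requests to that host before sending them, so an injected
    HTTP iframe never produces a cleartext request to intercept."""
    hsts = response_headers.get("Strict-Transport-Security", "")
    for directive in hsts.split(";"):
        key, sep, val = directive.strip().partition("=")
        if key.lower() == "max-age" and sep and val.strip().isdigit():
            return int(val) > 0
    return False


# Constructed sample response from a fictional site, for illustration only.
SAMPLE_SET_COOKIES = [
    "session=abc123; Path=/; HttpOnly",             # exposed: no Secure flag
    "csrftoken=xyz; Path=/; Secure; SameSite=Lax",  # not sent over HTTP
    "prefs=dark; Max-Age=31536000",                 # exposed
]
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    print("exposed cookies:", cookies_exposed_to_http(SAMPLE_SET_COOKIES))
    print("HSTS protects host:", hsts_protected(SAMPLE_HEADERS))
```

HSTS only takes effect after the browser has seen the header once over HTTPS (or the site is on the preload list), so a site the victim has never visited securely still gets no protection from it.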

Users who are concerned about possible attacks leveraging the PoisonTap tool are given this advice by Kamkar:

  • Close (not minimize) your browser every time you step away from your desk.

  • Set your computer to hibernate rather than sleep, so the computer wakes more slowly.

  • Or, on a more cheeky note, fill your USB ports with cement.

To learn more about Kamkar’s PoisonTap tool or to access the source code, visit https://samy.pl/poisontap/.
