PoisonTap Makes Raspberry Pi Zero Exploit Locked Computers

[Samy Kamkar], leet haxor extraordinaire, has taken a treasure trove of exploits and backdoors and turned it into a simple hardware device that hijacks all network traffic, enables remote access, and does it all while a machine is locked. It’s PoisonTap, and it’s based on the Raspberry Pi Zero for all that awesome tech blog cred we crave so much.

PoisonTap takes a Raspberry Pi Zero and configures it as a USB Gadget, emulating a network device. When this Pi-come-USB-to-Ethernet adapter is plugged into a computer (even a locked one), the computer sends out a DHCP request, and PoisonTap responds by telling the machine the entire IPv4 space is part of the Pi’s local network. All Internet traffic on the locked computer is then sent over PoisonTap, and if a browser is running on the locked computer, all requests are sent to this tiny exploit device.

With all network access going through PoisonTap, cookies are siphoned off, and the browser cache is poisoned with an exploit providing a WebSocket to the outside world. Even after PoisonTap is unplugged, an attacker can remotely send commands to the target computer and force the browser to execute JavaScript. From there, it’s all pretty much over.

Of course, any device designed to plug into a USB port and run a few exploits has a few limitations. PoisonTap only works if a browser is running. PoisonTap does not work on HTTPS cookies with the Secure cookie flag set. PoisonTap does not work if you have filled your USB ports with epoxy. There are a thousand limitations to PoisonTap, all of which probably don’t apply if you take PoisonTap into any office, plug it into a computer, and walk away. That is, after all, the point of this exploit.

As with all ub3r-1337 pen testing tools, we expect to see a version of PoisonTap for sale next August in the vendor area of DEF CON. Don’t buy it. A Raspberry Pi Zero costs $5, a USB OTG cable less than that, and all the code is available on Github. If you buy a device like PoisonTap, you are too technically illiterate to use it.

[Samy] has a demonstration of PoisonTap in the video below.

53 thoughts on “PoisonTap Makes Raspberry Pi Zero Exploit Locked Computers

    1. My linux machines (Ubuntu, Raspian) all happily auto-configure USB Wifi devices, so I don’t see why not. Whether they’re tricked by the same address range I’m not sure, but I would be willing to bet that they are.

    2. Networking over USB is pretty much plug-and-play on Linux. But if you care about security, you have a manually-configured firewall that blocks traffic from/to unknown interfaces, and the attack won’t work. Unless maybe poisontap is smart enough to spoof the MAC address of an existing interface.

      1. I almost immunized my Win10 _by accident_ thanks to paranoia about blocking W10 spying.

        >netsh advfirewall firewall show rule name=all

        Rule Name: Core Networking – Dynamic Host Configuration Protocol (DHCP-In)
        ———————————————————————-
        Enabled: Yes
        Direction: In
        Profiles: Domain,Private,Public
        Grouping: Core Networking
        LocalIP: Any
        RemoteIP: LocalSubnet
        Protocol: UDP
        LocalPort: 68
        RemotePort: 67
        Edge traversal: No
        Action: Allow

        Rule Name: Core Networking – Dynamic Host Configuration Protocol (DHCP-Out)
        ———————————————————————-
        Enabled: Yes
        Direction: Out
        Profiles: Domain,Private,Public
        Grouping: Core Networking
        LocalIP: Any
        RemoteIP: LocalSubnet
        Protocol: UDP
        LocalPort: 68
        RemotePort: 67
        Edge traversal: No
        Action: Allow

        Basically I only allow DHCP from LocalSubnet. Of course according to Microsoft LocalSubnet :
        “The keyword localsubnet, which includes all addresses that are on the local computer’s current subnet.”
        but how the hell does your computer know “local computer’s current subnet” BEFORE it receives its IP from DHCP server???
        Hmm, I think Ill just hardcode this to private subnet (192.168.0.0/16).

  1. “If you buy a device like PoisonTap, you are too technically illiterate to use it.”

    or you’re so 1337 that “ain’t nobody got time for that” cause you’re busy actually breaking things?

  2. *nervously checks to see if an unfamiliar cable and bare circuit board with flashing LEDs is attached to side of my laptop less than three inches left of the screen I’m looking directly at all the time*

    More seriously though, this is exactly the exploit you get with USB-C and the requirement to have a data connection into your computer if you want to charge it.

  3. Probably would work in a small company or one that would fail a security audit. Most companies with a professional security department would have by now setup company wide policies that disable the usb (beyond a keyboard or mouse) and cd rom. Mine has, the usb is only good to charging things and the cd is useless, a half dozen year ago that was not the case.

        1. The postIt Notes are in fact enforced by the IT security department :-) Because they mandate regular password changes. If they even enforce very different passwords every time, then there is nearly no other possibility.

          1. P@ssword1 (upper and lower case with a number and special character)

            P@ssword12 – after 1 month password policy change
            P@ssword123 – repeat to fade

            After six months the first password expires and can be reused.
            IT corporate security FTW.

          2. Even better than Dave’s is P@sswordMMYY (MMYY being the current month/year.) Change every 30 days and you’ll have unique passwords for the next 1200 changes (one catabase at my job won’t let me repeat any of the last 32 passwords and it has to be changed every 60 days.)

  4. Does anyone know how to run custom scripts when the PC is locked.

    One could defeat this by using a firewall rule to block the plug and play service on 127.0.0.1 when the PC was locked.

  5. If you can set up the computer to only connect to a known MAC address for network, the gadget would have to spoof the MAC – not perfect security but not bad. I do this on the router end; never tried it on the laptop/desktop. Can you do this?

    I also wonder how hard it would be to modify PoisonTap to use WiFi instead of Ethernet? You could use that to pwn devices that automatically connect to open WiFi. If you know the SSID that a computer automatically connects to, you could probably get it to connect at a different location; accept any password and you pwn the “secure” login. What would keep this from working?

    1. I got 7, all in use. All cost less than £5 as I brought them when buying other stuff and got free shipping. All I can say, don’t buy other priced ones. They are good but not that good,

  6. Am I missing something?

    I don’t see how you can route your network traffic through Poisontap. It would have to send the traffic back to the computer and have it route it to the real network since it has no other network connection. But a typical desktop doesn’t do IP routing/forwarding and even if, since local networks are prefered over the gateway and the device impersonates the whole Internet, no traffic will be sent to the gateway. You’d notice that pretty fast I think…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s