Poison Tap

Last modified by Justin Morgan on 2019/11/19 03:55

About

PoisonTap is built for the $5 Raspberry Pi Zero without any additional components other than a micro-USB cable & microSD card, or can work on any Raspberry Pi (1/2/3) with an Ethernet-to-USB/Thunderbolt dongle, or can work on other devices that can emulate USB gadgets such as USB Armory and LAN Turtle.

When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer, it:

  • emulates an Ethernet device over USB (or Thunderbolt)
  • hijacks all Internet traffic from the machine (despite being a low priority/unknown network interface)
  • siphons and stores HTTP cookies and sessions from the web browser for the Alexa top 1,000,000 websites
  • exposes the internal router to the attacker, making it accessible remotely via outbound WebSocket and DNS rebinding (thanks Matt Austin for rebinding idea!)
  • installs a persistent web-based backdoor in the HTTP cache for hundreds of thousands of domains and common JavaScript CDN URLs, all with access to the user’s cookies via cache poisoning
  • allows the attacker to remotely force the user to make HTTP requests (GET & POST) and proxy back the responses with the user’s cookies on any backdoored domain
  • does not require the machine to be unlocked
  • backdoors and remote access persist even after the device is removed and the attacker sashays away

PoisonTap evades the following security mechanisms:

  • Password Protected Lock Screens
  • Routing Table priority and network interface Service Order
  • Same-Origin Policy
  • X-Frame-Options
  • HttpOnly Cookies
  • SameSite cookie attribute
  • Two-Factor/Multi-Factor Authentication (2FA/MFA)
  • DNS Pinning
  • Cross-Origin Resource Sharing (CORS)
  • HTTPS cookie protection when the Secure cookie flag and HSTS are not enabled

More info: https://samy.pl/poisontap/
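
The last item above is the one a site operator can act on directly: cookies without the Secure flag are sent over plain HTTP as well as HTTPS, and without HSTS the browser will make that plain-HTTP request in the first place. The following audit is an added example written for this page; it is not part of PoisonTap or of samy.pl, and it takes a constructed list of raw response header lines rather than fetching anything. The one-year max-age floor is an assumed policy value, not something the page states.

```python
import re

# Constructed sample responses for illustration; not captured from any real site.
GOOD_HEADERS = [
    "HTTP/1.1 200 OK",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]
WEAK_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=abc123; Path=/",
    "Set-Cookie: tracker=xyz; Path=/; SameSite=None",
]

# Assumed policy floor: one year, the value preload lists require.
MIN_HSTS_MAX_AGE = 31536000


def parse_cookie(header_value):
    """Split a Set-Cookie value into (name, {attribute: value-or-True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # bare flags such as Secure / HttpOnly
    return name, attrs


def parse_hsts(header_value):
    """Return the max-age directive as an int, or None if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", header_value, re.I)
    return int(match.group(1)) if match else None


def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts_max_age = None
    saw_hsts = False
    for line in headers:
        if ":" not in line:
            continue  # status line or malformed header
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "strict-transport-security":
            saw_hsts = True
            hsts_max_age = parse_hsts(value)
        elif key == "set-cookie":
            name, attrs = parse_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: missing Secure (also sent over plain HTTP)")
            if "httponly" not in attrs:
                findings.append(f"cookie {name}: missing HttpOnly (readable from script)")
            samesite = attrs.get("samesite")
            if not isinstance(samesite, str):
                findings.append(f"cookie {name}: SameSite not set")
            elif samesite.lower() == "none":
                findings.append(f"cookie {name}: SameSite=None gives no cross-site protection")
    if not saw_hsts:
        findings.append("no HSTS header: browser may still request this host over plain HTTP")
    elif hsts_max_age is None or hsts_max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    for label, headers in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, audit(headers) or "OK")
```

Run it against the headers a real deployment returns (for example, the output of `curl -sI https://example.invalid`, split on newlines) to see which of the protections in the list above are actually in place. A cookie that passes all three checks is never sent in clear and cannot be read from injected script, which removes the two properties that the cookie-siphoning step depends on.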

Guide