Software Integrity Blog


‘PoisonTap’ steals network passwords

A new exploit tool requires only 30 seconds to install a privacy-invading backdoor on a previously locked computer.

Dubbed “PoisonTap,” the exploit can be run from a Raspberry Pi Zero device plugged into any USB port. From there, it intercepts all unencrypted Web traffic. In particular, PoisonTap captures any authentication cookies being used to log in to private accounts and then sends that data to a server under the attacker’s control. A backdoor installed on the computer (even one that has been locked with a strong password) allows the owner’s Web browser and local network to be remotely controlled by the attacker.

PoisonTap is the work of Samy Kamkar, who last year unveiled RollJam, a wireless way to open electronic locks on automobiles.

Kamkar told Ars Technica, “The primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily. Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the ‘secure’ flag on the cookie can also be siphoned.”

