{
	"id": "2f45a451-cba6-4397-93b0-9aaf3ba742b9",
	"created_at": "2026-04-06T03:37:56.69841Z",
	"updated_at": "2026-04-10T03:22:11.132477Z",
	"deleted_at": null,
	"sha1_hash": "59da826127e8ec9d0aa34f1691b53909f2cbbea2",
	"title": "Meet PoisonTap, the $5 tool that ransacks password-protected computers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 589137,
	"plain_text": "Meet PoisonTap, the $5 tool that ransacks password-protected computers\r\nBy Dan Goodin\r\nPublished: 2016-11-16 · Archived: 2026-04-06 03:31:05 UTC\r\nThe perils of leaving computers unattended are about to get worse.\r\nhttp://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/\r\nPage 1 of 7\n\nCredit: Samy Kamkar\r\nThe perils of leaving computers unattended just got worse, thanks to a newly released exploit tool that takes only 30 seconds to install a privacy-invading backdoor, even when the machine is locked with a strong password. PoisonTap, as the tool has been dubbed, runs freely available software on a $5/£4 Raspberry Pi Zero device. Once the payment card-sized computer is plugged into a computer’s USB slot, it intercepts all unencrypted Web traffic, including any authentication cookies used to log in to private accounts. PoisonTap then sends that data to a server under the attacker’s control. The hack also installs a backdoor that makes the owner’s Web browser and local network remotely controllable by the attacker.\r\nCredit: Samy Kamkar\r\nPoisonTap is the latest creation of Samy Kamkar, the engineer behind a long line of low-cost hacks, including a password-pilfering keylogger disguised as a USB charger, a key-sized dongle that jimmies open electronically locked cars and garages, and a DIY stalker app that mined Google Streetview. While inspiring for their creativity and elegance, Kamkar’s inventions also underscore the security and privacy tradeoffs that arise from an increasingly computerized world. PoisonTap continues this cautionary theme by challenging the practice of password-protecting an unattended computer rather than shutting it off or, a safer bet still, toting it to the restroom or lunch room.\r\nKamkar told Ars:\r\nThe primary motivation is to demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily. Existing non-HTTPS website credentials can be stolen, and, in fact, cookies from HTTPS sites that did not properly set the ‘secure’ flag on the cookie can also be siphoned.\r\nUnsecured home or office routers are similarly at risk. Kamkar has published the PoisonTap source code and additional technical details here and has also released the following video demonstration:\r\nPoisonTap – exploiting locked machines w/ Raspberry Pi Zero.\r\nOnce the device is inserted in a locked Mac or PC (Kamkar said he hasn’t tested PoisonTap on a Linux machine), it surreptitiously poisons the browser cache with malicious code that lives on well after the tool is removed. That makes the hack ideal for infecting computers while they are only briefly unattended. Here’s how it works.\r\nOnce the PoisonTap software is installed, the Raspberry Pi device becomes a miniature Linux computer that presents itself as an Ethernet network. Like a router, it’s responsible for allocating IP addresses for the local network through the dynamic host configuration protocol. In the process, the device becomes the gateway for sending and receiving traffic flowing over the local network. In this sense, PoisonTap is similar to a USB exploit tool demonstrated in September that stole login credentials from locked PCs and Macs.\r\nThrough a clever hack, however, PoisonTap is able to become the gateway for all Internet traffic as well. It does this by defining the local network to include the entire IPv4 address space. With that, the device has the ability to monitor and control all unencrypted traffic the locked computer sends or receives over its network connection.\r\nPoisonTap then searches the locked computer for a Web browser running in the background with an open page. When it finds one, the device injects HTML iframe tags into the page that connect to the top 1 million sites ranked by Alexa. Because PoisonTap masquerades as the HTTP server for each site, the hack is able to receive, store, and upload any non-encrypted authentication cookies the computer uses to log in to any of those sites.\r\nGiven its highly privileged man-in-the-middle position, PoisonTap can also install backdoors that make both the Web browser and connected router remotely accessible to the attacker. To expose the browser, the hack leaves a combination of HTML and JavaScript in the browser cache that produces a persistent WebSocket. PoisonTap uses what’s known as a DNS rebinding attack to give remote access to a router.\r\nThat means attackers can use PoisonTap to remotely access a browser as it connects to a website or to gain administrative control over the connected router. Attackers still must overcome any password protections safeguarding an exposed router. But given the large number of unpatched authentication bypass vulnerabilities or default credentials that are never changed, such protections often don’t pose much of an obstacle.\r\nPoisonTap challenges a tradition that can be found in almost any home or office—the age-old practice of briefly leaving a locked computer unattended. And for that reason, the ease and thoroughness of the hack may be understandably unsettling for some people. Still, several safeguards can significantly lower the threat posed by the hack. The first is to, whenever possible, use sites that are protected by HTTPS encryption and the transmission of secure cookies to prevent log-in credentials from being intercepted. A measure known as HTTP Strict Transport Security is better still, because it prevents attack techniques that attempt to downgrade HTTPS connections to unsecured HTTP.\r\nAs a result, neither Google nor Facebook pages can be triggered by computers infected by PoisonTap. Sadly, multi-factor authentication isn’t likely to provide much protection because it generally isn’t triggered by credentials provided in authentication cookies.\r\nEnd users, meanwhile, should at a minimum close their browsers before locking their computer or, if they’re on a Mac, be sure to enable FileVault2 and put their machine to sleep before walking away, since browsers are unable to make requests in such cases. Regularly flushing browser caches is also a sound, albeit imperfect, measure. For the truly paranoid, it may make more sense to simply bring laptops along or to turn off machines altogether.\r\nListing image: Samy Kamkar\r\nDan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.\r\nSource: http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/"
	],
	"report_names": [
		"meet-poisontap-the-5-tool-that-ransacks-password-protected-computers"
	],
	"threat_actors": [],
	"ts_created_at": 1775446676,
	"ts_updated_at": 1775791331,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59da826127e8ec9d0aa34f1691b53909f2cbbea2.pdf",
		"text": "https://archive.orkl.eu/59da826127e8ec9d0aa34f1691b53909f2cbbea2.txt",
		"img": "https://archive.orkl.eu/59da826127e8ec9d0aa34f1691b53909f2cbbea2.jpg"
	}
}