Originally published at: http://boingboing.net/2016/11/16/beyond-bad-usb-poisontap-take.html
…
As always, if someone has physical access to your machine, they have most of what they need to pwn it.
As the 10 Immutable Laws of Security state:
Now if you could plug this into a sleeping computer and get data from some other computer, that would be an interesting exploit. As it stands, any exploit that requires physical access to a machine is going to be a non-starter 99% of the time.
Even this may not be a defense. The device could act as a MITM proxy (granted you’d need to trust its certificate to begin with, but this isn’t an impossible hurdle to overcome) and you’d never know it’s seeing everything you’re doing in the clear.
Also, if you leave your computer (or let it out of your sight), TURN IT OFF unless you have a good reason.
Is laziness a good reason?
For many things in life!
This is especially ugly because at sub-$10 for the hardware, it is fire-and-forget - you need not retrieve the hardware, making it that much easier to perform this (initially) undetected.
This could really wreak havoc in a typically insecure office environment.
Samy is my hero
If you watch the video, once it does its thing, you can walk away with the pi zero. It doesn’t need to stay plugged in.
Presumably, the computer belonging to the person most likely to have one or more HTTP admin consoles active is the one you want to choose if you are looking to plug the device into a sleeping computer and get data from some other computers.
Sure, some Keepers Of The Old Ways use SSH for everything, and some vendors who deserve perdition use abhorrent proprietary management tools for everything; but a lot of very, very, valuable targets have web based administration; and would be vulnerable to the same attacks used here.
You would, presumably, need to tailor the website list to reflect the target’s internal network, the interface conventions of their vendors, etc. rather than the list of popular-on-Alexa; but that information is considerably less sensitive than actual access to those devices.
Unfortunately for most people this is not a practical option. Shutting down my workstation every time I leave my desk would be insane. May as well reformat my hard drive every morning too.
But I don’t see why it’s important for this hack to run on an unattended PC. Couldn’t the same damage be done at any point once the USB device is connected?
It doesn’t need to be unattended but most of us don’t let people plug things into our USB ports while we watch.
My laptop is always in sight, alone in my private office (I am lucky enough to work from home) or off.
I guess the scenario I’m envisioning is someone connecting a device while the computer is shut down (and you’re not around) and the next time you start it up it goes to work. As long as it’s connected inconspicuously it seems to me that this would be just as effective as getting access to a locked computer.
Well, sure - but the point is you don’t have to. It is cheap enough to abandon if you want/need to. That means the attack could happen in seconds, and there is no need to recover the device (and so increase risk getting caught).
Sure but in an ideal scenario, people don’t know that they’ve been owned. If they find something hanging out of their USB port, they’re going to know something is up and might just pave their system.
Of course, but - the damage is done, they have a lot more to do than wipe and reinstall. I know when I run a site and use session cookies, they point to a db that encodes the source IP (among other things), but I will bet money that’s not universal. I would also bet that the VAST majority of people who find an unidentified USB dongle will, at best, unplug it and wonder. Heh - if you wanted to be tricky, just embed this in an old mouse. Eep.
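The source-IP binding mentioned in the comment above, as an added illustration rather than code from the thread or from PoisonTap: a minimal server-side session store (all names are hypothetical) that records the client address at login, refuses and revokes a session token that is replayed from a different address, and keeps only a hash of the token in the store so a database dump does not hand out live sessions.

```python
import hashlib
import hmac
import secrets
import time

class SessionStore:
    """Server-side sessions bound to the client IP seen at login (hypothetical helper)."""

    def __init__(self):
        # token hash -> record; the raw token lives only in the client's cookie
        self._db = {}
        self.alerts = []  # replay attempts a defender would want logged

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user, client_ip):
        token = secrets.token_urlsafe(32)
        self._db[self._key(token)] = {"user": user, "ip": client_ip, "issued": time.time()}
        return token  # value to place in the session cookie

    def resolve(self, token, client_ip):
        """Return the user for a presented cookie, or None if it is unknown or replayed."""
        rec = self._db.get(self._key(token))
        if rec is None:
            return None
        # A harvested cookie presented from another address is treated as theft:
        # revoke the session so the legitimate owner is forced to log in again.
        if not hmac.compare_digest(rec["ip"].encode(), client_ip.encode()):
            self._db.pop(self._key(token))
            self.alerts.append({"user": rec["user"], "bound_ip": rec["ip"], "seen_from": client_ip})
            return None
        return rec["user"]

def demo():
    # Constructed scenario: login from the victim's desk, cookie replayed from elsewhere.
    store = SessionStore()
    cookie = store.create("alice", "10.0.0.5")
    first = store.resolve(cookie, "10.0.0.5")      # legitimate use
    replay = store.resolve(cookie, "203.0.113.7")  # harvested cookie, other address
    after = store.resolve(cookie, "10.0.0.5")      # session has been revoked
    return first, replay, after, len(store.alerts)
```

Binding to IP breaks for users behind changing NAT or on mobile networks, so real deployments usually pair it with a short session lifetime and re-authentication for sensitive actions rather than relying on it alone.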
Switch them off!
This is where Mac addicts say, get a Mac?
Well, his sample attack was on a Macbook…