PoisonTap - exploiting locked machines w/Raspberry Pi Zero

  • Published on Nov 16, 2016
  • PoisonTap - siphons cookies, exposes internal router & installs web backdoor (reverse tunnel) on locked/password protected computers with a $5 Raspberry Pi Zero and Node.js. samy.pl/poisontap/
    By Samy Kamkar
    Full details and source code at samy.pl/poisontap/
    Buy a Raspberry Pi Zero here: amzn.to/2eMr2WY
    Buy cement for your USB ports here: amzn.to/2fX0I1e
    When PoisonTap (Raspberry Pi Zero & Node.js) is plugged into a locked/password protected computer (Windows, OS X or Linux), it:
    - emulates an Ethernet device over USB (or Thunderbolt)
    - takes over all Internet traffic from the machine (despite being a low priority network interface)
    - siphons and stores HTTP cookies from the web browser for the Alexa top 1,000,000 websites
    - exposes the internal router to the attacker, making it accessible remotely
    - installs a persistent web-based backdoor in HTTP cache for hundreds of thousands of domains and common Javascript CDN URLs, all with access to the user’s cookies
    - allows attacker to remotely force the user to make HTTP requests and proxy back responses (GET & POSTs) with the user’s cookies on any backdoored domain
    - does not require the machine to be unlocked
    - backdoors and remote access persist even after device removal
    Music by Epoch Rises: soundcloud.com/epochrises
    Intro graphics by Darin Leach: goo.gl/HDKRFG
  • Science & TechnologyScience & Technology

Comments • 881

  • Jergus N
    Jergus N 15 days ago

    I understand how you get the poison tap onto the pi but what happens when you plug it into your computer to try to reprogram it. What if you have poison tap on it and you want to change the code on it. How do you do this. Do you just remove the SD card because if you plug it into your pc to reprogram it then it will create a backdoor onto your own pc. If someone could help me I would appreciate it.

  • CoolKoon
    CoolKoon Month ago

    Back in 2016 this seemed like a pretty sweet concept and a very promising product. Unfortunately the GitHub repo's stale, it's pretty obvious that no bugfixes have been made since the release of this video and this channel itself went dead as well. So sad.

    • Samy Kamkar
      Samy Kamkar  Month ago

      @CoolKoon I suspect that's the point of github -- users who are interested can fork, modify, submit pull requests, and openly communicate. I'm always happy to accept pull requests. However I personally switch around to different projects and don't focus on one thing (and I make everything freely available for others to do as they please)

    • CoolKoon
      CoolKoon Month ago

      @Samy Kamkar That's great, but doesn't the concept of "open source" imply that a community gets developed around the code and hardware?

    • Samy Kamkar
      Samy Kamkar  Month ago

      It's an open source project and I'm happy to accept pull requests.

  • Sean Miller
    Sean Miller Month ago

    This dude is dangerous! I respect that you got the balls to put this type of stuff on youtube.

  • Cove
    Cove 3 months ago

    You're unironically my hero.

  • Google User
    Google User 4 months ago

    I feel scared just watching your videos in case you're exploiting through RU-clip LOL. Thanks for your videos, you inspire me to learn more

  • CoolTops
    CoolTops 5 months ago


  • WarriorCatsSquirrelFlight

    i heard you took down myspace accidentially once must have been.. bad

  • Katrina Brinson
    Katrina Brinson 9 months ago

    Incredible. According to your site.. this works on all operating systems correct? Windows/Linux/OS X

  • P
    P 9 months ago

    You can disable USB ports with software and/or in firmware.
    Software security can never be fully trusted. (Especially not in Windows.)
    Firmware lockouts seem to work perfectly on some machines. But other machines still automatically provide USB power, some also automatically permit USB device enumeration, on at least some USB ports. Specific motherboard models (or firmware/BIOS versions) have different implementations and it's not a technical fault any OEM ever admits or advertises.
    I've never specifically tested against PoisonTap attacks - can't wait to build one and wreak some havoc! - although I have secured many machines vs unauthorized USB access.
    If security is a priority then never assume and never trust the manufacturer, always test and confirm/deny actual results for yourself.

  • Aayush Khandelwal
    Aayush Khandelwal 9 months ago

    y dont u restart

  • dbmaster46446
    dbmaster46446 9 months ago

    there are so many cookies of porn sites :'D

  • bahhaziz
    bahhaziz 9 months ago

    This guy disappeared 🤔

  • bbrun
    bbrun 9 months ago

    Apple store here i come

  • Jul Jul
    Jul Jul 10 months ago

    Ladies and gentlemen ,

    *_We got him_*

  • Daryl B
    Daryl B 10 months ago +1

    What happened to you?

  • Idaho
    Idaho 10 months ago

    Nice .../alexa-static/top-1m.csv.zip :-D

  • Rif_Zild
    Rif_Zild 11 months ago

    U still are my hero!!!!!

  • KryoTronic
    KryoTronic 11 months ago

    Just came here cause I saw you on Wired and they did u a disservice

  • RUHS Videos
    RUHS Videos Year ago

    Samy is my hero

  • Nathan Kellert
    Nathan Kellert Year ago

    Wow! So dude came out with this video and then never released another video. Coincidence?

  • Nevermind
    Nevermind Year ago +1

    I miss you Samy ;_;

  • MrLaser
    MrLaser Year ago +1

    Hahah so my professor used your video on "hacking" a lock, and showed it on my university

  • Shafiq Ahmadzai
    Shafiq Ahmadzai Year ago

    Does poison tap​ work on the raspberry pi 3 b+

  • Antonio Carniero
    Antonio Carniero Year ago

    Your my hero

    BLCK HAT Year ago

    Samy I'm truly a fan off the work you do and the amount of dedication and discipline you have put into all of your projects recently two years ago I got into cyber security and became very interested in it and would love to learn what you know please if you can message me or get ahold of me I would very much appreciate it ! Have a great day and looking forward to learning with you. 702 200 5895 my name is kuya

  • Prince Dreddly
    Prince Dreddly Year ago

    please don't steal me cookies

  • dropn loads
    dropn loads Year ago

    Wtf is he talking about

  • Suharto Gutur
    Suharto Gutur Year ago

    *cementing ports*

  • TheServerfreak
    TheServerfreak Year ago

    i'm using usbguard.github.io/ ... should solve it

    TAUZER Year ago

    Can you teach hacking from beginning as nobody on RU-clip is teaching it

  • hubertwouts
    hubertwouts Year ago

    nice vid got some more comming ?

  • Tonio
    Tonio Year ago

    Basically it's like a kid that steals all your cookies. oh god

  • Jkl Alskjdjhg
    Jkl Alskjdjhg Year ago

    You should do beginner videos

  • Kevin Mayo
    Kevin Mayo Year ago +1

    @sammy will you be my Myspace friend

  • The Dorito
    The Dorito Year ago +3

    Your life must be like Watchdogs the game, and Jason Bourne combined.

  • Kamilione
    Kamilione Year ago

    Easy way to restore access when you forget your password ;-)

  • Zes
    Zes Year ago

    wrg, no cemenx or enjoyx or not, tw just a toolx, nonerx

  • Olf Mombach
    Olf Mombach Year ago

    Wow so it doesn't work for https sites, as always. That means it doesn't work for almost all major sites.

    • Samy Kamkar
      Samy Kamkar  Year ago +1

      Often an oversight or users just didn't know about it. Additionally, most sites stated out as HTTP, so when someone adds HTTPS, they don't necessarily think of all the other areas that need to be accounted for. Security is difficult; it's not easy to lock everything down as there are so many possible ways in!

    • Olf Mombach
      Olf Mombach Year ago

      Samy Kamkar
      That's interesting and counter-intuitive. I also wonder why one would not just set the SecureOnly flag to true for cookies if you have SSL activated anyways?

    • Samy Kamkar
      Samy Kamkar  Year ago +1

      Fortunately the web has come a long way since two years ago (when this was released). Interestingly, however, many sites are still affected by this as though the site itself strictly uses HTTPS, the cookies themselves are not always set with the 'secure' flag, thus they will be transmitted to an HTTP site of the same domain, hence PoisonTap continues to work unfortunately.

  • Michael Rupp
    Michael Rupp Year ago

    I feel butt-hurt watching this.

  • David W. Smith
    David W. Smith Year ago

    Can you disable macs or PCs from auto-running on insert from USB or other devices in the PCI chain?
    Seems that would be a useful setting -- disable auto-run?
    Came here from your Veritasium video exposure.

  • wheat_blazer
    wheat_blazer Year ago

    but if you (poisonTab) establish a connection to the webserver, and it responds to you why can't it intercept https connections? i mean poisontab itself could also perform a RSA_ECDHE operation? or am i missing something here?

    • Samy Kamkar
      Samy Kamkar  Year ago +1

      While you could perform a TLS man-in-the-middle, modern browsers will vehemently warn the user that something is awry due to the cert generated by PoisonTap not being signed by a trusted CA (Central Authority). Your browser contains public keys for various CAs it trusts (e.g. Verisign, Symantec, and the Government of Hong Kong, to name a few) and will only trust certs signed by those trusted CAs. Take a look at PKI and browser CAs to learn more.

  • Lee Quintanilla
    Lee Quintanilla Year ago

    Samy Kamkar it is possible to locate in the apa by MAC I stole my tablet and I saw your page that google alter its system to disable it and if you save it even if you do not share it or you could locate it I will give you the MAC grasias

  • Matescium
    Matescium Year ago

    Nice video.

  • shozab haxor
    shozab haxor Year ago

    Did you written code by all yourself~??

  • No_ U
    No_ U Year ago

    Will work with 3.0

  • rollo
    rollo Year ago

    what linux distro shut i use

  • Sandy G
    Sandy G Year ago

    Samy do a video on pwnat....explaining how it works. Please!!!

  • Zachary Pines
    Zachary Pines Year ago

    Where is he now? Does anyone know why he left again?

  • darkdancerman
    darkdancerman Year ago

    but did he die?

  • Unmask life
    Unmask life Year ago

    Hello Samy!! i need to contact you urgently! please give me your email! i tried to find your email in your website but for any reason it doesnt show it!! i purchased today 2 of your magspoof and i have couple questions that i really need your answer! please write me your email here to communicate with you! thank you Master!

  • Borneagain
    Borneagain Year ago

    Has this been updated?

  • Brandon Gonzalez
    Brandon Gonzalez Year ago

    How can you be so smart

  • Cooper Lyle
    Cooper Lyle Year ago

    Does it work on raspberry pi 0 w?

  • ramanan ram
    ramanan ram Year ago

    Super ☺☺☺😢😢👍👍👌👌👌👌👌👌👌👌👌👌👌👌

  • Master Of Dizaster
    Master Of Dizaster Year ago +3

    What is the intro song?

  • Ništ Zaujímavé

    Working on locked Windows ?

  • Mike Hamilton
    Mike Hamilton Year ago

    The video would be much easier to watch if you turned the music down to your vocal level or lower. Or simply left it out altogether. It doesn't really help in making your points anyway. But it is distracting from your points.
    Otherwise, this was very interesting stuff. Thank you.

    • Samy Kamkar
      Samy Kamkar  Year ago

      Thanks for the note; I'll reduce it further or remove it in future vids.

  • SS
    SS Year ago

    when is your crytocurrency trading bot going public??

  • Whet Faartz
    Whet Faartz Year ago +2

    I fucking saw redtube on the cookies XD 2:33 or someowhere up LOL

  • bahhaziz
    bahhaziz Year ago +1

    Hi Samy, what happened, you stopped making videos? I missed your hacking tricks...