It can redirect any unencrypted Internet traffic using only some code and a $5 Raspberry Pi Zero.
A sleeping Mac or PC, even if it’s password protected, is no match for the Internet-hijacking PoisonTap.
Polish security blogger Samy Kamkar created the Raspberry Pi-based device, which a hacker could theoretically plug into the USB port of a sleeping computer to intercept all unencrypted Web traffic and send the data to his or her own server.
The technique relies on a browser loophole: even if your computer is asleep, Kamkar explains, any open browser window displaying a non-secure HTTP Web page will continue to send and receive data.
“As long as a Web browser is running in the background, it is likely one of the open pages will perform an HTTP request in the background (for example to load a new ad, send data to an analytics platform, or simply continue to track your web movements),” Kamkar writes in a blog post.
A $5 Raspberry Pi Zero loaded with PoisonTap then tricks the computer into recognizing the device as a new Ethernet connection, which allows PoisonTap to route all traffic to the hacker’s server.
The major caveat, of course, is encryption. PoisonTap only works if the site isn’t using HTTPS, the Internet’s standard encryption protocol. Many mainstream commercial websites have adopted HTTPS.
Even Netflix, which accounts for more than 30 percent of all North American Internet traffic, figured out a way to encrypt its video streams without affecting their quality.
So Kamkar’s PoisonTap is simply the latest reason why the entire Internet should be encrypted—indeed, Google’s Chrome browser will soon display warnings when you visit any site that isn’t. Kamkar notes that turning on whole-disk encryption, such as Apple’s FileVault, can also thwart PoisonTap.
“Going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up,” he writes.