Giters

samyk / poisontap

Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.

Home Page:https://samy.pl/poisontap/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Defense against PoisonTap

Lvl4Sword opened this issue · comments

commented

What are some defenses against PoisonTap?

commented

Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

  • Use HTTPS exclusively, at the very least for authentication and authenticated content
  • Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
  • Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
  • When loading remote Javascript resources, use the Subresource Integrity script tag attribute
  • Use HSTS to prevent HTTPS downgrade attacks

Desktop Security

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up

Reference: https://samy.pl/poisontap/