Defeating PoisonTap (and Other Dirty Tricks) with Beamgun

Late last year, a neat little device called PoisonTap surfaced. With it, anyone can easily steal passwords, credit card numbers and other sensitive data from any computer - even when it’s locked. But hot on the heels of PoisonTap came its antidote: Beamgun.

PoisonTap takes advantage of Windows’ and OS X’ inherit trust in devices connecting to USB and Thunderbolt ports. A lot of different devices can be connected to these ports. Keyboards, mice, printers, scanners, storage devices, and network cards. Just to name a few. Both Windows and OS X will happily activate whatever device is connected without asking the user if it’s OK. Even if the computer is locked. Because if someone has physical access to the computer, they always have good intentions. Right? Wrong. It’s a terrible assumption to make, and one PosionTap takes advantage of. A better assumption is that everyone who has access to a computer has malicious intentions.

When connected to a USB or Thunderbolt port, PoisonTap quickly registers itself as a network card, and effectively becomes a man-in-the-middle (MitM) on the computer. As a MitM, PosionTap can intercept all inbound and outbound network traffic.

Set Beamguns to “stun”1

It seems neither Microsoft nor Apples take physical security very seriously. Thankfully, developer Josh Lospinoso decided to take matters into his own hands. He created Beamgun, a small utility that can give at least Windows user a little peace of mind.

When installed on a Windows computer, Beamgun will try to intercept potentially malicious devices that are connected. If a USB Ethernet device is connected, Beamgun will continuously disable it until it’s told otherwise. This will prevent PoisonTap from initializing correctly, effectively stopping the attack.

As an added bonus, Beamgun defends against other USB attacks as well. It can be used against similar devices, like the LAN Turtle. It will also try to defeat Rubber Duckies. A USB Rubber Ducky uses the same attack vector as PoisonTap. But instead of acting as an Ethernet device, it registers as a USB keyboard and starts running commands. Which can also be really, really pesky.

So if you haven’t filled your USB ports with military grade cement yet, perhaps now is the time to install Beamgun?

  1. Yeah, I know it’s supposed to be “phasers”. ↩︎


Do you have any thoughts you want to share? A question, maybe? Or is something in this post just plainly wrong? Then please send an e-mail to vegard at vegard dot net with your input. You can also use any of the other points of contact listed on the About page.


It looks like you're using Google's Chrome browser, which records everything you do on the internet. Personally identifiable and sensitive information about you is then sold to the highest bidder, making you a part of surveillance capitalism.

The Contra Chrome comic explains why this is bad, and why you should use another browser.