
Defense against PoisonTap #144

Open
Lvl4Sword opened this issue Mar 30, 2019 · 1 comment

Comments

@Lvl4Sword

What are some defenses against PoisonTap?

@Greenwolf

Greenwolf commented Mar 10, 2020

Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

  • Use HTTPS exclusively, at the very least for authentication and authenticated content
  • Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user from being tricked into providing credentials or other PII over HTTP
  • Ensure the Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
  • When loading remote JavaScript resources, use the Subresource Integrity script tag attribute
  • Use HSTS to prevent HTTPS downgrade attacks

Desktop Security

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB/Thunderbolt ports is also effective, though also impractical
  • Locking your computer has no effect, as the network and USB stacks operate while the machine is locked. However, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues, as your browser will no longer make requests, even if woken up

Reference: https://samy.pl/poisontap/
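As an added example (not part of this thread or of the project), the following Python checker audits captured HTTP responses for the four server-side mitigations listed above: an HTTP-to-HTTPS redirect, the Secure flag on cookies, an HSTS header, and the integrity attribute on remote scripts. The sample responses at the bottom are constructed, the hostnames are placeholders, and the SRI hash value is a labelled placeholder rather than a real digest.

```python
# Added example: offline audit of HTTP responses for the PoisonTap
# mitigations discussed in the thread. Not the project's own code.
import re

# Matches only the opening <script ...> tag so attributes can be inspected.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def _cookie_attrs(set_cookie):
    """Return the lowercased attribute names of one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, or None."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_response(scheme, status, headers, body=""):
    """Return a list of findings for one response.

    scheme  -- 'http' or 'https': the scheme the request was made over
    status  -- integer HTTP status code
    headers -- list of (name, value) pairs; Set-Cookie may repeat
    body    -- optional HTML, checked for remote <script src> without SRI
    """
    findings = []
    hdrs = [(n.lower(), v) for n, v in headers]

    def get(name):
        return [v for n, v in hdrs if n == name]

    if scheme == "http":
        # Plain-HTTP requests must only ever be answered with a redirect
        # to HTTPS; anything else is content PoisonTap can tamper with.
        location = get("location")
        redirected = (status in (301, 302, 307, 308) and location
                      and location[0].lower().startswith("https://"))
        if not redirected:
            findings.append("http: served content instead of redirecting to https")
        if get("set-cookie"):
            findings.append("http: cookies set over plain HTTP")
    else:
        hsts = get("strict-transport-security")
        if not hsts:
            findings.append("https: missing Strict-Transport-Security header")
        elif not _hsts_max_age(hsts[0]):
            findings.append("https: HSTS header has no positive max-age")

    # Without the Secure flag the browser sends the cookie on the HTTP
    # requests PoisonTap provokes, which is the leak the thread describes.
    for sc in get("set-cookie"):
        name = sc.split("=", 1)[0].strip()
        if "secure" not in _cookie_attrs(sc):
            findings.append("cookie %r lacks the Secure flag" % name)

    # Remote scripts need an integrity attribute so a cached, tampered
    # copy is rejected by the browser.
    for tag in SCRIPT_TAG.findall(body):
        src = SRC_ATTR.search(tag)
        if not src:
            continue
        url = src.group(1)
        if url.startswith(("http://", "https://", "//")) and "integrity=" not in tag.lower():
            findings.append("remote script %s loaded without integrity attribute" % url)
    return findings


# Constructed sample responses (placeholder hosts; not captured traffic).
WEAK_HTTP = ("http", 200,
             [("Content-Type", "text/html"),
              ("Set-Cookie", "session=abc123; Path=/")],
             '<html><script src="http://cdn.example/app.js"></script></html>')

HARDENED_HTTP = ("http", 301, [("Location", "https://example.test/")], "")

HARDENED_HTTPS = ("https", 200,
                  [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                   ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")],
                  '<html><script src="https://cdn.example/app.js" '
                  'integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous">'
                  '</script></html>')

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_HTTP), ("hardened http", HARDENED_HTTP),
                        ("hardened https", HARDENED_HTTPS)):
        print(label, "->", audit_response(*resp) or "no findings")
```

The weak sample produces four findings (no redirect, cookie set over HTTP, cookie without Secure, script without SRI); both hardened samples produce none. To use it on real traffic, feed it the status, header pairs and body from a captured response for each of the HTTP and HTTPS endpoints.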
