After reading this article, you’ll think twice about going out to lunch while leaving your computer unattended at the office. Thanks to a new tool that makes it effortless for hackers to log onto websites posing as you, getting access to your network router, and launching other attacks, you might not want to look this one over.
The new $5 device known as PoisonTap, created by hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background.
All a hacker has to do is plug in the device and be patient. The worst part? It takes one minute, and basically, other than plugging it in and removing it, no other skills are required.
Built on a Raspberry Pi Zero microcomputer, once PoisonTap is plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. If that’s not alarming enough, after the device is positioned, it can steal the victim’s cookies, as long as they come from websites that don’t use HTTPS web encryption, according to Kamkar.
“I, as the attacker, can get onto the Raspberry Pi and get on your cookies, and log into the same websites as if I’m you,” Kamkar told Motherboard. “And I don’t need any password and I don’t need any username.”
Security experts that reviewed Kamkar’s research for Motherboard agreed that this is a novel attack, and a good way to expose the trust that Mac and Windows computers have in network devices. But that’s the key of PoisonTap’s attacks — once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.
Although this isn’t an attack everyone should worry about, it’s a reminder that if a hacker has physical access to your computer, there’s no turning back. But not all hope is lost. To prevent someone from hijacking your accounts with PoisonTap, the best solution, according to Kamkar, is to “fill your USB ports with cement.” In other words: be very careful with your personal information.
Joking aside, one solution is to completely shut down your computer when you walk away from it, or at lease close your browser, since PoisonTap needs to piggyback on it in order to work. At the network level, websites that use HTTPS are immune to such a hack — another reason why the entire internet should be encrypted.
Learn more about Electronic Products Magazine