It takes less than a minute for a credit card-sized device to install a backdoor to your computer’s web browser and local network, allowing hackers to control your device remotely.
Dubbed PoisonTap, the tool runs on a $5 device: the Raspberry Pi Zero. Once plugged into a computer’s USB port, PoisonTap is able to intercept unencrypted Internet data – including authentication cookies used for account logins. PoisonTap could then send the stolen data to a hacker’s server, allowing the cybercriminal to do as they please.
PoisonTap was created by Samy Kamkar, an American security engineer and researcher whose claim to fame includes creating a password-stealing USB device, a key-sized dongle that can unlock cars and garages, and an app that uses Google Maps for stalking. His inventions highlight security and privacy vulnerabilities in our increasingly digital world and advocate for better practices and applications.
His creation of PoisonTap maintains this theme, pushing for the password-protection of unattended computers. Kamkar added, “The primary motivation is to demonstrate that even on a password-protected computer, your system and network can still be attacked quickly and easily.”
To add to that, Kamkar said that existing unsecured website credentials could be stolen. Cookies from HTTPS websites that were not properly secured can also be hijacked. Similarly, unsecured home and office routers can be hacked into through the same method.
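A defender-side check for the "not properly secured" HTTPS cookies mentioned above, as an added example that is not from the article or from PoisonTap's source. It assumes that "properly secured" means the cookie carries the `Secure` attribute and the site sends a `Strict-Transport-Security` header; the function names and the sample headers are constructed for illustration.

```python
# Added example (not PoisonTap code). Assumption: "secured" = Secure attribute + HSTS.
def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def hsts_max_age(value):
    """Return max-age in seconds from an HSTS header value, 0 if absent or invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdecimal() else 0
    return 0

def audit_response(headers):
    """headers: (name, value) pairs from one HTTPS response. Returns findings."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {name}: no Secure attribute, also sent over plain HTTP")
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts or hsts_max_age(hsts[0]) == 0:
        findings.append("site: HSTS missing or disabled, browser will still try plain HTTP")
    return findings

# Constructed sample headers for a hypothetical HTTPS site.
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "note=Secure; Path=/"),  # value text is not an attribute
    ("Set-Cookie", "prefs=dark; Path=/; secure; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=0"),
]
HARDENED = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]
if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs))
```

The `note=Secure` case shows why the check parses attributes instead of searching the header for the word "Secure".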
Kamkar publicly released the source code and technical specs of PoisonTap – even uploading a demonstration video on how to exploit locked computers.
When PoisonTap is plugged into a locked computer, it covertly infects the browser cache with code that remains in the system even after the device is unplugged – making it perfect for computers that are only temporarily unattended.
A hacker could potentially use the PoisonTap device to access a browser as it communicates with websites, or gain admin access to a connected router. While password protections stand in the way of cybercriminals, they do not necessarily provide much security since a majority of these routers have unpatched authentication vulnerabilities or unchanged default logins.