This $5 “PoisonTap” USB Device Can Hack Any Locked Computer [Video]
A developer has created a USB device called PoisonTap, costing no more than $5, which he claims can hack or hijack any computer’s web browser cookies and more by simply being plugged into a spare USB port on the computer.
The device was shown hacking a Mac via a YouTube video, though the developer claims that there is no reason why PoisonTap, as he calls his USB-based contraption, will not work on other computing platforms such as PCs powered by Microsoft Windows.
Developer Samy Kamkar built PoisonTap out of a Raspberry Pi microcomputer, and once the device is connected to an open USB port, it pretends to be an internet connection, stealing cookies and such so long as a web browser is running on the target machine. Kambar points out that the target computer does not need to be unlocked in order for the attack to come to fruition, though a web browser does need to be running in the background at least.
The device apparently requires no expertise to use and the hack can be carried out remotely should the need arise.
Once initiated, that attack allows for cookies to be stolen, allowing attackers to spoof a user’s identity across any social networks, or other websites for which cookies were stored on the machine.
Kamkar explaining PoisonTap and the exploits it employs to siphon cookies and install a web backdoor
According to Rik Ferguson of security outfit Trend Micro, the device is a plausible threat, especially considering that with cookies in play, two-factor authentication may not be enough to keep users safe. Ferguson says that HTTPS should be used going forward as that would also be a fantastic step forward for the web’s security, emphasizing that the ongoing move towards HTTPS rather than plain HTTP for website access and distribution needs to continue.