A serial hacker has come up with a little USB device that can hack into any computer, even one that is password protected, with little or no effort. Called PoisonTap, the $5 (£4) USB stick is reportedly able to hack into even a locked PC in just one minute.
Created by Samy Kamkar, the fully automated, proof-of-concept device works by opening up a web-based backdoor onto victims' PCs, which allows hackers to gain access to online accounts and their routers. PoisonTap is built on a Raspberry Pi supercomputer and once plugged into a PC, it mimics a network device, purporting to be the entire internet, to attack all outbound connections and hoodwink computers into sending all its traffic to the device.
"It's entirely automated. You plug it in, you leave it there for a minute, then you pull it out and you walk away," Kamkar told Motherboard. "You don't even need to know how to do anything."
"In a lot of corporate offices, it's pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it," Kamkar told Wired. Regardless of whether the computer is locked, PoisonTap "is still able to take over network traffic and plant the backdoor", he said.
"This is going to be really hard to detect," said Jeremiah Grossman, a web security researcher and chief of security strategy at SentinelOne. "Provided you have physical access, I think it's actually the most cleverly designed and effective backdoor tool that I've seen."
PoisonTap poses as the man-in-the-middle, proceeding to steal the victims' HTTP authentication cookies, which are used to log on to private accounts. Alarmingly enough, the attack is designed such that two-factor authentication may not be of much use in deterring attackers from gaining access to user accounts. Given that PoisonTap siphons off cookies and not user credentials, the device is also able to hijack accounts using two-factor authentication.
According to Kamkar, there is no 100% fix to avoid being hacked by PoisonTap. He jokingly claimed that the best solution would be to "fill your USB ports with cement". However, he did provide an alternative solution, adding that implementing user permission access when plugging in new devices could likely safeguard users' from such attacks.
"If I were Apple/Microsoft, I would have network devices (actually, probably any USB device except a mouse or keyboard) ask the user if they want to allow it to operate...at least the first time it's plugged in," Kamkar told TechCrunch.
"People feel secure leaving their laptops on their desk at lunch or when they leave the office with a password on the screensaver," Kamkar added. "That's clearly not secure."
A Microsoft spokesperson told Wired that for PoistonTap to work, "physical access to a machine is required. So, the best defense is to avoid leaving laptops and computers unattended and to keep your software up to date".