Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.
Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background. Kamkar explained how it works in a blog post published on Wednesday.
And all a hacker has to do is plug it in and wait.
“It’s entirely automated. You plug it in, you leave it there for a minute, then you pull it out and you walk away,” Kamkar told Motherboard in a phone call. “You don’t even need to know how to do anything.”
PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it’s plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer into sending all traffic to it. Once the device is positioned in the middle like this, it can steal the victim’s cookies, as long as they come from websites that don’t use HTTPS web encryption, according to Kamkar.
“I, as the attacker, can get onto the Raspberry Pi and get on your cookies, and log into same websites as if I’m you,” Kamkar told me. “And I don’t need any password and I don’t need any username.”
Security experts who reviewed Kamkar’s research for Motherboard agreed that this is a novel attack, and a good way to expose the excessive trust that Mac and Windows computers have in network devices. That’s the key to PoisonTap’s attacks—once what looks like a network device is plugged into a laptop, the computer automatically talks to it and exchanges data with it.
It’s not necessarily an attack everyone should worry about. But it’s a good reminder that if a hacker has physical access to your computer, it’s game over.
"We have to come to the realization that maybe having a locked workstation probably isn’t enough," Jayson E. Street, a penetration tester who has experience using these types of attacks in his day job, told Motherboard.
Another security researcher, Andrea Barisani, told Motherboard in an email that while “best practices would prevent such a device to have any effect,” the reality is that “sadly the state of the internet is still far from reaching this goal and projects like PoisonTap, [...] are a very effective way in raising awareness about the need for addressing poor web security configurations once and for all.”
Craig Smith, the research director of transportation security at Rapid7, said that with PoisonTap “Samy has strung together a lot of neat, small attacks on a $5 Raspberry Pi to create a symphony of smaller attacks into a grand finale.”
Not all hope is lost, though. To prevent someone from hijacking your accounts with PoisonTap, the best solution is to “fill your USB ports with cement,” Kamkar says, laughing.
Jokes apart, the other surefire solution is to actually shut down the computer when you walk away from it, or at least close your browser, since PoisonTap needs to piggyback on it to work, according to Kamkar. At the network level, websites that use only HTTPS are immune to PoisonTap, so this is yet another reason why the whole internet should get encrypted.