A developer has created a $5 tool that can hack into screen-locked computers as long as a web browser is left running.
Los Angeles-based computer engineer Samy Kamkar revealed his creation, which he calls the Poison Tap and which costs only $5. The USB device can bypass any password-locked computer and open the machine to remote access without the user knowing anything about it.
Kamkar made a YouTube video of himself demonstrating Poison Tap on a Macintosh computer but hinted that it should also work on other platforms, according to BBC News. The device is plugged into the computer's USB port; once plugged in, it masks itself as the internet and begins to hijack all traffic.
The Device
The Poison Tap is a minuscule Raspberry Pi Zero computer that makes the target laptop or PC think it is connecting to a network. Once all unencrypted traffic is hijacked, it injects HTML into the open web browser, pretending to serve up the correct pages to the computer.
The computer is forced to take in JavaScript code and store it in the web cache, which at the same time grants remote access to the computer's browser. The Poison Tap can also acquire and collect the user's unencrypted login cookies.
The hacker can then use the stolen cookie data to access all websites the user visited, using the user's own login details, MacRumors reported. All this happens in less than a minute, without having to unlock the computer, and it remains within the compromised machine even after Poison Tap has been unplugged.
Security threat
What's mind-boggling is that the Poison Tap bypasses standard security measures such as password protection, two-factor authentication, DNS pinning and more. The device dupes the operating system by identifying itself as a LAN that encompasses the entire internet.
Protection
For his part, Kamkar also explained in the YouTube video how to protect unattended machines from possible attacks by Poison Tap and similar devices. The most basic measures are taking your laptop with you, always closing your browser windows, or enabling FileVault 2 if you use a Mac. Server admins, on the other hand, can enforce HTTPS at entry level.
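For server admins, one way to check the two gaps described above (login cookies that travel unencrypted, and sites that do not enforce HTTPS) is to audit response headers. The following is an added example, not code from Kamkar or from the original article; it assumes the Secure cookie attribute and the Strict-Transport-Security header as the concrete form of "enforcing HTTPS", and its function names, finding labels and sample responses are constructed for illustration.

```python
# Added example: audit response headers for the server-side gaps named above.
# Function names, finding labels and sample responses are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercase attribute names)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", set()
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs

def audit_response(scheme, status, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    hdrs = [(k.lower(), v) for k, v in headers]
    findings = []
    if scheme == "http":
        # A plain-HTTP endpoint should do nothing except redirect to HTTPS.
        location = next((v for k, v in hdrs if k == "location"), "")
        redirect = status in (301, 302, 307, 308)
        if not (redirect and location.lower().startswith("https://")):
            findings.append("content-served-over-http")
    elif not any(k == "strict-transport-security" for k, _ in hdrs):
        # Without HSTS the browser will still try http:// for this host later.
        findings.append("missing-hsts")
    for k, v in hdrs:
        if k == "set-cookie":
            name, attrs = parse_set_cookie(v)
            if "secure" not in attrs:
                # The browser would attach this cookie to plain-HTTP requests.
                findings.append("cookie-without-secure:" + name)
    return findings

# Constructed sample responses (not captured traffic).
WEAK_HTTP = ("http", 200, [("Content-Type", "text/html"),
                           ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
WEAK_HTTPS = ("https", 200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HARD_HTTP = ("http", 301, [("Location", "https://example.test/")])
HARD_HTTPS = ("https", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, resp in [("weak http", WEAK_HTTP), ("weak https", WEAK_HTTPS),
                        ("hardened http", HARD_HTTP), ("hardened https", HARD_HTTPS)]:
        print(label, "->", audit_response(*resp) or "ok")
```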
For those who are responsible enough and want to try Poison Tap out, you'll need the $5 Raspberry Pi Zero and Kamkar's software, available at his site.