In large organizations, individuals tend to leave their personal work computer unattended and unlocked in their office. But be careful: a new tool that has emerged on the market can now make it trivial for cyber criminals to hack into your computer. The tool allows them to log onto websites on your behalf and gain full access to the network routers, which in turn allows them to perform other malicious attacks.
For years now, hackers and cyber security researchers have found countless ways to hack into computers left unattended. Now, thanks to the development of the Raspberry Pi, the $5 mini-computer, and standalone tools, this task has become easier.
PoisonTap, a device created by hacker and developer Samy Kamkar, allows hackers to break into computers that are password protected, but only if a browser is still open in the background.
This device is easy to use – just plug the device into a targeted computer and … wait.
“It’s entirely automated. You plug it in, you leave it there for a minute, then you pull it out and walk away,” Kamkar told Motherboard. “You don’t even need to know how to do anything.”
PoisonTap is built on the newly released mini-computer, the Raspberry Pi Zero. When the hacker plugs it into a USB port on the targeted computer, it emulates a network device and attacks any and all outbound connections, tricking the computer into believing that PoisonTap is the entire Internet. The device can also steal the victim’s cookies if they come from websites that don’t use HTTPS web encryption.
Kamkar states, “I, as a hacker, can get onto the Raspberry Pi and get on your cookies, and log into same websites as if I’m you. And don’t need any password and I don’t need any username.”
Other security researchers who reviewed Kamkar’s research agreed that this line of attack does appear to be a novel one: when you connect a new networking device to a computer, the computer automatically starts talking to the new network card and exchanging data with it.
An experienced pen tester, Jayson E. Street, has stated, “We have to come to the realization that maybe having a locked workstation probably isn’t enough.” Street has previously encountered these types of cyber-attacks in his day job.
Craig Smith, the director of transportation security at Rapid7, also noted PoisonTap’s ability. “Samy has strung together a lot of neat, small attacks on a $5 Raspberry Pi to create a symphony of smaller attacks into a grand finale.”
Kamkar joked that you can still protect yourself by “fill[ing] your USB ports with cement.”
While there are several software programs you can use to help prevent a malicious attack against your computer, in this case the best thing to do is simply to turn the computer off when you’re not near it. PoisonTap works by piggybacking off your computer while it is powered up. On the network level, sites that make use of HTTPS encryption are currently immune to this vulnerability.
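For site owners, the cookie exposure described above can be checked per cookie. The following added example (not from the article or from Kamkar's project) audits `Set-Cookie` headers for cookies that a browser would attach to a plain-HTTP request, which is the traffic a device posing as the network can read. The origins, cookie names and header values are constructed sample data, and the use of the standard `Secure` cookie attribute as the criterion is an assumption beyond the article's HTTP/HTTPS distinction.

```python
from typing import NamedTuple


class CookieFinding(NamedTuple):
    name: str
    secure: bool      # Secure attribute present
    http_only: bool   # HttpOnly present (blocks script access, not interception)
    exposed: bool     # True if the browser would send it over plain HTTP


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value into the attributes that matter here."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    # Attribute names are case-insensitive; keep only the name before any "=".
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    secure = "secure" in attrs
    return CookieFinding(name.strip(), secure, "httponly" in attrs, not secure)


def audit(responses: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each origin to the names of its cookies that lack Secure."""
    report: dict[str, list[str]] = {}
    for origin, headers in responses.items():
        exposed = [f.name for f in map(parse_set_cookie, headers) if f.exposed]
        if exposed:
            report[origin] = exposed
    return report


# Constructed sample data: Set-Cookie values as a site audit might collect them.
SAMPLE_RESPONSES = {
    "https://intranet.example": [
        "session=4f2a; Path=/; HttpOnly",  # served over HTTPS but not Secure
        "csrftoken=9b1c; Path=/; Secure; SameSite=Strict",
    ],
    "https://mail.example": [
        "sid=77aa; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    "http://wiki.example": [
        "auth=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    ],
}

if __name__ == "__main__":
    for origin, names in audit(SAMPLE_RESPONSES).items():
        print(f"{origin}: sent over plain HTTP: {', '.join(names)}")
```

A cookie set over HTTPS without `Secure` is still flagged, because the browser will also send it on any plain-HTTP request to the same host.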