Even the strongest passwords are fallible, and as Samy Kamkar demonstrates, sometimes it doesn’t take much.
Kamkar’s new exploit, PoisonTap, uses free software and a $5 Raspberry Pi Zero microcomputer. After attaching the Raspberry Pi to a USB adapter and plugging it in, the device goes to work. In all of 30 seconds, it bypasses your lock screen and begins installing a backdoor that works even after the device is removed from the USB port.
If you think a strong password will save you, you’d be wrong. PoisonTap doesn’t work that way. It’s not trying to guess your password, but instead bypass it entirely — and it works.
After plugging in the PoisonTap device, it begins to emulate an internet over USB device. Once detected, your laptop assumes it’s connected via ethernet, and begins to send all unencrypted web traffic to the microcontroller. Your existing Wi-Fi network’s security won’t save you, as the device tricks your computer into prioritizing its connection rather than the one you’re already connected to.
Acting as a man-in-the-middle, the device then begins stealing any HTTP authentication cookies that you’d use to log in to private accounts, as well as session data from a million of the web’s top sites, according to Alexa. Worse, due to the way it’s designed, two-factor authentication might not help. Since PoisonTap siphons cookies, and not the actual login credentials, it’s fully capable of hijacking accounts using two-factor.
The one caveat to its effectiveness is it requires the user to have a running browser tab open on the locked device. But I don’t think the vast majority of us are closing browsers before lowering the lid on our laptop.
Kamkar does have a few tips to protect yourself, although he recognizes most aren’t all that practical:
- Set your computer to hibernate, rather than sleep. In hibernation, the computer suspends all processes.
- Close your web browser each time you walk away from your machine.
- Regularly clear your browser cache.
- Use full-disk encryption and your device’s hibernation mode.
- Disable the USB ports
via The Hacker News