
Cheap ‘Poison Tap’ Tool Hacks Locked Computers

Tom Jowitt is a leading British tech freelance and long-standing contributor to TechWeek Europe


Unattended password-protected or locked PCs or Macs can be hacked with a simple $5 device

A security researcher has demonstrated how a cheap tool dubbed ‘Poison Tap’ can be used to hack unattended Apple Macs or PCs.

The device is especially dangerous as it hijacks a victim’s web browser cookies, potentially allowing a hacker to use the victim’s online accounts.

Cookie Monster

“Poison Tap is software that lives on a $5 (£4) Raspberry Pi microcomputer,” said Samy Kamkar of the Applied Hacking channel.

“When plugged into a locked or password-protected computer, it takes over all Internet traffic momentarily. It siphons and stores all HTTP cookies for top 1 million websites.

“It also exposes the internal router to the attacker, making it accessible remotely,” said Kamkar. “It also installs a web-based backdoor in HTTP cache… for hundreds of thousands of domains. The backdoor is a remote backdoor that persists, even when the device is removed and you walk away.”

The video shows Poison Tap being plugged into an Apple Mac (but it can also work on PCs). The Raspberry Pi microcomputer, which hosts the malware, is powered via the machine’s USB connection.

When it boots up, the malware emulates an Ethernet-over-USB device.

As soon as the computer detects this, it assumes an Ethernet cable has been plugged in and automatically makes a DHCP request to Poison Tap, which returns an IP address. The malware makes it appear that almost all IP addresses on the Internet are actually part of Poison Tap’s LAN. This forces the computer to route Internet traffic to the device rather than to the Internet.
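A defender's check for the routing trick described above, as an added example that is not from the article or from Poison Tap's author: it flags a DHCP lease that declares an implausibly large part of the IPv4 address space to be local. The lease fields, interface names, sample values and the 1% threshold are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: no ordinary LAN lease should claim more than 1% of IPv4 space
# (a complete 10.0.0.0/8 is only about 0.4%).
MAX_CLAIMED_FRACTION = 0.01

def claimed_networks(lease):
    """Networks a lease steers to its interface: the on-link subnet plus any
    routes pushed with the lease (e.g. DHCP classless static routes)."""
    onlink = ipaddress.ip_network(
        f"{lease['address']}/{lease['netmask']}", strict=False)
    pushed = [ipaddress.ip_network(r) for r in lease.get("routes", [])]
    # collapse_addresses merges overlapping and adjacent networks,
    # so no address is counted twice.
    return list(ipaddress.collapse_addresses([onlink, *pushed]))

def claimed_fraction(lease):
    """Share of the whole IPv4 space the lease pulls onto its interface."""
    return sum(n.num_addresses for n in claimed_networks(lease)) / 2**32

def steered(lease, destination):
    """True if traffic to `destination` would leave via this lease's interface."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in claimed_networks(lease))

def audit(leases):
    """Return {interface: fraction} for leases that claim too much."""
    return {l["iface"]: claimed_fraction(l) for l in leases
            if claimed_fraction(l) > MAX_CLAIMED_FRACTION}

# Constructed sample leases: a normal wired LAN and a newly attached
# USB Ethernet adapter whose lease claims the entire address space.
LEASES = [
    {"iface": "eth0", "address": "192.168.1.23", "netmask": "255.255.255.0"},
    {"iface": "usb0", "address": "1.0.0.10", "netmask": "128.0.0.0",
     "routes": ["128.0.0.0/1"]},
]

if __name__ == "__main__":
    for iface, frac in audit(LEASES).items():
        print(f"{iface}: lease claims {frac:.1%} of IPv4 space as local")
```
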

Poison Tap sends out one million hidden iframes to the top million websites, stealing cookies sent to those websites. The only way to avoid this is to use the secure flag on cookies and to allow only HTTPS.

It also installs a backdoor, so the attacker can continue to remotely access the websites even when the USB device is removed from the machine.

The device highlights the pressing need for users not to leave their PCs or laptops unattended, and not to plug in rogue USB sticks.

The researcher jokingly suggests another way to protect a machine is to “add cement to all the USB ports.”

Shocking USBs

This is not the first time that a cheap USB-based device has been used to damage machines.

Last year a Russian security researcher called ‘Park Purple’ created a USB stick that could destroy a computer with a 220 volt charge.

That charge is sent through the signal lines of the USB interface, effectively killing the computer within seconds.
