• Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Archives
    Archives Contains a list of blog posts that were created previously.
  • Login
    Login Login form

This $5 device can hack password-protected computers in just 30 seconds

Posted by on in Internet Privacy
  • Hits: 9641

Even the strongest passwords are fallible, and as Samy Kamkar demonstrates, sometimes it doesn’t take much.

Kamkar’s new exploit, PoisonTap, uses free software and a $5 Raspberry Pi Zero microcomputer. After attaching the Raspberry Pi to a USB adapter and plugging it in, the device goes to work. In all of 30 seconds, it bypasses your lock screen and begins installing a backdoor that works even after the device is removed from the USB port.

If you think a strong password will save you, you’d be wrong. PoisonTap doesn’t work that way. It’s not trying to guess your password, but instead bypass it entirely — and it works.

After plugging in the PoisonTap device, it begins to emulate an internet over USB device. Once detected, your laptop assumes it’s connected via ethernet, and begins to send all unencrypted web traffic to the microcontroller. Your existing Wi-Fi network’s security won’t save you, as the device tricks your computer into prioritizing its connection rather than the one you’re already connected to.

Acting as a man-in-the-middle, the device then begins stealing any HTTP authentication cookies that you’d use to log in to private accounts, as well as session data from a million of the web’s top sites, according to Alexa. Worse, due to the way it’s designed, two-factor authentication might not help. Since PoisonTap siphons cookies, and not the actual login credentials, it’s fully capable of hijacking accounts using two-factor.

The one caveat to its effectiveness is it requires the user to have a running browser tab open on the locked device. But I don’t think the vast majority of us are closing browsers before lowering the lid on our laptop.

Kamkar does have a few tips to protect yourself, although he recognizes most aren’t all that practical:

  • Set your computer to hibernate, rather than sleep. In hibernation, the computer suspends all processes.
  • Close your web browser each time you walk away from your machine.
  • Regularly clear your browser cache.
  • Use full-disk encryption and your device’s hibernation mode.
  • Disable the USB ports



Rate this blog entry:


airs logo

Association of Internet Research Specialists is the world's leading community for the Internet Research Specialist and provide a Unified Platform that delivers, Education, Training and Certification for Online Research.

Get Exclusive Research Tips in Your Inbox

Receive Great tips via email, enter your email to Subscribe.

Follow Us on Social Media