Whether you are in the office or at home, locking your workstation is a basic security habit we are always encouraged to practice. When you step away from your desk, this simple step protects your work from snoopers by suspending your tasks and requiring your password to resume.
Unfortunately, locking your computer may no longer be as secure as we think it should be.
A few months ago, we reported on a $50 USB device that can steal login credentials from a locked computer in 20 seconds.
This week, a scarier USB device has emerged, and it takes things one step further: it can bypass the entire user account lock and steal online credentials and data in less than a minute.
Meet the PoisonTap
Dubbed the PoisonTap by its creator, Samy Kamkar, the USB gadget consists of a $5 Raspberry Pi Zero microcomputer and a simple USB cable. Kamkar claims that when the device is connected to a locked computer, it can masquerade as an Ethernet connection interface and route all internet traffic through itself.
This means the device can "see" and steal all of the data that's being sent and received by the computer, including sensitive information like login credentials and activity from millions of websites and web services including Facebook, Twitter and Gmail.
The device also installs a web-based backdoor that allows remote access by a hacker even when the PoisonTap is no longer plugged in.
Kamkar states that the whole attack can be accomplished in less than a minute, and that it steals all HTTP authentication cookies for millions of websites, which are then sent to a remote server. All the hacker needs is physical access to the locked computer.
How to protect yourself from a PoisonTap attack
Kamkar identifies himself as a white-hat hacker who probes and tests exploits like the PoisonTap to warn companies and users against possible attacks. Thankfully, he has no plans to sell the technology.
To prevent getting "PoisonTapped," he advises:
- Closing web browsers each time you lock your computer.
- Putting your computer into hibernate mode instead of sleep.
- Clearing your web browser cache regularly.
- In extreme cases, protecting USB ports by disabling them.
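Where disabling USB ports is not practical, administrators can instead watch for the behavior described above: a USB device that registers itself as a new Ethernet interface. The following is an added example, not code from Kamkar or from the original article; it assumes a Linux host whose kernel log uses the `cdc_ether` and `rndis_host` USB network drivers, and the log lines and allowlisted MAC address are constructed for illustration.

```python
import re

# Assumption: a Linux host, where USB Ethernet-class devices bind to these
# kernel drivers. The article does not name an operating system.
USB_NET_DRIVERS = {"cdc_ether", "rndis_host"}

# Kernel registration message for a USB network device, with optional dmesg timestamp.
REGISTER_RE = re.compile(
    r"(?:\[\s*(?P<ts>\d+\.\d+)\]\s+)?"
    r"(?P<driver>\w+) (?P<port>[\d.:-]+) (?P<iface>\w+): register '(?P=driver)' "
    r"at (?P<bus>usb-\S+), (?P<desc>[^,]+), (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample lines in dmesg format (not captured from a real device).
SAMPLE_LOG = [
    "[  101.204511] usb 1-2: new high-speed USB device number 5 using xhci_hcd",
    "[  101.377120] cdc_ether 1-2:1.0 usb0: register 'cdc_ether' at "
    "usb-0000:00:14.0-2, CDC Ethernet Device, 02:00:00:aa:bb:01",
    "[  340.918302] r8152 2-1:1.0 eth1: v1.12.13",
    "[  912.550017] rndis_host 1-3:1.0 usb1: register 'rndis_host' at "
    "usb-0000:00:14.0-3, RNDIS device, 02:00:00:aa:bb:02",
]


def find_unexpected_usb_nics(log_lines, allowed_macs=()):
    """Return one record per USB Ethernet registration whose MAC is not allowlisted."""
    allowed = {mac.lower() for mac in allowed_macs}  # e.g. a known docking station
    findings = []
    for line in log_lines:
        m = REGISTER_RE.search(line)
        if m is None or m.group("driver") not in USB_NET_DRIVERS:
            continue  # not a USB network adapter registration
        mac = m.group("mac").lower()
        if mac not in allowed:
            findings.append({
                "time": m.group("ts"),      # seconds since boot, None if absent
                "iface": m.group("iface"),
                "driver": m.group("driver"),
                "bus": m.group("bus"),
                "mac": mac,
            })
    return findings


if __name__ == "__main__":
    # The allowlisted MAC stands in for an approved adapter (constructed value).
    for hit in find_unexpected_usb_nics(SAMPLE_LOG, allowed_macs={"02:00:00:AA:BB:01"}):
        print("unexpected USB network interface:", hit)
```

Correlating each finding's timestamp with screen-lock events would narrow the alerts to adapters that appear while nobody is logged in at the keyboard.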