A new gadget demonstrates why even locked computers are vulnerable to attack.
Many of us lock our computers when we step away from them in order to keep our personal data secure. A few ways to get around the Windows lock screen already exist, but white-hat hacker Samy Kamkar has just developed a cheap gadget that demonstrates how insecure your computer really is, whether you’re on Windows, OS X or Linux.
The device, dubbed “PoisonTap”, is composed of nothing more than a one-chip Pi Zero computer, a USB cable, and some special software, all of which will set you back around USD 5. Once plugged into your computer, PoisonTap pretends to be an Ethernet connection coming across USB. The computer automatically attempts to connect to this Ethernet connection, and the gadget then takes over all internet traffic to your computer. It does this by making the computer think that almost all the IP addresses on the internet exist inside PoisonTap, so the computer begins communicating with the device instead. At this point, PoisonTap begins sending nefarious software and data through the use of several security loopholes, resulting in a severely compromised computer.
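A defender can spot the routing trick described above by checking how much of the IPv4 address space each interface claims as directly attached. The following is an added example, not code from Kamkar or from the original article; the sample routing table is constructed, and the interface name `usb0`, the two `/1` prefixes and the 1% threshold are assumptions.

```python
import ipaddress

# Constructed sample in the format of Linux `ip -4 route show` (not captured
# from a real host). usb0 and its two /1 prefixes are assumptions that model a
# USB Ethernet gadget claiming almost all of IPv4 as directly attached.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
0.0.0.0/1 dev usb0 proto kernel scope link src 1.0.0.10
128.0.0.0/1 dev usb0 scope link
"""

IPV4_SPACE = 2 ** 32


def onlink_coverage(route_text):
    """Map each interface to the fraction of IPv4 space it claims on-link."""
    claimed = {}
    for line in route_text.splitlines():
        fields = line.split()
        # Routes through a gateway ("via") are normal; only directly attached
        # destinations tell the host "this address lives on my own segment".
        if "dev" not in fields[:-1] or "via" in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "broadcast"
        if net.version == 4:
            dev = fields[fields.index("dev") + 1]
            claimed.setdefault(dev, []).append(net)
    # collapse_addresses merges overlapping/adjacent prefixes so nothing is
    # counted twice (two /1 routes collapse into 0.0.0.0/0).
    return {
        dev: sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
        / IPV4_SPACE
        for dev, nets in claimed.items()
    }


def suspicious_interfaces(route_text, threshold=0.01):
    """Interfaces whose on-link claim is at or above the threshold (assumed 1%)."""
    coverage = onlink_coverage(route_text)
    return sorted(dev for dev, frac in coverage.items() if frac >= threshold)


if __name__ == "__main__":
    for dev, frac in sorted(onlink_coverage(SAMPLE_ROUTES).items()):
        print(f"{dev}: {frac:.6%} of IPv4 on-link")
    print("flag:", suspicious_interfaces(SAMPLE_ROUTES))
```

The largest private range, 10.0.0.0/8, is under 0.4% of IPv4, so an ordinary LAN never crosses the threshold; VPN tunnels that install an on-link default route will, so known tunnel interfaces need an allowlist.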
As Kamkar details in his YouTube video, the device tricks your browser into requesting attack code, which in turn makes the browser launch hidden frames to the top million websites. PoisonTap steals the cookies from the websites, and then “cache poisons” the domains. As a result, any time you access one of the websites, a cache-based backdoor is opened which allows the attacker to remotely access your computer, even when it’s locked. The device further infiltrates your router and allows access to that as well. The exploits will remain on your computer, even after the device has been removed.
It is unlikely that you’re going to fall victim to such a nefarious attack when you leave your laptop at the office to go visit the bathroom, but it serves as an interesting example of how easy it is to circumvent the security measures that our OS manufacturers like to paint as very safe. Perhaps the best lesson here is to exercise caution, especially when you’re in public, and be aware of exactly how fast and easy it can be for someone to wreck your computer.
source: Samy Kamkar