$5 'Poison Tap' hacks locked computers

A developer has created a $5 (£4) device that can hack into an unattended computer even with a locked screen.

The tool called Poison Tap can break into a password-protected computer if the user has left an internet browser running in the background.

The attacker can then remotely use the victim’s web accounts undetected.

Samy Kamkar, who has made a YouTube video showing what happens when it breaks into a computer, created the device on a Raspberry Pi microcomputer.

He demonstrated it working on a Macintosh computer, but indicated that it would work on other platforms.

Poison Tap plugs into the target computer’s USB port and once there it pretends to be the internet and hijacks traffic.

The developer says that using the device requires no expertise and it can be used remotely after it is initially plugged into a computer.

It is then able to steal the victim’s cookies – the small files on a user’s computer that store information about internet use. Some have specific functions, for example session cookies allow users to be recognised within a website.

If cookies are stolen then the attacker may be able to access any websites they use – without the need for their username or password.

Rik Ferguson, from security company Trend Micro, told the BBC the device was a plausible threat.

“[In normal circumstances] Even when you are not using a web browser it is still making requests and communicating – due to updates or ads.

“Once the device is plugged in it exploits that communication and steals session cookies from the top one million websites,” said Mr Ferguson.

Password protection

Mr Ferguson explained even two-step verification – adding an extra layer of security to an account, such as requiring a user to type in a code which is then sent to their mobile phone – does not provide extra protection because the device is able to intercept the cookies.

So if you have a Facebook or Twitter account, it could pretend it is already in an open session and bypass any password protection.

He says web servers can prevent an attack by only using HTTPS (hypertext transfer protocol secure) which is an encrypted connection.

“The most important thing they can do is use exclusively HTTPS, this would also be a fantastic step forward for the web,” he said.

He advised all users could do is make sure that they close their browser every time they leave their computer – even if it is locked.

A Microsoft spokesperson told the BBC: “Regardless of operating system, for this to work, physical access to a machine is required. So, the best defence is to avoid leaving laptops and computers unattended and to keep your software up to date”

Apple could not be reached for comment.

Source: http://www.bbc.co.uk/