Built on a Raspberry Pi Zero, PoisonTap emulates a network device and attacks all outbound connections by pretending to be the internet

After reading this article, you’ll think twice about going
out to lunch while leaving your computer unattended at the office. Thanks to a
new tool that makes it effortless for hackers to log onto websites posing as
you, getting access to your network router, and launching other attacks, you
might not want to look this one over.


The new $5 device known as PoisonTap, created by hacker and
developer Samy Kamkar, can even break into password-protected computers, as long
as there’s a browser open in the background.

All a hacker has to do is plug in the device and be patient.
The worst part? It takes one minute, and basically, other than plugging it in and removing it, no other skills are

Built on a Raspberry Pi Zero microcomputer, once PoisonTap
is plugged into a USB port, it emulates a network device and attacks all
outbound connections by pretending to be the whole internet, tricking the
computer to send all traffic to it. If that’s not alarming enough, after the
device is positioned, it can steal the victim’s cookies, as long as they come
from websites that don’t use HTTPS web encryption, according to Kamkar. 


“I, as the attacker, can get onto the Raspberry Pi and get
on your cookies, and log into the same websites as if I’m you,” Kamkar told Motherboard.
“And I don’t need any password and I don’t need any username.”

Security experts that reviewed Kamkar’s research for
Motherboard agreed that this is a novel attack, and a good way to expose the trust
that Mac and Windows computers have in network devices. But that’s the key of
PoisonTap’s attacks — once what looks like a network device is plugged into a
laptop, the computer automatically talks to it and exchanges data with it.

Although this isn’t an attack everyone should worry about,
it’s a reminder that if a hacker has physical access to your computer, there’s
no turning back. But not all hope is lost. To prevent someone from hijacking
your accounts with PoisonTap, the best solution, according to Kamkar, is to “fill
your USB ports with cement.” In other words: be very careful with your personal

Joking aside, one solution is to completely shut down your
computer when you walk away from it, or at lease close your browser, since
PoisonTap needs to piggyback on it in order to work. At the network level,
websites that use HTTPS are immune to such a hack — another reason why the
entire internet should be encrypted.