Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.
Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background.Kamkar explained how it works in a blog post published on Wednesday.
And all a hacker has to do is plug it in and wait.
“It’s entirely automated. You plug it in, you leave it there for a minute, then you pull it out and you walk away,” Kamkar told Motherboard in a phone call. “You don’t even need to know how to do anything.”
PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it’s plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim’s cookies, as long as they come from websites that don’t use HTTPS web encryption, according to Kamkar.