This $5 hacking tool lets attackers bypass security on locked computers

This $5 hacking tool is called Poison Tap — It’s so sophisticated that it can even compromise a locked (password-protected) computer.

Samy Kamkar has long been under the limelight for developing sophisticated hacking tools that simply leaves security community speechless. Recently, Kamar has developed a small USB that goes by the name of Poison Tap. The device works by re-routing all the internet traffic to its own domain and hence accesses cookies. Using this information, the device enables attackers to access all the account information.

A network-accessing device

Essentially, the device works by loading itself onto the victim’s computer. The computer recognizes the device as an Ethernet Device. As such, the device takes over the entire IPv4 address space leading all the network traffic of victim to be routed through Poison Tap.

This means the traffic is not able to reach the actual gateway and instead uses the device to do so. This leads the attacker to access HTTP cookies and bypass any security.

After gaining access to these cookies, the attacker can even remove the device and still have access to the victim’s computer remotely.

PoisonTap HTML5 canvas animation/Source: Ara

Hacking made easy

It seems that Kamar has consequently made hacking as easy as possible. Simply using a USB device, a victim’s online accounts can be also hacked and various other security measures can be breached.

PoisonTap evades the following security mechanisms:

Password Protected Lock Screens

Routing Table priority and network interface Service Order

Same-Origin Policy


HttpOnly Cookies

SameSite cookie attribute

Two-Factor/Multi-Factor Authentication (2FA/MFA)

DNS Pinning

Cross-Origin Resource Sharing (CORS)

HTTPS cookie protection when Secure cookie flag & HSTS not enabled

A must watch video for in-depth technical understand

Previously, he demonstrated how an attacker can hack and open garage doors in seconds with a toy. He also showed how consumer drones can be hacked for personal use. That’s not all, Kamkar also demonstrated how an attacker can locate, unlock and start General Motors (GM) cars with a hacked mobile app. As far as his latest development, let us hope the security community figures out a defense mechanism against this before the device gets into the wrong hands.

Related Posts