This $5 hacking tool is called Poison Tap — It’s so sophisticated that it can even compromise a locked (password-protected) computer.
Samy Kamkar has long been under the limelight for developing sophisticated hacking tools that simply leaves security community speechless. Recently, Kamar has developed a small USB that goes by the name of Poison Tap. The device works by re-routing all the internet traffic to its own domain and hence accesses cookies. Using this information, the device enables attackers to access all the account information.
Also Read: 8 Most Popular and Best Hacking Tools
A network-accessing device
Essentially, the device works by loading itself onto the victim’s computer. The computer recognizes the device as an Ethernet Device. As such, the device takes over the entire IPv4 address space leading all the network traffic of victim to be routed through Poison Tap.
This means the traffic is not able to reach the actual gateway and instead uses the device to do so. This leads the attacker to access HTTP cookies and bypass any security.
After gaining access to these cookies, the attacker can even remove the device and still have access to the victim’s computer remotely.
PoisonTap HTML5 canvas animation/Source: Ara
Hacking made easy
It seems that Kamar has consequently made hacking as easy as possible. Simply using a USB device, a victim’s online accounts can be also hacked and various other security measures can be breached.
PoisonTap evades the following security mechanisms:
Password Protected Lock Screens
Routing Table priority and network interface Service Order
Same-Origin Policy
X-Frame-Options
HttpOnly Cookies
SameSite cookie attribute
Two-Factor/Multi-Factor Authentication (2FA/MFA)
DNS Pinning
Cross-Origin Resource Sharing (CORS)
HTTPS cookie protection when Secure cookie flag & HSTS not enabled
I’ve released PoisonTap; attacks *locked* machines, siphons cookies, exposes router & backdoors browser w/RasPi&Node https://t.co/mbTAti33wy
— Samy Kamkar (@samykamkar) November 16, 2016
A must watch video for in-depth technical understand
[fullsquaread][/fullsquaread]
Previously, he demonstrated how an attacker can hack and open garage doors in seconds with a toy. He also showed how consumer drones can be hacked for personal use. That’s not all, Kamkar also demonstrated how an attacker can locate, unlock and start General Motors (GM) cars with a hacked mobile app. As far as his latest development, let us hope the security community figures out a defense mechanism against this before the device gets into the wrong hands.
