It’s Monday morning, and you desperately need another cup of coffee. You know that going to the lunchroom only takes a few minutes, so you don’t bother closing all your applications and shutting down your machine. Instead, you lock your computer using a password. Your data is safe, right? Not anymore, thanks to a device known as PoisonTap.
When plugged into the USB port of a Windows or Mac computer, PoisonTap can gain access to that machine in less than a minute, even if it is password-protected. All the device needs is a web browser running in the background.
After being tricked into thinking that the plugged-in device is a new Ethernet connection, the computer starts routing web traffic through PoisonTap instead of sending it straight to the Internet. PoisonTap then looks for a running web browser, which it uses to connect to the top 1 million websites. It captures all unencrypted web traffic from those websites, including any authentication cookies the computer uses to log in to those sites. PoisonTap stores the collected data on the computer and later sends it to a server under the hacker’s control. It also installs a backdoor so that the hacker can remotely access the computer and the local network at any time.
Samy Kamkar, a security researcher and white-hat hacker, created the PoisonTap device from a $5 (USD) Raspberry Pi Zero computer and some code. He did it to “demonstrate that even on a password-protected computer running off of a WPA2 Wi-Fi, your system and network can still be attacked quickly and easily,” said Kamkar. Given that the device is the size of a credit card, getting it inside a business is no problem. Then, all a hacker needs to do is wait for an employee to leave his or her computer unattended for a few minutes.
There are several ways you can protect your business’s computers from this threat. At the top of the list is not letting visitors wander through your office unattended. However, this will not protect your company from insider threats.
Further, when employees leave their machines unattended, they should get into the habit of closing their web browser before they lock their computer with a password. Ideally, they should shut down their computers, but that is often impractical.
Another way to keep an unattended computer secure is using a full-disk encryption application such as Mac’s FileVault 2 in combination with a “deep sleep” mode, according to Kamkar.
Although PoisonTap was created by a white-hat hacker, it is only a matter of time before malicious hackers create and use these devices. So, now is the time to start educating employees about the threat and how to thwart it.