It costs only $5 to build this kind of device, hacker says

Nov 17, 2016 10:54 GMT  ·  By

Passwords, iris scanning, and fingerprint protection, are all here to help protect a computer from unauthorized access, but all of these have been rendered useless by a device that costs only $5 to build.

Samy Kamkar has shown in a video that it takes only a $5 Raspberry Pi Zero computer and free software to bypass protection on a computer using backdoor that’s installed through USB.

The hacking device is called PoisonTap and can emulate an Internet over USB connection that tricks the computer into believing that it’s connected via the Ethernet. Using the software, the computer is configured to prioritize the USB connection over wireless or Ethernet, so it begins sending unencrypted web traffic to PoisonTap.

The device automatically collects HTTP authentication cookies and session data from the majority of websites, with the hacker explaining that the top one million websites in Alexa are currently supported. Two-factor authentication is bypassed as well, as PoisonTap looks for cookies and doesn’t attempt to brute-force into the system or compromise login credentials.

How to remain protected

While this is worrying to say the least, Kamkar explains that the hacking device becomes useless if the computer doesn’t have at least one tab running in a browser. Additionally, he says that computers with USB ports disabled, or put in hibernation mode, are also secure because this way all processes are suspended and the hacking device can no longer siphon data.

In case you’re wondering if things like antivirus solutions or stronger passwords can block PoisonTap, this isn’t the case, as the hacking device doesn’t rely in any way on brute-force attacks, so the length of your passwords doesn’t make any difference.

Furthermore, given the fact that it uses free software and a specially crafted backdoor, antivirus solutions won’t detect it, leaving the computer fully vulnerable to attacks.

The entire process is detailed in the video below and, as a general recommendation, make sure you close your browser before leaving the desktop (we know nobody does that, but this is the simplest thing we can all do to stay protected).