Samy Kamkar created a tool called PoisonTap that runs of a Raspberry Pi 0 and the article blows its abilities out of the water before slowly reducing it to nothing. It starts out claiming it can “hack a locked computer” but they soon amend this to include “with a browser open in the background”. They even go so far as to claim it will give attackers access to your router and launch other attacks from that platform.
Supposedly the device can be plugged in, wait a minute, be unplugged and its done. They even go so far as to say you need no knowledge to use it. Problem is it doesn’t give the user simple info or even usable for that matter unless the common person suddenly has software to inspect cookies.
Now on to the actual work it does. The Pi 0 emulates a network device and so the computer will send it the network traffic. It then will hunt down all cookies involved with non HTTPS sites and gather them. That is all it does. So no it does not hack your computer. Most important sites run as HTTPS so most cookies are not in danger.
This is not even remotely an effective attack method. In the article the business security side comes up but the problem is due to it being a work environment most users will not even lock the systems so why not just access the PC directly. Better yet install a physical keylogger so that you can get HTTPS info also. Another problem with it is that it needs a browser open to work, and with a locked PC you would never know until you started looking through the Pi’s files at a later point so to be effective you need to hit many devices. Another problem is best practices in the security field would prevent this from ever happening.
Ending note: a USB rubber ducking would be a better idea as it can do so much more.
Evan Delmolino – firstname.lastname@example.org