Serial hacker Samy Kamkar has invented a new USB hacking tool that can break into any computer—locked or not—for just under $5.
The new device poses a threat to every company that doesn't have a plan of action for physical cybersecurity.
Poison Tap is a revolutionary tool
Imagine this—your organization has a number of old computers plugged in under empty desks in a seldom visited area of the office. It's the wing where a layoff occurred, or staffing has yet to begin. No one has the time to move them, so they've been sitting there for days—perhaps even months.
A delivery man comes in and leaves, but no one notices. Later in the day the network collapses, client or employee information is stolen and IT departments are left scratching their heads as to how a hacker found his or her way into the system.
Poison Tap is a new and dangerous USB flash drive that can break into any locked computer. Kamkar developed it to attack vulnerabilities found in nearly every operating system, according to Wired. As long as the computer is plugged in—or will be plugged in at any point of time in the future—the program can bypass any security controls and head straight for access to accounts, corporate intranet and anything in-between.
"In a lot of corporate offices, it's pretty easy: You walk around, find a computer, plug in Poison Tap for a minute, and then unplug it," Kamkar said in his YouTube video.
Now, companies leaving older computers lying around is nothing unique—in fact, it's rather commonplace. But this new tool, which can be purchased for less than the price of a pizza, opens up a world of hurt for any business that overlooks physical cybersecurity in its IT department.
Time to revamp your strategy
Malware, though difficult to manage, is relatively simple to spot. The same goes for viruses and phishing attempts. But Poison Tap embeds itself in the target's browser cache, according to Wired, which makes it near impossible to find until it has done its damage.
BBC reported that the device pulls cookie information from all the websites being stored, allowing the hacker to find any and every bit of information he or she needs.
"Degauss and crush computers to avoid Poison Tap."
There is, of course, one way to stop cybercriminals from being able to pull this stunt on inactive computers. Simply get rid of them. Unfortunately, securely disposing of electronics is a little more complex than just tossing them in the garbage—that's exactly what a hacker would want you to do.
Instead of leaving systems lying around still plugged in and vulnerable to attack, organizations should be developing a plan that incorporates degaussing and crushing—a surefire way to prevent against physical hacking attempts.
Degaussers are certified by the National Security Agency as a compliant way to demagnetize hard disk drives, which completely erases any bits of data that would be stored, like cookie sessions. Many organizations turn to reformatting or software wipes, but these only scramble the code. Poison Tap would still be able to retrieve it, since it's not actually gone.
After degaussing the computer, it's highly suggested to crush it. Doing this informally can be dangerous—a sledgehammer may be fun to use, but flying pieces of plastic could hurt someone. Instead, consider using crushers specifically created for one task—to grind a computer to tiny bits and pieces.
Using this strategy will undoubtedly leave the IT department with fewer computers to watch out for as Poison Tap picks up more popularity. It's far more difficult to plug a USB drive into a system that's in use, instead of one that hasn't been touched in months.