$5 PoisonTap Can Hack into Your Password Protected Mac

A developer has created a $5 device powered by a Raspberry Pi Zero called Poison Tap that can hack into Macs which are password protected. Besides having physical access to the computer in question, the only other pre-requisite of the device is that a web browser must already be running on it.

The tool needs to be plugged into the USB port of a Mac after which it hijacks its web traffic by presenting itself as standard internet connection thereby gaining access to cookies. With these cookies, any hacker could log into websites of those cookies without having to enter any username or password for verification purposes.

While developer Samy Kamkar has shown the hack to work on a Mac in his above video  he notes that Poison Tap will work on other platforms as well.

Rik Ferguson from Trend Micro speaking to the BBC states that Poison Tap is a potentially dangerous device, and it can even bypass two-step verification. He notes that the only way to prevent this attack from happening is by using HTTPS, which is an encrypted connection.

“[In normal circumstances] Even when you are not using a web browser it is still making requests and communicating – due to update or ads. Once the device is plugged in it exploits that communication and steals session cookies from the top one million websites,” said Mr Ferguson.

So, the next time you leave your Mac unattended, make sure that you don’t have any web browser running in the background as well.