You probably know by now that plugging a random USB device into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar's latest invention may make you think of your computer's USB ports themselves as unpatchable vulnerabilities: ones that open your network to any hacker who can get momentary access to them, even when your computer is locked. Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim's online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against. "In a lot of corporate offices, it's pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it," Kamkar says.
For big tech companies, data is money. Their goal is to collect as much information about you as they can, and try as we might, there's no surefire way to shut them out entirely. There are steps you can take to limit what advertisers know about you, though, and it all starts with your Facebook settings.
A proof of concept from security researcher and software developer Samy Kamkar shows that macOS, Windows, and Linux computers can have any previously active web logins hijacked merely by plugging in a tiny Unix device via USB or Thunderbolt, even if the computer is locked and password protected, and possibly even when it seems to be asleep. Because the weakness lies in how these systems are designed rather than in a single bug, it will be harder to root out and resolve. Kamkar said in an interview, "The interesting attacks to me are by design: how do you exploit the protocol rather than a single buffer overflow that gets patched the next day." Kamkar debated how to release news of this flaw, but it is such a long-standing problem in plain view that he believes it has likely been found quietly before. No one company or product was affected; effectively all of them were.
More than 10 million devices hooked up to the internet of things were hacked in a Friday attack that slowed a huge swath of the internet to a crawl. The next time that happens, your device could be one of them (if it wasn't already). Research conducted by ForeScout Technologies, a network security firm, found seven connected home smart devices that can be hacked in 180 seconds and may be weaponized in the future. Those devices include smart refrigerators, smart lightbulbs, video conference systems, VoIP phones, printers, security systems and climate control meters. "While [internet of things] devices make it possible for organizations to run faster and more efficiently, they are too often used with little regard to their security risk," the authors of the ForeScout report wrote.