If you have $20 to spare and some “basic programming knowledge,” you can create a powerful hacking tool that can collect huge amounts of user credentials, easily. The best part about it is that you don’t even need to use any malware or viruses — everything can be clean as a whistle.
The news was revealed by security experts Kaspersky Lab, which was able to create such a device using a Raspberry-Pi microcomputer that was then configured as an Ethernet adapter.
With a few simple modifications to the OS running the machine, and with the help of a few publicly available packet sniffing, data collection and processing tools, they were able to set up a server to collect intercepted data.
The conclusion is that attacked machines can easily be fooled into seeing the Raspberry-Pi computer as a LAN adapter, automatically assigning it higher priority and giving it access to data exchange in the network.
“As a result, researchers were able to collect authentication data sent by the attacked PC and its applications, as they tried to authenticate domain and remote servers. In addition, researchers were also able to collect this data from other computers in the network segment,” Kaspersky Lab says.
“There are two major things that we are worried about as a result of this experiment: firstly — the fact that we didn’t really have to develop the software — we used tools freely available on the Internet. Secondly — we are worried about how easy it was to prepare the proof of concept for our hacking device. This means that potentially anyone, who is familiar with the Internet and has basic programming skills, could reproduce this experiment. And it is easy to predict what could happen if this was done with malicious intent. The latter is the main reason why we decided to draw public attention to this problem. Users and corporate administrators should be prepared for this type of attack,” says Sergey Lurye, a security enthusiast and co-author of the research at Kaspersky Lab.