A simple $5 device can easily gatecrash a computer even if the computer is locked. To take control of the computer, PoisonTap is simply plugged into a USB port, where it declares that it is not a USB device but an Ethernet interface. The computer, through Wi-Fi, sends a DHCP request asking to be allocated an IP address. PoisonTap answers the request and presents a large range of IPs as being connected to the local LAN through the fake wired connection.
Your computer readily accepts this and sends traffic to the fake IPs on PoisonTap instead of to the real services and websites. These transactions happen without any action on your part. Pre-loaded items such as ads and analytics remain active, and as soon as one of them sends an HTTP request, PoisonTap responds with a stream of data hiding malicious iframes for the Alexa top one million sites. These iframes carry back doors and stay in place until someone removes them.
In the meantime, sessions and cookies are collected and diverted for the attacker's own purposes. The router itself is exposed to remote management. All of this persists after PoisonTap has been removed, and everything happens in less than a minute, even if your computer is locked.
This intrusion can happen even if you have taken standard security measures, including password protection, DNS pinning, two-factor authentication, and more. It works because the OS fundamentally decides to trust an unfamiliar USB connection when it claims to be a LAN encompassing the entire Internet.
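A defender can check for the condition described above, an interface claiming far more than a real LAN as directly attached. The following is an added example, not code from PoisonTap or from the original article; the route tuple format, the interface names and the allow-list of local ranges are assumptions, and the sample rows are constructed.

```python
import ipaddress

# Ranges a host can legitimately treat as on-link (directly attached). IPv4 only.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16", "127.0.0.0/8", "100.64.0.0/10",  # link-local, loopback, CGNAT
    "224.0.0.0/4", "255.255.255.255/32",               # multicast, broadcast
)]

# Constructed sample rows: (interface, destination, gateway or None if on-link).
SAMPLE_ROUTES = [
    ("wlan0", "0.0.0.0/0", "192.168.1.1"),   # normal default route via a gateway
    ("wlan0", "192.168.1.0/24", None),       # normal Wi-Fi LAN
    ("usb0", "0.0.0.0/1", None),             # new USB NIC claims half the Internet
    ("usb0", "128.0.0.0/1", None),           # ... and the other half
    ("docker0", "172.17.0.0/16", None),      # local bridge, harmless
]


def suspicious_onlink_routes(routes):
    """Return on-link routes that claim address space outside LOCAL_RANGES."""
    findings = []
    for iface, dest, gateway in routes:
        if gateway is not None:
            continue  # reached through a router, not claimed as local
        net = ipaddress.ip_network(dest, strict=False)
        if any(net.subnet_of(local) for local in LOCAL_RANGES):
            continue  # plausible LAN-sized, non-public range
        findings.append((iface, str(net), net.num_addresses))
    return findings


if __name__ == "__main__":
    for iface, net, count in suspicious_onlink_routes(SAMPLE_ROUTES):
        print(f"ALERT {iface}: {net} claimed as local ({count} addresses)")
```

On a real host the rows would come from the operating system's routing table; more-specific on-link routes win over the default route, which is why such an interface receives the traffic even while Wi-Fi stays connected.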
In fact, server admins must prevent this by implementing HTTPS at every level. But it is awful on the client side. Microsoft and Apple found out about this only today. Reporters approached both companies for comment but have not yet received any reply from them.