VPN Articles and News

USB Ethernet Adapter Can Steal OS Passwords

By
Friday, August 31st, 2018


Security researcher Rob Fuller has uncovered a straightforward but highly dangerous method which allows attackers to gain access into Windows and Mac (and possibly Linux) based computers. As per the details published by him on his blog, it is possible to connect to a locked computer system and steal its login credentials through a plug-and-play device. Ron used USB Armory, a flash drive sized computer which costs $155; to carry out this hack but it is even possible to achieve the same results by using far cheaper devices (such as Hak5 LAN Turtle) that cost no more than $50.

It is not uncommon for users to lock their computers when they are not planning to use it for some time. As a matter of fact, this is the standard practice in most corporate environments. However, Rob says that the safety of locked computer systems where the users have already logged in is no longer guaranteed since it is possible to communicate with them via a USB device that masquerades as an Eternet adapter. He also says that theoretically this hack shouldn’t work since it defeats the security mechanisms put in place by Windows and Mac.

To carry out the hack, Rob used a customized version of USB Armory whose firmware code had been altered. He reprogrammed the plug-and-play device so that it appeared as a legitimate network gateway as well as a WPAD, DHCP and DNS server to the target system. And since both Windows and Mac trust plug-and-play devices, the target systems would install them even if the system itself was locked. Of course, there are some restrictions regarding what kind of devices could be installed when the system is locked but connecting to and communicating with Ethernet/ LAN adapters is permitted by both these operating systems.

Rob explains that by configuring the plug-and-play device to appear as a USB Ethernet adapter and a DHCP server, he was able to capture login credentials from a locked system where the user had already logged in. Both Windows and Mac pass usernames and passwords when communicating with a trusted DHCP server so Rob was able to capture this information just by installing an information capturing tool (such as Responder) on the plug-and-play device. Although the passwords captured in this way are in hashed format, it is possible to crack them with the current available technology.

Rob carried out the hack on a number of operating systems including Windows 10, Windows 7 SP1, Windows XP SP3, Windows 2000 SP4 and Windows 98 SE. He also tested the method against OS X El Capitan and Mavericks and was able to successfully communicate with the target OS. However, it is not yet known whether the method would work on other configurations of the Mac OS. Rob says that it takes an average of just 13 seconds to steal user credentials in this way. He also advises users not to leave their systems logged-in and locked-out for extended periods of time to remains safe from this vulnerability.


August 31, 2018
Comments

Leave a Reply

Your email address will not be published. Required fields are marked *


9 + 7 =