Rogue USB-to-Ethernet adapters Can Help Attackers to Extract Credentials of Locked PCs.
If your PC is locked it does not mean that your credentials and data are safe. A rogue USB-to-Ethernet adapter will help the attackers unlock computers running Windows or OS X to steal your private data. Even a $50 adapter can do the job in mere seconds, which is indeed alarming.
Usually, we lock our computer screen for a while if we need to go somewhere else, which apparently is a reasonable enough security practice. However, Rob Fuller has proved that it is not as safe as we might think.
Fuller, the R5 Industries’ principal security engineer, has identified that cyber-criminals can use a special USB device to copy the OS account password hash even if the PC is locked. It only takes seconds to do so. They can easily crack the hash later and apply it directly in conducting network attacks.
To prove his theory, Fuller used a $155 USB Armory, which is a flash-drive-sized computer device, and masqueraded it as a USB-to-Ethernet LAN adapter so that it transforms into a primary network interface. However, Fuller states that other cheaper devices like Hak5 LAN Turtle, which costs just $50 could perform the same task.
The act is not as difficult at all because the OS automatically identifies and installs any new USB device including the Ethernet cards despite being in a locked state. Moreover, wired or fast Ethernet cards are configured automatically as default gateways.
So let’s assume if someone plugs in a USB-to-Gigabit-Ethernet adapter into any locked laptop running Windows OS, then the adapter will be installed and the laptop will mark it as the preferred network interface.
Using the Dynamic Host Configuration Protocol (DHCP), the OS configures the network setting whenever a new network card is installed, which means that cyber-criminals can use a rogue PC at the other side of the Ethernet cable that will pose as a DHCP server. Once this is successfully achieved, the attacker will control the Domain Name System (DNS) responses and will also configure a fake internet proxy using the Web Proxy Autodiscovery or WAPD protocol. This also hints to the fact that the attacker could get into a very privileged man-in-the-middle position to tamper or intercept the incoming network traffic on that computer.
The reason is that locked computers keep generating network traffic, which makes it easy for attackers to extract account names and hashed passwords. The entire feat could be performed in no more than 13 seconds, states Fuller.
Fuller recommends users of PCs and Laptops to never leave their workstations “logged in, especially overnight, unattended,” even if the screen is locked.
#SecurityTip Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen.. ;)
— Rob Fuller (@mubix) September 7, 2016
Watch how it’s done below:
We highly recommend going through Fuller’s post here for more technical details about this findings.
Featured Image Via: Flickr / Trammell Hudson