Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials

[Batu69]

Possibly Linux creds too, but yet untested

Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).

Fuller's attack is effective against locked computers on which the user has already logged in.

The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it's connected to.

Attack works because computers trust PnP devices

The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

"Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed," Fuller wrote on his blog yesterday.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

Modified USB Ethernet adapter logs PC credentials

When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the local credentials needed to install the device.

Fuller's modified device includes software that intercepts these credentials and saves them to an SQLite database.

The researcher's modified device also includes a LED that lights up when the credentials have been recorded.

Attack average runtime is 13 seconds

An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.

Fuller couldn't believe this type of attack was possible, so he tested the scenario with USB Ethernet dongles such as USB Armory and Hak5 Turtle.

He says the attack was successful against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. The researcher is planning to test the attack against several Linux distros as well. Below is a video of Fuller's attack in action.

USB credential stealing while screen is locked

 

Article source

 

[straycat19]

Won't work if you lock your USB ports as part of your security procedures.  Once we created folders on the network for all the users we locked all the USB ports since they have no need to copy anything because it is all stored on the network and is accessible from work, home, or on the road.  I don't see any exploit that requires physical access to a computer as a threat because you can't access our offices nor our computers.  And there are easier methods of getting the data without modifying a device.  There are law enforcement programs that you install to a usb drive and just plug it in, no modifications needed to anything. It automatically downloads libraries, registry hives, and a memory dump without doing anything but plugging it in.  But again you have to have physical access, though it is pretty easy to sneak a single flash drive into a system if that is all that is needed.

[steven36]

This this reminds me of a movie I watched  the other day were they  had someone to go into a business and install spyware on there system   If  someone had access to you're PC like this exploit requires  they could steal you're  whole hard drive  anyways or install any kind  of malware they wish.. they would own you as long  they dont get caught . But how many people on a software site like this has anything  that someone would find valuable enough to break in there house and  install spyware on there system ? There more likely to self infect  themselves with from  being  addicted to installing software than some going  on there PC and installing it. All it takes is one bad player.    These journalist be watching to many hacker movies a lot of things are possible  but chances are slim to none it would be a reality  in you're world . And if its not part of my world i could careless  what some business with a mole has happen too them