Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn’t good enough, a security researcher demonstrated this week.
Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers. Fuller’s attack is effective against locked computers on which the user has already logged in.
Fuller used USB-based Ethernet adapters whose firmware he modified to run special software that sets the plug-and-play USB device up as the network gateway, DNS server, and WPAD (Web Proxy Auto-Discovery Protocol) server for the computer it is connected to.
The attack is possible because most computers will automatically install any plug-and-play USB device.
“USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed,” Fuller wrote on his blog.
“Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
The modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology.
According to Fuller, computers in a locked state still generate network traffic, allowing the account name and hashed password to be extracted. The time it takes for a USB device to capture credentials from a system using this attack is around 13 seconds. He used two Ethernet dongles: USB Armory and Hak5 Turtle.
Fuller successfully tested his attack against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks.
He is about to test Linux.
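An added example, not from Fuller's post: a PowerShell check for Windows that lists USB-attached network adapters currently supplying the default gateway or DNS servers, the roles the modified adapter takes over. It assumes the built-in NetAdapter, NetTCPIP and DnsClient cmdlets (Windows 8 / Server 2012 and later); legitimate USB docks and dongles will also show up, so results need comparing against known hardware.

```powershell
# Added example (not the researcher's code): find USB network adapters that
# act as default gateway and/or DNS server for this machine.

# Adapters whose Plug-and-Play device ID shows they sit on the USB bus.
$usbNics = Get-NetAdapter | Where-Object { $_.PnPDeviceID -like 'USB\*' }

$findings = foreach ($nic in $usbNics) {
    # IPv4 default routes bound to this adapter (none is not an error here).
    $routes = @(Get-NetRoute -InterfaceIndex $nic.ifIndex `
                             -DestinationPrefix '0.0.0.0/0' `
                             -ErrorAction SilentlyContinue)
    $gateways = @($routes | ForEach-Object { $_.NextHop })

    # DNS servers configured on this adapter.
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                                         -AddressFamily IPv4 `
                                         -ErrorAction SilentlyContinue).ServerAddresses)

    if ($gateways.Count -gt 0 -or $dns.Count -gt 0) {
        [pscustomobject]@{
            Adapter      = $nic.Name
            Description  = $nic.InterfaceDescription
            Status       = $nic.Status
            Gateways     = $gateways -join ','
            DnsServers   = $dns -join ','
            # One host answering as both gateway and DNS matches the
            # behaviour described for the modified adapter.
            GatewayIsDns = [bool]($gateways | Where-Object { $dns -contains $_ })
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No USB network adapter is providing a default gateway or DNS server.'
}
```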