first published week of: 09/12/2016
Attackers can use rogue USB-to-Ethernet adapters to steal credentials from locked Windows, and possibly OS X, computers
Most users lock their computer screens when they temporarily step away from them. While this seems like a good security measure, it isn't good enough, a researcher demonstrated this week.
Rob Fuller, principal security engineer at R5 Industries, found out that all it takes to copy an OS account password hash from a locked Windows computer is to plug in a special USB device for a few seconds. The hash can later be cracked or used directly in some network attacks.
For his attack, Fuller used a flash-drive-size computer called USB Armory that costs $155, but the same attack can be pulled off with cheaper devices, like the Hak5 LAN Turtle, which costs $50.
The device needs to masquerade as an USB-to-Ethernet LAN adapter in such a way that it becomes the primary network interface on the target computer. This shouldn't be difficult because: 1) operating systems automatically start installing newly connected USB devices, including Ethernet cards, even when they are in a locked state and 2) they automatically configure wired or fast Ethernet cards as the default gateways.
For example, if an attacker plugs in a rogue USB-to-Gigabit-Ethernet adapter into a locked Windows laptop that normally uses a wireless connection, the adapter will get installed and will become the preferred network interface. continued…