Plug'n'play USB attack steals locked Windows creds

Rob "Mubix" Fuller.

No fix for cheap, easy hack.

A customised USB Ethernet networking adapter is all it takes to capture the credentials of a logged-in user in a locked Windows system, a researcher has found.

Security researcher Rob "Mubix" Fuller tried the hack with two USB devices - the Hak5 Turtle and USB Armory - configured to appear to a computer as Ethernet adapters, and added a Windows NetBIOS name service responder to capture the credentials.

Fuller also ran a DHCP server on the USB device to hand out IP addresses to the host's interface and advertise the device as its network gateway.

He found that he could obtain system credentials within around 13 seconds of plugging the USB device into a port on a workstation.

Mubix demonstrating the capture of system credentials via USB with a Windows 10 virtual machine.

Fuller was able to get login credentials from Windows 98 SE, 2000 Service Pack 4, XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home Editions.

He also believes he succeeded in using the USB device attack against Apple's OS X El Capitan and Mavericks operating systems, but is still testing whether it was a fluke.

Fuller said he was initially incredulous that it was possible to capture system credentials this easily.

"First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one that has identified this, but here it is - trust me, I tested it so many ways to confirm it because I couldn’t believe it was true," he wrote.

The flaw stems from how USB is designed, using the plug-n-play protocol for self-configuration.

Thanks to PnP, "even if a system is locked out, the device still gets installed," Fuller noted. Ethernet network adapters are also whitelisted from operating system restrictions on what devices can be installed with PnP.

Once the USB device is plugged into a computer, it presents itself as the network gateway, domain name system (DNS) server and web proxy auto-discovery protocol (WPAD) server, among other roles.

Fuller said computers constantly generate traffic, even with no applications open, and implicitly trust the local network: they try to reach other hosts and routers through the USB device, which lets an attacker capture the data they send.
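Part of the "constant traffic" Fuller describes is the NetBIOS name service (NBNS) broadcast a Windows host sends on UDP port 137 when it tries to resolve a name such as WPAD; a rogue responder on the USB adapter's link can answer that broadcast and become the proxy the host then authenticates to. The following Python is an added, detection-side example and is not Fuller's tooling or code from the article: it decodes an NBNS name query (RFC 1001/1002 first-level encoding) from a captured UDP payload and flags queries for watchlisted names, which is the signal a network monitor would look for. The sample packets and the watchlist are constructed here for illustration.

```python
import struct

# Names whose broadcast resolution a rogue adapter could answer; WPAD is the
# classic one. Constructed watchlist for this example, extend it as needed.
WATCHLIST = {"WPAD"}

NBNS_QTYPE_NB = 0x0020      # RFC 1002 NetBIOS general name service resource record
NBNS_FLAG_RESPONSE = 0x8000  # R bit: set on responses, clear on queries
NBNS_FLAG_BROADCAST = 0x0010  # B bit: broadcast/multicast query


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: 15 space-padded ASCII chars plus a
    one-byte suffix, each nibble mapped to the letters 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def build_nbns_query(name: str, trn_id: int = 0x1234) -> bytes:
    """Construct the UDP payload of a broadcast NBNS name query, as a Windows
    host emits it (constructed sample input, not a real capture)."""
    # header: transaction id, flags (RD|B = 0x0110), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", trn_id, 0x0110, 1, 0, 0, 0)
    # question: one 32-byte label, zero terminator, QTYPE=NB, QCLASS=IN
    question = bytes([32]) + encode_netbios_name(name) + b"\x00"
    question += struct.pack("!HH", NBNS_QTYPE_NB, 0x0001)
    return header + question


def parse_nbns_query(pkt: bytes) -> dict:
    """Decode the header and first question of an NBNS packet."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("packet too short for an NBNS question")
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if pkt[12] != 32:
        raise ValueError("unexpected NetBIOS label length")
    enc = pkt[13:45]
    if any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("label is not first-level encoded")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    if pkt[45] != 0:
        raise ValueError("missing label terminator")
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {
        "trn_id": trn_id,
        "is_query": not (flags & NBNS_FLAG_RESPONSE),
        "is_broadcast": bool(flags & NBNS_FLAG_BROADCAST),
        "qdcount": qdcount,
        "name": raw[:15].decode("ascii", errors="replace").rstrip(" "),
        "suffix": raw[15],
        "qtype": qtype,
        "qclass": qclass,
    }


def flag_suspicious_queries(payloads) -> list:
    """Return (transaction id, name, suffix) for every broadcast query that asks
    for a watchlisted name; a spoofed answer to one of these is the attack's foothold."""
    hits = []
    for payload in payloads:
        q = parse_nbns_query(payload)
        if q["is_query"] and q["is_broadcast"] and q["name"] in WATCHLIST:
            hits.append((q["trn_id"], q["name"], q["suffix"]))
    return hits


if __name__ == "__main__":
    # Constructed sample: one WPAD lookup and one ordinary file-server lookup.
    sample = [build_nbns_query("WPAD", 0x0101), build_nbns_query("FILESRV01", 0x0102)]
    for hit in flag_suspicious_queries(sample):
        print("broadcast NBNS query for %s (suffix 0x%02x, txid 0x%04x)" % (hit[1], hit[2], hit[0]))
```

Feeding this decoder the UDP/137 payloads from a capture on a host or span port shows how often workstations ask the local link who WPAD is; on a segment that has no legitimate WPAD host, every such query is one a newly attached "Ethernet adapter" could answer, which is why a hit from a host that was locked at the time is worth correlating with its device-installation events.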

There is currently no known fix for the vulnerability due to the way USB and network protocols are designed, beyond disabling the external device ports in the computer's BIOS.
