Plug'n'play USB attack steals locked Windows creds

By on
Plug'n'play USB attack steals locked Windows creds
Rob "Mubix" Fuller.

No fix for cheap, easy hack.

A customised USB Ethernet networking adapter is all it takes to capture the credentials of a logged-in user in a locked Windows system, a researcher has found.

Security researcher Rob "Mubix" Fuller tried the hack with two USB devices - the Hak5 Turtle and USB Armory - configured to appear to a computer as Ethernet adapters, and added a Windows NetBIOS name service responder to capture the credentials.

Fuller also ran a DHCP server to assign IP addresses for interfaces and a network gateway on the USB device.

He found that he could obtain system credentials within around 13 seconds of plugging in the USB device into a port on a workstation. 

Mubix demonstrating the capture of system credentials via USB with a Windows 10 virtual machine.

Fuller was able to get login credentials from Windows 98 SE, 2000 Service Pack 4, XP SP3, Windows 7 SP1, Windows 10 Enterprise and Home Editions.

He also believes he succeeded in using the USB device attack against Apple's OS X El Capitan and Maverick operating systems, but is still testing whether it was a fluke.

Fuller said he was initially incredulous that it was possible to capture system credentials this easily.

"First off, this is dead simple and shouldn’t work, but it does. Also, there is no possible way that I’m the first one that has identified this, but here it is - trust me, I tested it so many ways to confirm it because I couldn’t believe it was true," he wrote.

The flaw stems from how USB is designed, using the plug-n-play protocol for self-configuration.

Thanks to PnP, "even if a system is locked out, the device still gets installed," Fuller noted. Ethernet network adapters are also whitelisted from operating system restrictions on what devices can be installed with PnP.

Once the USB device is plugged into a computer, it becomes a network gateway, domain name system and web proxy autodiscovery protocol server, amongst others. 

Fuller said computers constantly generate traffic, even without applications open, and implicitly trust the local network and try to reach other hosts and routers via the USB device, which allows attackers to capture data.

There is currently no known fix for the vulnerability due to the way USB and network protocols are designed, beyond disabling the external device ports in the computer's BIOS.

Copyright © iTnews.com.au . All rights reserved.
Tags:
mubix networking rob fuller security windows

Most Read Articles

NBN Co adds 50 new suburbs to FTTC rollout

NBN Co adds 50 new suburbs to FTTC rollout
Ransomware strikes Victorian speed cameras

Ransomware strikes Victorian speed cameras
Ombudsman stunned by Vic CIO's 'calculated nepotism'

Ombudsman stunned by Vic CIO's 'calculated nepotism'
First NBN FTTC areas unlikely to be able to order retail service

First NBN FTTC areas unlikely to be able to order retail service
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
Building platforms for future health and education
Building platforms for future health and education
Breach Level Index Report
Breach Level Index Report

Events

Most popular tech stories

Log In

Username:
Password:
|  Forgot your password?