This Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials

Rob Fuller, a security researcher, has discovered a unique attack method that can steal credentials from both Windows and Mac computers, and possibly even Linux (not tested as of now).

Rob's attack is very effective against locked computers on which a user has already logged in.

This attack works because most computers will automatically install any plug-and-play (PnP) USB device once it is connected.

“Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, USB still gets installed,” Rob explained.

“I believe there are some restrictions on what types of devices are allowed to install at a locked out state on latest operating systems (Win10/El Capitan), but LAN/Ethernet is definitely on the white list,” he said.

When a rogue plug-and-play USB Ethernet adapter is installed, the computer gives out the local credentials needed to install the device.

Rob's modified device includes software that intercepts these credentials and saves them in an SQLite database.

The researcher's modified device also includes a small LED that lights up when the credentials are recorded.

An attacker would likely need physical access to the device to plug in the rogue USB Ethernet adapter, but Rob says the average attack time is 13 seconds.

Rob could not believe that this type of attack was possible, so he tested the scenario with USB Ethernet dongles such as USB-Armory and Hak5 Turtle.

He says the attack was successful against operating systems including Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. He is planning to test the attack against several Linux distros as well.
