Security News Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials

Exterminator

Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).

Fuller's attack is effective against locked computers on which the user has already logged in.

The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it's connected to.

Attack works because computers trust PnP devices
The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

"Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed," Fuller wrote on his blog yesterday.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

Modified USB Ethernet adapter logs PC credentials
When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the local credentials needed to install the device.

Fuller's modified device includes software that intercepts these credentials and saves them to an SQLite database.

The researcher's modified device also includes an LED that lights up when the credentials have been recorded.

Attack average runtime is 13 seconds
An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.

Fuller couldn't believe this type of attack was possible, so he tested the scenario with USB Ethernet dongles such as USB Armory and Hak5 Turtle.

He says the attack was successful against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. The researcher is planning to test the attack against several Linux distros as well. Below is a video of Fuller's attack in action.
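
A defensive check for the behaviour described above, added here as an example and not taken from the article or from Fuller's write-up: it correlates Windows workstation lock/unlock events (4800/4801) with new-device events (6416) and flags network adapters recognized while the session is locked. The sample events, host names and parsed field names are constructed assumptions, and event 6416 is only logged when PnP activity auditing is enabled.

```python
from datetime import datetime

# Windows Security event IDs: 4800 = workstation locked, 4801 = unlocked,
# 6416 = a new external device was recognized (requires "Audit PNP Activity").
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416
NET_CLASS = "{4d36e972-e325-11ce-bfc1-08002be10318}"       # network adapter setup class
KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"  # keyboard setup class

# Constructed sample, already parsed into (time, host, event_id, fields).
# The field names "ClassId" and "DeviceDescription" are assumed parser output.
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:05", "WS-01", LOCKED, {}),
    ("2024-01-15T09:12:40", "WS-01", NEW_DEVICE,
     {"ClassId": NET_CLASS, "DeviceDescription": "USB Ethernet adapter (constructed)"}),
    ("2024-01-15T09:30:00", "WS-01", UNLOCKED, {}),
    ("2024-01-15T09:31:00", "WS-01", NEW_DEVICE,
     {"ClassId": NET_CLASS, "DeviceDescription": "Docking station NIC (constructed)"}),
    ("2024-01-15T10:00:00", "WS-02", LOCKED, {}),
    ("2024-01-15T10:05:00", "WS-02", NEW_DEVICE,
     {"ClassId": KEYBOARD_CLASS, "DeviceDescription": "USB keyboard (constructed)"}),
]


def adapters_added_while_locked(events):
    """Return (time, host, device) for each network adapter that appeared
    on a host whose last lock-state event was 'locked'."""
    locked = {}  # host -> True while the workstation is locked
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    for ts, host, event_id, fields in ordered:
        if event_id == LOCKED:
            locked[host] = True
        elif event_id == UNLOCKED:
            locked[host] = False
        elif event_id == NEW_DEVICE and locked.get(host, False):
            # Only network-class devices matter here; a keyboard or a
            # storage device on a locked host is a different detection.
            if fields.get("ClassId", "").lower() == NET_CLASS:
                alerts.append((ts, host, fields.get("DeviceDescription", "unknown")))
    return alerts


if __name__ == "__main__":
    for ts, host, device in adapters_added_while_locked(SAMPLE_EVENTS):
        print(f"{ts} {host}: network adapter added while locked: {device}")
```

A host with no lock event in the window is treated as unlocked, so the lookback period has to reach the most recent 4800 or 4801 for each machine.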


 
