
Researchers Find a New Way of Stealing Your Login Credentials via USB Devices

Posted: September 10, 2016

USB Devices Can Steal Your Windows and OS X Passwords in Just 13 Seconds

You need to leave the computer for a few minutes, but you don't want to shut it down? You think that by leaving it locked, your information will be safe from curious eyes? Rob Fuller has found a worryingly simple way of proving you wrong. When we say simple, we don't mean the task is novice-friendly, but if modified correctly, an innocuous-looking USB device can be turned into a powerful password stealer.

What did Rob Fuller Do?

He was able to steal the passwords of users logged into locked systems using two different devices:

  • The USB Armory – a flash drive-sized computer which, ironically enough, was once dubbed by its creators "the Swiss Army Knife of security devices"
  • The LANTurtle – a USB ethernet adapter (supposedly designed for penetration testers) that can perform anything from DNS spoofing to Man in the Middle attacks

Fuller modified the firmware, plugged the devices into the USB port of a locked computer, and after about 13 seconds, he had the password of the logged-in user safely stored in an SQLite database. The passphrase was hashed, but cracking it presented no problems.

He performed tests on a number of computers running anything from Windows 98 SE to Windows 10, and he also tried it on a couple of machines running OS X El Capitan and OS X Mavericks. All the tests were successful. He promised that he'd try the same method on Linux as well, and as of right now, we're waiting for the update.

How Did Rob Fuller Do It?

The problem lies with the fact that both Windows and OS X trust Plug and Play USB devices too much. Even when they are locked, the operating systems are in a hurry to install the devices. At the same time, computers create network traffic all the time. All Rob had to do was use software that would intercept the traffic and store the password. With the USB Armory, he even programmed the LED light to notify him when the operation is complete.
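A defender-side check for the behaviour described above, as an added example that is not part of the original article or of Rob Fuller's work: it flags devices that Windows recognized while the workstation was locked. It assumes the Security log audits event IDs 4800 (workstation locked), 4801 (unlocked) and 6416 (new external device recognized); the event dictionaries, their field names and the sample values are constructed for illustration, and lock state is tracked per host as a simplification.

```python
from datetime import datetime

# Windows Security event IDs (the matching audit policies must be enabled).
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample events for one host, not taken from a real log.
SAMPLE_EVENTS = [
    {"time": "2016-09-10T09:00:00", "id": 4801, "host": "WS-01"},
    {"time": "2016-09-10T09:05:12", "id": 6416, "host": "WS-01",
     "device": "USB Mass Storage Device", "class": "DiskDrive"},
    {"time": "2016-09-10T12:30:00", "id": 4800, "host": "WS-01"},
    {"time": "2016-09-10T12:41:07", "id": 6416, "host": "WS-01",
     "device": "USB Ethernet/RNDIS Gadget", "class": "Net"},
    {"time": "2016-09-10T12:41:09", "id": 6416, "host": "WS-01",
     "device": "USB Input Device", "class": "HIDClass"},
    {"time": "2016-09-10T13:02:00", "id": 4801, "host": "WS-01"},
    {"time": "2016-09-10T13:10:00", "id": 6416, "host": "WS-01",
     "device": "USB Ethernet Adapter", "class": "Net"},
]


def devices_added_while_locked(events):
    """Return alerts for devices recognized while the host was locked."""
    locked = {}   # host -> time of the lock event; absent when unlocked
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        host = ev["host"]
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked[host] = when
        elif ev["id"] == UNLOCKED:
            locked.pop(host, None)
        elif ev["id"] == NEW_DEVICE and host in locked:
            alerts.append({
                "host": host,
                "device": ev["device"],
                "seconds_after_lock": int((when - locked[host]).total_seconds()),
                # A new network interface on a locked machine is the case
                # the article describes, so rank it above other classes.
                "severity": "high" if ev["class"] == "Net" else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in devices_added_while_locked(SAMPLE_EVENTS):
        print(alert)
```

Devices plugged in before the lock or after the unlock are not reported, so the same adapter class is only flagged when it appears during a locked session.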

How Are People Reacting to Rob Fuller's Findings?

Tech enthusiasts are impressed with the capabilities of the USB devices. Some of them have performed tests of their own and have succeeded in executing exactly the same attack using the Raspberry Pi Zero. It should be noted that andreasdotorg, one of the users who read Rob Fuller's post, pointed out that by modifying the group policies, enterprises using Windows can mitigate the attack.

Nevertheless, Rob Fuller's research shows that in the wrong hands, plug and play USB devices can be quite dangerous. Hopefully, Microsoft and Apple will take note.
