back to article Spoof an Ethernet adapter on USB, and you can sniff credentials from locked laptops

Security consultant and blogger Rob Fuller has turned a USB SoC-based device into a credential-sniffer that works even on locked machines. Fuller's attack works by modifying the dongle; when it's plugged in, it installs and makes itself the victim's network gateway, DNS server, and WPAD (Web proxy autodiscovery protocol) …

  1. Christian Berger

    Yes, that's one of the bad design decisions of USB

    Since you can connect "anything" to USB, you can also connect things you don't expect, like ethernet cards, mass storage devices or input devices. Previously Windows didn't actually support USB in any meaningful way, but now since it does, there is some focus on USB security.

    Obviously the sane way to go would be to have dedicated ports again. Connect printers and scanners via Ethernet, connect input devices via some sort of overclocked PS/2, and have a special port for mass storage devices. That way you could essentially eliminate all harmful device spoofing...

    Of course now some dimwits are saying that "signed USB devices" will save us all. Well first of all I'd like you to acknowledge that the new USB keyboard you just plugged in is the one you actually want to have so it's signature can be stored. Secondly this will probably only be used for vendor lock ins.

    1. Charles 9 Silver badge

      Re: Yes, that's one of the bad design decisions of USB

      "Obviously the sane way to go would be to have dedicated ports again. Connect printers and scanners via Ethernet, connect input devices via some sort of overclocked PS/2, and have a special port for mass storage devices. That way you could essentially eliminate all harmful device spoofing..."

      Not really. What's to stop an evil keyboard from presenting itself as TWO keyboards or simply transmitting stuff AS that keyboard. Same with mass storage; just present as TWO mass storage devices, one of which can perform auto-launching tricks (even with AutoRun turned off). Plus the reason these things have appeared is because uses have arisen for them, such as non-Ethernet laptops needing to hook up to a wired network or one with a single port needing to connect to two of them. Or someone needing extra desktop real estate but only has one video port.

      Besides, do you REALLY want to go back to the jungle days of finicky PS/2 ports that require interrupts and can seize the system if you unplug them and so on? Remember SCSI terminator packs? The fat Centronics printer connections? Oh, and multi-function devices don't have a universal network communication standard, meaning you're usually locked into the vendor's software there or you probably can't use say the scanner over a network.

    2. Anonymous Coward
      Anonymous Coward

      No, signed devices would be the fix

      Leave a way to turn it off for people like you who are more afraid of lock-in than being hacked, and let the rest of us have good security.

      Even if it would work, who the hell wants to have a dozen USB ports with only one of any given type. I can't plug two USB storage devices in at once because I have only one port for it? I have to waste a perfectly good USB printer port because I don't have a USB printer? Hey, I just bought a USB webcam but don't have a webcam port...guess I need to buy a new PC. And that's supposed to be better than vendor lock-in??

      1. Charles 9 Silver badge

        Re: No, signed devices would be the fix

        Signed USB hardware won't save you from evil hardware inserted behind the USB chip (such as can be expected from an evil USB keyboard or network dongle). And we already know state actors are attacking storage devices at the firmware level: both OS- and interface-agnostic.

        USB isn't really the problem here. It's attacks on hardware at levels no end user has the ability to verify. IOW, this is damn close to DTA Mode.

        1. Adam 52 Silver badge

          Re: No, signed devices would be the fix

          In the old days Windows would say "new hardware found, would you like to search for drivers".

          Going back to that model would stop, for example, a memory stick installing network drivers.

          1. Gotno iShit Wantno iShit

            Re: No, signed devices would be the fix @Adam 52

            In the old days Windows would say "new hardware found, would you like to search for drivers".

            It'll still do that if you tweak a few policy settings but as usual the defaults are set for convenience not security. See the link below.

            https://msdn.microsoft.com/en-us/library/bb530324.aspx#grouppolicydeviceinstall_topic3b

            There is no defence as far as I am aware if an attacker uses a modified device for which the driver has already been installed. But if the attacker knows what devices you use and what USB ports you use them on you're hosed anyway.

          2. John Brown (no body) Silver badge

            Re: No, signed devices would be the fix

            "In the old days Windows would say "new hardware found, would you like to search for drivers".

            And since, to find the right driver, the OS already knows something about the device, make it say something a bit more meaningful than just "new hardware" before the user blindly clicks yes. ANd what's with Windows "detecting new hardware" if you happen to plug the same bloody keyboard or mouse you always use into a different sodding USB port? Part of a good lockdown should include not allowing a user to install new drivers anyway, let alone the damned system doing it automatically.

            I actually think this hack is a bit of a non-even really since the sort of system this is meant to target should be properly locked down and not allowing a device to install new drivers willy nilly.

        2. Mage Silver badge
          Coat

          Re: No, signed devices would be the fix

          USB *IS* the problem, and since it's inherent, it can't be fixed, only mitigated by a dialogue for yes / no and temporary / permanent for each "device" the USB dongle/mouse/keyboard/PSU/etc found/handed at show/bought/arrived as free sample etc. The automatic installation of USB devices has to stop.

    3. Warm Braw Silver badge

      Re: Yes, that's one of the bad design decisions of USB

      You think that's bad. PCMCIA cards of old and eSATA ports (among others) potentially have DMA access to the whole of memory, depending on how well or how badly the drivers and controllers sanitise the addresses that pass across them.

      1. Dwarf Silver badge

        Re: Yes, that's one of the bad design decisions of USB

        The same attack was also used in FireWire, which could DMA any memory address, so you could pull the running device's memory image out for off-line analysis

        Info for those who want it is here

        Obviously that would take longer than 13 seconds, but gave access to a lot more information.

        I note that Linux offers an option to disable DMA for things like firewire now, hence thwarting this issue. Perhaps the other OS's should do something similar.

    4. Anonymous Coward
      Anonymous Coward

      Re: Yes, that's one of the bad design decisions of USB

      Or for a far simpler solution - just don't respond to devices being plugged in while the OS is locked.

      1. Wade Burchette Silver badge

        Re: Yes, that's one of the bad design decisions of USB

        "Or for a far simpler solution - just don't respond to devices being plugged in while the OS is locked."

        Sometimes, the OS needs to install hardware while it is locked. If you replace your keyboard, for example, and you must enter a password, how will you enter the password if new hardware is not installed until after you enter the password?

        1. Stoneshop Silver badge

          Re: Yes, that's one of the bad design decisions of USB

          If you replace your keyboard, for example, and you must enter a password,

          Hot-plugging while locked only for HID, anything else can wait until the user is at the console again. There'll probably be flaws in this approach too and other ways to extract credentials from a locked machine, but at least this attack will be foiled.

      2. OtotheJ

        Re: Yes, that's one of the bad design decisions of USB

        ...Not so good if you've plugged in a new USB keyboard before logging on :-)

    5. BlartVersenwaldIII
      Coffee/keyboard

      Re: Yes, that's one of the bad design decisions of USB

      > Of course now some dimwits are saying that "signed USB devices" will save us all. Well first of all I'd like you to acknowledge that the new USB keyboard you just plugged in is the one you actually want to have so it's signature can be stored.

      In order to avoid these problems, vendors are innovating and are planning on introducing a dedicated type of interface for HID devices like mices and keyboard called Peripheral-Specific USB2 (to be shortened to PS/2). It's going to use a completely different style of connector (circular rather than square) so as not to be confused with regular USB.

    6. heyrick Silver badge

      Re: Yes, that's one of the bad design decisions of USB

      This might be simplistic and stupid, but why not just have the computer ignore USB devices until the user specifically clicks a doodah saying "Yes, I want to use this device" ?

      The problem isn't that USB is insecure (things can be spoofed, but spoofing works all over the world - think about fake licence plates and counterfeit money), the problem is that the operating system will see a device, blindly install drivers for it (if it can), and then start talking to it. It is useful that one can plug in a new USB harddisc and it'll "just work", but it is considerably less useful when you take a moment to consider the opportunities that present themselves if the computer will not only install the device but would go a step further and try using and/or autorunning it. The possibilities are... worrying.

    7. druck Silver badge
      Stop

      Re: Yes, that's one of the bad design decisions of USB

      Christian Berger wrote:

      Obviously the sane way to go would be to have dedicated ports again. Connect printers and scanners via Ethernet, connect input devices via some sort of overclocked PS/2, and have a special port for mass storage devices. That way you could essentially eliminate all harmful device spoofing...
      That wouldn't stop this at all, as long as its port you can plug a programmable device in to the port, it can be compromised.

      A better way would be to ensure that network cards are only recognised when plugged in to the machine's internal expansion bus. It takes a longer than 13 seconds to get the cover off the machine and swap a card over, can't be done when powered up, and is a lot more obvious to anyone watching.

    8. Tom Samplonius

      Re: Yes, that's one of the bad design decisions of USB

      "Since you can connect "anything" to USB, you can also connect things you don't expect, like ethernet cards, mass storage devices or input devices. "

      Actually, the attack as presented, doesn't need USB. The issue is that when connecting to a wired network (and most wireless networks), credentials are presented to the far end (and data is sent), before knowing what the far end is. You could create an ethernet based solution that does that the same type of collection. USB is more convenient, since development board exist, and USB provides power.

      And inline ethernet device with pass through capability would be more damaging, as it could actually present a working network connection, while still collecting important data.

  2. getHandle

    13 seconds?

    It can take windows that long to notice a USB mouse being plugged that it has seen before on the same port!

    To detect, install and start using a brand new device? Probably need a reboot before it started working...

    1. A Non e-mouse Silver badge

      Re: 13 seconds?

      I always wonder why it takes Windoze so long to get a keyboard working when other O/Ss manage it in a second or so.

      Can anyone explain?

      1. Nick Ryan Silver badge

        Re: 13 seconds?

        AFAIK it's partly because of a dumb-as USB implementation within Windows which may in part have been caused by USB device manufacturers taking shortcuts (for cost saving reasons) and failing to provide a manner to categorically identify a USB device rather than just the class/model of the device. Categorically identifying a USB device requires that it has a unique ID programmed into it somehow but this cost that the manufacturers of volume, cheap as possible devices would rather avoid. I'm not sure whether or not this unique ID is a mandatory specification or not as it's a long time since I read the specifications and these things are probably different between device classes and USB revisions.

        Windows stores the device configuration against the port that the device was connected to. Merely moving a device from one port to another triggers Windows into believing that this is an entirely new device and to install fresh drivers or configuration for it. This could have been avoided if there was a unique ID to trust and that Windows trusted this, however Microsoft chose to implement a per-port configuration model. While the per-port configuration is daft it does often help because as with anything registry based the damn configuration does get corrupted (likely due to a horrible database such as the registry not being transactional and it not being possible to apply settings atomically). In this case when a device stops working when plugged into one port you can simply move it to a different port for it to start working again as it will have fresh configuration.

        1. Ken Hagan Gold badge

          Re: 13 seconds?

          @Nick: The ID is, as you suspect, mandatory for some device classes and not for others. Windows implements both per-port and per-ID recognition of devices, falling back on the former only if the device turns out to have no ID.

          A question for the hardware people out there: What's the cost of ensuring that your mass-produced devices all have unique IDs (or even "statistically very likely to be unique" ones)?

          1. Anonymous Coward
            Anonymous Coward

            Re: 13 seconds?

            Have a spot in PROM/Flash for a GUID and done. Of course the operating system would have to "know" what to do with that type of information. It's what I've done with GUID forever for any data uniqueness requirement.

  3. mr_souter_Working

    Drivers?

    i wonder if that would work on systems where the logged in user does not have rights to install device drivers, or where the organisation uses technology to prevent any unknown USB devices from being installed.

    1. Ken Hagan Gold badge

      Re: Drivers?

      I don't think the logged-in user (presumably you mean one of the possibly several users logged in at the console) is the one running any of the code involved, so I don't think their rights would ever be relevant.

      I would hope, however, that blocking unknown USB devices (if practised) would be effective.

  4. Anonymous Coward
    Anonymous Coward

    "In the process of trying to install what it thinks is an Ethernet adapter, the target machine will send its credentials over the spoofed network."

    Am I the only one who read this and thought "huh"? Where is it sending these "credentials"? Are we talking domain joined PCs authenticating to update AD DNS or something? How is it getting around encryption?

    1. Anonymous Coward
      Anonymous Coward

      IMHO it's a non-domain joined machine that is sending NTLM hashes. A domain joined one should be using Kerberos. Anyway if it's spoofing some key services, it will have a lot to work on.

  5. Anonymous Coward
    Anonymous Coward

    Oh look, there's a dongle in one of the USB ports of my laptop

    Slight flaw methinks.

    1. Jellied Eel Silver badge

      Re: Oh look, there's a dongle in one of the USB ports of my laptop

      Oh look, there's a cleaner with a dongle. Who'd notice?

      The attack requires physical access for not very long. So challenge is to get that access.. Or more importantly, prevent it. Some secure sites have been trying to prevent USB, but it's ubiquity and lack of support for non-USB keyboards and mice can make that tricky.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh look, there's a dongle in one of the USB ports of my laptop

        Lets just say, I do not know if anyone has tried it but it would probably work.

        But imagine what a cleaner, with access to any kind of business, could do with half a dozen usb keyloggers to fit between the keyboards and a pc.

        Because if I owned any businesses like those, I would both superglue in all keyboards and locktite the usb sockets. Possibly also shield the cables.

        Yes it is a one in a million chance you get targeted, but if I can think of it so can the cleaner.

        1. Nick Ryan Silver badge

          Re: Oh look, there's a dongle in one of the USB ports of my laptop

          You may think it's rare, but I know that a few years ago (4+?) Imperial College London was on the receiving end of USB dongle interception devices - and given the targets it was judged not to have been students behind it.

          These types of devices are particularly hard to spot because if your keyboard and mouse are on your desk and the wires run to the PC under the desk, when was the last time that you checked that there wasn't another cable inserted into this arrangement?

          1. Jellied Eel Silver badge

            Re: Oh look, there's a dongle in one of the USB ports of my laptop

            It's one of those areas where protection needs thinking outside the IT security box. Easiest way to hack a network is usually from the inside, and easiest way to get inside might be via a cleaning contractor. High staff turnover, and often supervised by someone looking for dust, not dongles. Port locking can go some way to slowing down connection of foreign devices, but this kind of attack is harder to stop. Having virtualised desktops might be one way, but still vulnerable to keylogger dongles.

            1. Charles 9 Silver badge

              Re: Oh look, there's a dongle in one of the USB ports of my laptop

              "Having virtualised desktops might be one way, but still vulnerable to keylogger dongles."

              Not just dongles. Evil keyboards. They can be done by contractors sent to replace bad keyboards. And this attack would be OS-agnostic.

            2. Ken Hagan Gold badge

              Re: Oh look, there's a dongle in one of the USB ports of my laptop

              "outside the IT security box"

              I agree, but is this really, still, considered outside the box? I thought this was common knowledge before I was born? Almost everyone inside an organisation is paid less than the value of the information that they have access to and in most cases there are enough of them with access that you'd never be able to prove it in court unless you caught them red-handed.

              1. Anonymous Coward
                Thumb Up

                Re: Oh look, there's a dongle in one of the USB ports of my laptop

                Insider threat is the largest single threat category and reason enough to have networks crunchy on the inside and monitored to a fare-the-well. I don't think I've ever read an industry security newsletter where that isn't the case over the last couple of decades. Before or after the internet.

              2. Jellied Eel Silver badge

                Re: Oh look, there's a dongle in one of the USB ports of my laptop

                I agree, but is this really, still, considered outside the box? I thought this was common knowledge before I was born?

                It should be, and often was in places that told you what color bikini to wear that day. But take finance, where there are strict audit and compliance rules. Yet the LIBOR rigging showed the participants happily co-ordinating via their own IM channel. And then there's BYOD, with all the potential risks that entails. The physical side can also be overlooked. So a company may have a nice, secure data centre or comms room with strict access control to authorised persons only. And a couple of cleaning passes. Closing that vector can get tricky, ie having IT staff supervising, or doing the cleaning themselves. Or executives who sometimes think IT policy applies to staff, not them, and they should be allowed whatever gizmo they fancy. Despite often being the most obvious targets.

        2. Loyal Commenter Silver badge

          Re: Oh look, there's a dongle in one of the USB ports of my laptop

          Because if I owned any businesses like those, I would both superglue in all keyboards and locktite the usb sockets. Possibly also shield the cables.

          It's nice to know you have the budget to replace the entire machine when your el-cheapo USB keyboard fails then.

          1. DropBear
            Trollface

            Re: Oh look, there's a dongle in one of the USB ports of my laptop

            "It's nice to know you have the budget to replace the entire machine when your el-cheapo USB keyboard fails then."

            Oh, I suppose he would just have to shear off the cable somewhere and braze on the new keyboard directly to the copper wires...

      2. Anonymous Coward
        Anonymous Coward

        Re: Oh look, there's a dongle in one of the USB ports of my laptop

        @Jellied Eel - Thanks, re-read the article and I see how it works now.

    2. Lotaresco Silver badge

      Re: Oh look, there's a dongle in one of the USB ports of my laptop

      Why would it have to be a dongle installed by someone else? The user could be conned into buying and installing a device that does more than it is supposed to. BadUSB is a known phenomenon, with even reputable looking organisations supplying USB devices that don't only do what they are supposed to do. There were the bar code scanners that contained "Zombie Zero" for example. These devices were supplied via reputable suppliers in the US/UK who didn't know that they were shipping malware infested devices to their clients.

      Zombie Zero barcode scanners

      There are also multi-function USB devices such as the 3g and 4g modems that also contain USB storage, usually in the form of a micro-SD card reader. It doesn't take much imagination to think of one of these devices being compromised to sniff credentials and to store the information on the SD card. The user would be unaware of what was going on and the device could "phone home" occasionally to dump the information it had gathered.

  6. Anonymous Coward
    Anonymous Coward

    If the laptop has an ethernet port already, you can simply plug into that to get the same effect.

    (As more and more laptops are wireless-only then it's less of an issue of course)

    > Where is it sending these "credentials"

    Probably SMB drive mounts. See El Reg passim; Microsoft now tell you to block all SMB and NetBios ports at your firewall.

    1. Stoneshop Silver badge

      Wired

      If the laptop has an ethernet port already, you can simply plug into that to get the same effect.

      For an autonomous device able to collect the data the same way as described here that would require a short length of cable, a port (or at least the magnetics thereof), something that speaks IP, and a power source. Doesn't need to be much bigger than the USB dongle, but not all laptops have Ethernet ports anymore, and if they do they're often not quite as accessible as its USB ports. Desktop PCs have their network port somewhere on the rear and nearly always in use anyway, but a free USB port on the front would be there in a lot of cases.

      And the USB device gets provided with power by the target.

  7. Kevin McMurtrie Silver badge
    Big Brother

    Hmmmm

    That's not how authentication hashes are supposed to work. I wonder the experiment was performed on a LAN with bad security and everyone configured their laptop to enable blacklisted protocols. Toss a 1990s era music file server on the network and post instructions for connecting. sudo sysctl -w ...

  8. Peter 26

    Inconspicuous dongle

    On a side note. I don't get the point of these dongles looking like USB Ethernet Adaptors. If the idea is to leave the dongle connected to a LAN for remote access then it needs to plugged in permanently. You're not going to leave the laptop there permanently are you? So it ends up plugged into a power socket USB charger, looking really suspicious having a network cable going towards the power sockets. I guess you could plug it into a desktop if they have any, but again slightly suspicious to an IT person. Wouldn't it be better to make it look like a POE adaptor, even act like one?

    1. Stoneshop Silver badge
      FAIL

      Re: Inconspicuous dongle

      If the idea is to leave the dongle connected to a LAN for remote access then it needs to plugged in permanently.

      Have you read the article? It doesn't. It collects the credentials the PC thinks it's sending to the domain controller (because that new interface is now the default gateway), then it gets pulled out again by the cleaner/janitor/inconspucuous visitor. Needs 13 seconds for that.

      Afterwards the collected data gets used to access the target in some other way.

    2. Anonymous Coward
      Anonymous Coward

      Re: Inconspicuous dongle

      It's to harvest credentials in a quick, easy, and replicable manner. WIth the newest version of L0phtcrack (version 6) hitting the streets, cracking the hash shouldn't be too onerous.

  9. Anonymous Coward
    Anonymous Coward

    Far from a 'non story' this is a serious flaw but there are ways to prevent it.

    There are software products and even BIOS versions which are written specifically to prevent users plugging in non approved USB hardware, they can be configured to lock down the port or even the whole machine.

    While it wouldn't be impossible to add a bit of keylogger microcontroller goodness inside a keyboard that snarfed login credentials, those sites which have that level of security also require smartcard login credentials too.

    The support calls are a PITA when Jules in admin plugs in her iPhone to charge it but it does prevent her stealing data from the company by downloading it onto her phone or uploading some nasty that's on her phone.

    Plus, staff should know that their machine will lock out if they plug random crap into it.

    'Nonymous because I can't tell you which sites.

  10. John H Woods Silver badge

    So...

    ... the fantasy USB stick beloved of crime and spy dramas which can subvert a computer just by being shoved into a locked computer is actually real!

    1. TechnicalBen Silver badge
      Holmes

      Re: So...

      You've never seen Windows Autorun have you? (It was the "CD" back before the usb on all those spy shows)

      Sherlock, I guess he used a letter knife instead.

      1. hplasm Silver badge
        Big Brother

        Re: So...

        "Sherlock, I guess he used a letter knife instead."

        Or the long letter tweezers loved by the Stazi, to unroll and extract without opening the envelope...

    2. Lotaresco Silver badge

      Re: So...

      " the fantasy USB stick beloved of crime and spy dramas which can subvert a computer just by being shoved into a locked computer is actually real!"

      Is real and has been real for some considerable time.

      If the computer will boot from USB then all you needed at one time was to boot from your own Linux distro with a suitable array of hacking tools and attack the HD. If Windows was set to autorun media then you could install your own malware and own the user's account. Rubber duckys exist and can be used to hack someone else's PC.

      Rubber Ducky

    3. Anonymous Coward
      Anonymous Coward

      Re: So...

      I believe it has been for awhile.

      Wasn't Stuxnet introduced into the Iranina systems that way?

  11. Karl Vegar

    Oh, nasty. And difficult to protect against.

    For the no USB on a locked machine crowd: Ever had to replace a keyboard? Kind of difficult unlock if you can't use the new keyboard.

    For the no auto install of USB without clicking on something: Ever replaced a keyboard (so you can unlock) or mouse (so you can click)?

    For the reboot required crowd: What are the odds you need to replace x for your C*O with the machine locked, and that important draft not saved...

    For those not reading thearticle, and seeing this as something that needs both ethernet access and external power: RTFA. The device would look like a largeish USB thumb drive. To the machine it appears to be a generic ethernet card (drivers already installed), with a network behind it. And since this fake network is wired, new and unreasonably fast, it becomes the new default. Then the computer tries to do something on the network, and the credential hash is uploaded to the DB on the device. Plug it in, look at the lights / give it half a minute, unplug and move on.

    Best way I can see to mitigate it, train your users to log out or power down when they leave for any period of time. Or make sure anyone with physical access to the USB ports are trustworthy.

    1. phuzz Silver badge

      I suppose as a bofh you'd have to have a spare keyboard (ideally an uncommon one) that was pre-authorised on all the machines in your office. If you had to replace one for a user, you could rock up with your trusted keyboard, in order to authorise the new one.

      Imagine the cursing when you realised that you'd forgotten to pre-authorise it on the CEO's new laptop.

      Perhaps a list that could be altered in BIOS/UEFI would be better.

      1. Charles 9 Silver badge

        And THAT just gives the Insidious Insider a known target to replace with a subverted device with the same signatures. Now all you need is a way to force the keyboard you want to break.

    2. Anonymous Coward
      Anonymous Coward

      Or even don't use windows on your machines.

      1. Charles 9 Silver badge

        "Or even don't use windows on your machines.'

        Ethernet is below the software layer, so this attack can be made OS-agnostic since you can duplicate almost any behavior you want on an imitation Ethernet device. Heck, if the device is fed keys ahead of time, it could probably even successfully imitate a secured connection.

    3. TonyHoyle

      Why would it become a route for any network traffic? The OS shouldn't be changing its default route on a whim because something answered ping faster (maybe windows does, but I'm sure even MS aren't that stupid, surely?).

      1. Sir Runcible Spoon Silver badge

        If two potential paths to a destination appear in the routing table (such as directly connected) with the same priority then the choice will come down to other parameters, such as icmp response times and wotnot.

        You could also do something to nobble the 'other' link if your nefarious one turned out to be too slow to be chosen.

    4. TechnicalBen Silver badge
      Angel

      I agree, but I'd then lock the PC in a cabinet. If these people cannot be trusted with the hardware, don't give them access.

      1. Charles 9 Silver badge

        OK, so what if the Insidious Insider is an IT guy?

  12. andy 103 Silver badge

    A totally hypothetical situation then

    As usual with these "security" stories, it's all so hypothetical.

    First of all, this is a modded USB adaptor. This isn't something manufacturers are selling in stores that the world at large is using. This is one single device, that one person has created.

    Secondly, it requires physical access to the machine. Do you often let people just plug random USB devices into your computer? If you're doing anything which is security critical and are doing that then you should look for another job.

    As usual - something and nothing. It's all "this could/might happen, if..." when neither are actually happening in reality. A total non-story, in other words. But I guess it gives people who are interested in security something to think they're experts on.

    1. Lotaresco Silver badge
      Meh

      Re: A totally hypothetical situation then

      It is usual for people who know little about security to respond that threats are hypothetical and unlikely to happen. This story covers details of a proof of concept. It usually doesn't take long for the black hat organisations to capitalise on the proof of concept. This idea doesn't need someone else to plug something into your computer, all it needs is for someone to offer you something that you think is worth plugging into your computer.

      A free USB to Ethernet connector, perhaps? A fan? A free USB memory stick handed out at trade shows? Free USB chargeable torch? I can think of many devices that people pick up and plug in without giving much thought to what they are doing.

      People are dumb. People will plug almost any device into their computer without thinking about what they are doing.

      Look at this for example, possibly one of the dumbest ideas ever. A promotional item that you plug into a USB port and it takes your default browser to the promoters website (or any website that they choose, including malware infested sites). Who would be stupid enough to plug a card they were handed at a show or that dropped out of a magazine into their PC? Lots of them, apparently.

      Paper USB key for promotions

    2. StatsBoy

      Re: A totally hypothetical situation then

      I believe if you re-read the article, it provides not one but two locations to buy the hardware to pull this off. And from following the link to the original researcher's page, even someone with my weak linux-foo skills should be able to pull off the capture.

      Now, I personally have no idea what to actually DO with the captured data, but I'm sure there are plenty of people with that knowledge...

    3. Anonymous Coward
      Anonymous Coward

      Re: A totally hypothetical situation then

      Speaking of USB hacks in general:

      1) Of course it's a custom device. You don't need millions to compromise a machine or a network.

      2) You don't really need physical access to a machine. Drop it on the ground outside of the target facility - someone will pick it up, carry it in and plug it into their PC. I believe that is how Stuxnet entered the Iranian network.

      3) If you don't plan for "hypothetical" situations, you aren't doing your job. They are only hypothetical UNTIL AFTER you're hacked.

    4. SaltyOldMan

      Re: A totally hypothetical situation then

      Still think its hypothetical?

      https://room362.com/post/2016/snagging-creds-from-locked-machines/

  13. oldcoder

    Just another NTLM hack

    It just another NTLM hack - and one that has worked for almost 20 years - and continues to work.

    Microsoft has labeled it as a "feature" and refuses to fix it.

    1. Ken Hagan Gold badge

      Re: Just another NTLM hack

      If it is an NTLM hack then Microsoft fixed it years ago. NTLM isn't enabled by default anymore and corporate users should have disabled it back in 2000 or so when NTLMv2 turned up.

      Funny how Linux supporting (optionally) ancient hardware and protocols is a sign of how great FOSS is, whereas Windows doing the same is a sign of why closed source is evil.

  14. tr1ck5t3r
    Trollface

    Another hole plugged in the colander.

  15. Anonymous Coward
    Anonymous Coward

    Look What I Found!

    Oh, dear.

    Yet another use for the "leave a usb device on the ground outside the office" type hack.

    1. Charles 9 Silver badge

      Re: Look What I Found!

      That's not even considering the Ol' Switcheroo.

  16. Lotaresco Silver badge

    That didn't take long...

    USB / Ethernet adapters that can be used for this exploit are now available for $50. Or would be available if it weren't for the fact that they sold out so quickly that they are now on back order to the end of the month.

    So " This isn't something manufacturers are selling in stores that the world at large is using. This is one single device, that one person has created." is no longer true. This is now into the realms of "This is a popular device that many hackers have access to."

    It should be a warning to tighten up procedures around the use of USB devices and, in a corporate context, of taking care with supply chain assurance. If your company is involved in STEM then it is probably of interest to countries with a track record of industrial espionage. If your business is the Law or financial services then you are already of interest to organised crime.

    1. Anonymous Coward
      Anonymous Coward

      Re: That didn't take long...

      "It should be a warning to tighten up procedures around the use of USB devices and, in a corporate context, of taking care with supply chain assurance. If your company is involved in STEM then it is probably of interest to countries with a track record of industrial espionage. If your business is the Law or financial services then you are already of interest to organised crime."

      And if your business attracts the attention of state-level adversaries with deep pockets, heaven help you...

      1. Version 1.0 Silver badge

        Re: That didn't take long...

        And if your business attracts the attention of state-level adversaries with deep pockets, heaven help you...

        No use looking for help there. As far as ubiquitous USB devices go, it strikes me that most of the commentators here don't get out much.

        It used to be that when you attended an academic conference, the proceedings were a thick paper book. I haven't been given one in ages now - every conference for years has just handed out a USB drive... so handy, all your targets gathered together and hacked as soon as they get back to their rooms and read the proceedings ... and then VPN (for security ha ha) back to their office.

        1. Anonymous Coward
          Anonymous Coward

          Re: That didn't take long...

          "every conference for years has just handed out a USB drive"

          I worked for a company that purchased branded USB drives as a form of advertising.

          Turns out they came to us infected with malware, which we then proceeded to hand out like candy....

          But they were free!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020