Imagine you’ve been at work for a few hours. It’s time to get up, grab a coffee and some morning tea. You’ll only be away from your desk for ten minutes so you know it will be easier to just hit the lock screen on your workstation than to completely log out and then log back in again when you return. No one has your password so your workstation is safe, right?
Many people believe that leaving their computer unattended won’t pose any security risks as long as the device is locked. However, researcher Rob Fuller, principal security engineer at R5 Industries demonstrates that an attacker with physical access to your device can capture your login credentials (username and password) in under a minute if your computer is still logged in.
How it works
Fuller tested the attack method using USB Armory and Hak5 LAN Turtle, two USB drive-size complete computers designed for security application and penetration testing. Each was loaded with hacking app ‘Responder’. When plugged in, these devices capture credentials from a locked, logged-in system by disguising them as a USB Ethernet adapter.
He explained that the hack worked on all versions of Windows and expressed disbelief at how easily he was able to obtain the login details of the workstation. Sure, the data is encrypted, but it can be decrypted easily at another time. The success of this attack is the speed with which credentials can be taken to be used later.
In his report Fuller writes that he “tested it so many ways to confirm” since he had such a hard time believing it was possible. “This is dead simple and shouldn’t work, but it does.”
What it looks like
In an email to Ars Technica, Fuller explained:
“What is happening in the video, is the USB Armory is being plugged into a locked (but logged in) system. It boots up via the USB power, and starts up a DHCP server, and Responder. While it’s doing this, the victim is recognizing it as a Ethernet adapter. The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the “real” network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as “trusted” it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified the Armory shuts down (LED goes solid).”
Surely the scariest thing is how easily and quickly this technology can be adapted to perform more efficiently for less. Mubix reported that some people have already had success with a similar setup on a RaspberriPi Zero, making the cost of this hack around $5 with 10 minutes of configuration.
For further technical information on how his hack works, you can read Fuller’s full report.
What you can do
Anti-Malware programs can’t block attacks like this one. This kind of attack is completed by an entire computer within a usb stick that uses a design flaw in Windows to get in and is how many operating systems deal with newly connected hardware.
Fuller endorses this prevention post: An intro to Windows Device Guard.
But, your simplest and best defence?
Don’t leave your workstation logged in while it is unattended. As seen above, even if you lock the screen, your login credentials can be obtained in under a minute.
Have a great (malware-free) day!