Skip to main content

Evil USB Stick Steals PC, Mac Logins in 13 Seconds

Have you ever devised an elaborate plan, only to see it foiled by a trivial mishap that you could have easily seen coming? If so, you know how Microsoft and Apple must be feeling right about now.

A clever new hack can steal login credentials from nearly any Windows computer, and possibly from Macs as well. While the programming is a little demanding, a ,moderately skilled Linux user could theoretically accomplish it with only $50 and 13 seconds of spare time.

MORE: Best Antivirus Protection for PC, Mac and Android

Rob Fuller, a Virginia-based security researcher for R5 Industries in Austin, Texas, posted the information on his Room362 blog, and appeared positively flabbergasted that his hack actually worked.

"There is no possible way that I’m the first one that has identified this, but here it is," Fuller wrote. "Trust me, I tested it so many ways to confirm it because I couldn’t believe it was true."

Briefly, by using a miniature computer built into a USB stick and a little programming know-how, a savvy attacker could connect a thumb drive to a computer and trick said computer into transmitting login data — even if the computer is currently locked.

Fuller started with the $155 USB Armory, a miniature Linux-based computer that runs on a single USB stick. (The $50 Hak5 Turtle, also Linux-based, would also work, he said.) He then programmed the USB Armory to claim it was providing an Ethernet connection, much as common USB-to-Ethernet adapters currently do, as well as a local area network (LAN), which USB-to-Ethernet adapters don't normally provide.

To begin the attack, Fuller would just have to plug the attacking computer straight into the target computer.

Here’s the really clever part: By default, most Windows and OS X computers prioritize Ethernet connections over Wi-Fi ones, even if those computers are locked. Because workplace computers transmit their user-login information when connecting to the workplace network, those credentials are sent to the Linux machine on the USB stick, and the rest of the job involves just good, old-fashioned data-snooping and password-hash cracking (very easy to do on older versions of Windows).

On average, Fuller said, he was able to get credentials from locked machines in 13 seconds.

"If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out (yes, logged in, just locked)," Fuller wrote.

It’s not too hard to imagine what kind of havoc an attacker could wreak with professional login credentials, especially since many workplaces allow their employees to log into vital services remotely.

While such an attack could theoretically be as catastrophic, the everyday user might not need to panic just yet. First and foremost, Fuller is a penetration tester, or "pen tester" -- his job is to test the security of workplace networks and systems by trying to break into them. Both of the USB-based Linux computers Fuller used to test his software are built for pen testers. 

For a malefactor to target a home computer, he or she might need to be sure that that computer automatically transmits login credentials over Ethernet, which home consumer systems don’t necessarily do. He or she would also need to break into a house, apartment or hotel room, making computer hacks the least of a user’s worries. (Breaking into a workplace is often the first part of a pen tester's assignment.)

Still, the issue is as severe as it sounds when it comes to workplace machines, and Microsoft and Apple will probably want to address it as soon as possible.

Fuller made the attack work on Windows 98, 2000, XP, 7 and 10 (both Enterprise and Home), and it's safe to assume it might work on Windows Vista and 8/8.1 as well. He wrote that he also got it to work on OS X Mavericks and El Capitan, but added that "I’m still testing to see if it was a fluke, or my own configurations."

In the meantime, keep an eye on your laptop whenever it’s with you, and make sure you don’t do anything to tick off your tech-savvy roommates or family members.