Exploitative USB Devices are able to Steal Computer Credentials, even while the Computer is Locked

Merely plugging in the device is enough to steal your Windows and OSX password hashes (long hexadecimal strings derived uniquely from the characters of your password) in a matter of seconds. The device, which costs between $50 and $150, boots up and installs itself as a USB-to-Ethernet adapter, which modern OSes install automatically even while locked. From there, the default gateway (the address a computer sends data to when that data is leaving its local network) is changed to the address of the Linux system that the USB device runs natively. From this point, the Linux machine is able to control a number of different types of web traffic and, within about 13 seconds of the device being plugged in, obtain the password hash from the operating system.

Although the captured password hash must still be cracked to recover the real password, some hashes will be much easier to crack than others, depending on the OS version running and the complexity of the password. The advice from Rob Fuller, an R5 Industries principal security engineer, is to log off workstations whenever they are unattended. Although the security flaw has yet to be widely tested on OSX as an OS vulnerability, it is up to the OS manufacturers to begin minimizing the network and device discovery allowed while a computer is locked.
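The sequence described above (a USB network adapter appearing on a locked machine, followed seconds later by the default gateway moving to it) can be watched for on the defender's side. The sketch below is an added example, not code from the original article or from the researcher; the event format, field names, sample timeline and the 30-second window are all assumptions, and a real deployment would feed it from the OS's session, device and routing telemetry.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float            # seconds since start of capture
    kind: str           # "lock", "unlock", "nic_added", "default_route"
    iface: str = ""     # interface name (nic_added / default_route)
    bus: str = ""       # "usb" or "pci" (nic_added only)
    gateway: str = ""   # new gateway address (default_route only)


def find_locked_gateway_changes(events, window=30.0):
    """Return (iface, gateway, delay) for every default-route change onto a
    USB NIC that was attached while the session was locked, if the change
    happened within `window` seconds of the attach."""
    locked = False
    pending = {}  # iface -> time a USB NIC appeared during a locked session
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "lock":
            locked = True
        elif ev.kind == "unlock":
            locked = False
        elif ev.kind == "nic_added" and locked and ev.bus == "usb":
            pending[ev.iface] = ev.t
        elif ev.kind == "default_route" and ev.iface in pending:
            delay = ev.t - pending.pop(ev.iface)
            if delay <= window:
                alerts.append((ev.iface, ev.gateway, delay))
    return alerts


# Constructed sample timeline (hypothetical events, not real log output).
SAMPLE = [
    Event(0.0, "nic_added", iface="eth0", bus="pci"),
    Event(1.0, "default_route", iface="eth0", gateway="192.0.2.1"),
    Event(100.0, "lock"),
    Event(160.0, "nic_added", iface="eth1", bus="usb"),     # plugged in while locked
    Event(164.5, "default_route", iface="eth1", gateway="198.51.100.1"),
    Event(400.0, "unlock"),
    Event(500.0, "nic_added", iface="eth2", bus="usb"),     # user present: ignored
    Event(503.0, "default_route", iface="eth2", gateway="203.0.113.1"),
]

if __name__ == "__main__":
    for iface, gw, delay in find_locked_gateway_changes(SAMPLE):
        print(f"ALERT: default route moved to {iface} via {gw} "
              f"{delay:.1f}s after a USB NIC was attached to a locked session")
```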

Source: PC World
