In his blog post published today, security researcher Rob Fuller demonstrated and explained how to turn a USB SoC-based device into a credential sniffer. Fuller said that the hack could be used to trick a PC into sending credentials to the device while the PC believes it is installing an Ethernet adapter. Fuller modified the firmware of a USB dongle so that the spoofed Plug-and-Play adapter turns itself into the system's network gateway, DNS server, and WPAD (Web Proxy Auto-Discovery Protocol) server. When the victim's PC recognizes that the device has been plugged in, credentials are sent over the spoofed network, where they can be sniffed by the potential hacker.

Fuller says that his attack “should not work” but it does, and it can sniff login passwords on a variety of operating systems. Fuller tested his spoof attack successfully against Windows 98, Windows 2000, Windows XP SP3, Windows 7 SP1, Windows 10 (both Home and Enterprise), and OS X El Capitan and Mavericks. However, it is worth noting that Fuller is not certain whether the attack succeeded against the Mac operating systems because of his own system configuration, or whether the average user would indeed be vulnerable. Linux machines have not been tested.

“Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.” Fuller's spoof attack method works because most PCs will automatically try to install Plug-and-Play USB devices. Fuller says that “Even if a system is locked out, the device still gets installed,” and the hacker can steal your passwords.

The researcher tested the attack using two products, the USB Armory and a Hak5 Turtle. In the video, Fuller demonstrates his spoof attack against Windows 10 running in a virtual machine that is locked while a user is logged in.
For Fuller's spoof attack to work, the hacker has to have physical access to the PC.