Modified USB Ethernet Adapter Can Steal Windows and Mac Credentials (softpedia.com)
An anonymous reader writes from a report via Softpedia: An attacker can use a modified USB Ethernet adapter to fool Windows and Mac computers into giving away their login credentials. The attack relies on using a modified USB Ethernet adapter that runs special software, which tricks the attacked computer into accepting the Ethernet adapter as the network gateway, DNS, and WPAD server. The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. Even worse, when installing the new (rogue) USB Ethernet adapter, the computer will give out the local credentials needed to install the device. The custom software installed on the USB intercepts these credentials and logs them to an SQLite database. This attack can take around 13 seconds to carry out, and the USB Ethernet adapter can be equipped with an LED that tells the attacker when the login credentials have been stolen.
This is why ALL of my USB devices are whitelisted on my computers.
There is no reason to allow rogue/unidentified hardware to be connected to a computer.
Bad article is bad. It initiates a man-in-the-middle attack for network requests.
On Windows, this gets NTLM for a pass-the-hash attack if a network share is mounted or set to automatically connect.
The USB device pretends to be an Ethernet adapter. Once the adapter is installed, the PC attempts to communicate with the network. The other portion of the box is running code that will automatically respond as if it's a domain controller so that Windows will attempt to authenticate using the existing credentials. This request includes the password hash. The software responds "thanks for the hash!". Unplug everything and go home to break the hash on your own time.
The OS isn't running any software from the device, the device is just taking advantage of the default behavior (authenticate to the new network).
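A defender can look for the pattern the summary describes (one device acting as gateway, DNS and WPAD server) in the DHCP offer a newly installed interface receives. The following is an added example, not part of the thread or of the tool the article covers. It assumes those settings arrive over DHCP; the function names and both sample offers are constructed for illustration.

```python
import ipaddress

# Option codes from RFC 2132; 252 is the widely used WPAD (proxy auto-config) option.
PAD, ROUTER, DNS, SERVER_ID, WPAD, END = 0, 3, 6, 54, 252, 255

def parse_options(data: bytes) -> dict:
    """Parse the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(data) and data[i] != END:
        code = data[i]
        if code == PAD:              # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = value
        i += 2 + length
    return opts

def ips(raw: bytes) -> list:
    """Split a packed list of IPv4 addresses into dotted strings."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]

def assess_offer(options: bytes):
    """Return (suspicious, findings) for one DHCP offer's options field."""
    opts = parse_options(options)
    server, routers, dns = (ips(opts.get(c, b"")) for c in (SERVER_ID, ROUTER, DNS))
    findings = []
    # One box as server, gateway and DNS is normal for a home router, so it
    # only counts here together with a pushed WPAD URL.
    if server and routers == server and dns == server:
        findings.append(f"{server[0]} is DHCP server, gateway and DNS")
    if WPAD in opts:
        findings.append("WPAD URL pushed: " + opts[WPAD].rstrip(b"\x00").decode("ascii", "replace"))
    return len(findings) == 2, findings

def opt(code: int, value: bytes) -> bytes:
    """Encode one option (helper used only to build the samples below)."""
    return bytes([code, len(value)]) + value

# Constructed sample offers (192.0.2.0/24 is a documentation range).
GW = ipaddress.IPv4Address("192.0.2.1").packed
ROGUE = (opt(53, b"\x02") + opt(SERVER_ID, GW) + opt(ROUTER, GW) + opt(DNS, GW)
         + opt(WPAD, b"http://192.0.2.1/wpad.dat") + bytes([END]))
NORMAL = (opt(53, b"\x02") + opt(SERVER_ID, GW) + opt(ROUTER, GW)
          + opt(DNS, ipaddress.IPv4Address("192.0.2.53").packed) + bytes([END]))
```

A match is most meaningful when it coincides with a network adapter that was installed seconds earlier on a machine that already had a working connection.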