Naked Security

Sidestepping your lockscreen with an innocent-looking USB stick

Auto-configuration of new network interfaces considered harmful.

Here’s something that’s supposed to happen, and it’s jolly convenient, too.

If you plug a USB ethernet dongle into a Windows or OS X computer and the system supports it, then the operating system will activate the needed drivers, fire up the device, configure the network interface and get you online.

Indeed, to anyone who ever tried to get online back in the days of MS-DOS, this is more than convenient, it’s close to miraculous.

You might think you’re unlikely to get caught out by this sort of “frictionlessness,” because it only happens after you’ve physically plugged in the device, so it’s unlikely to happen without you realising.

But here’s something similar that really shouldn’t happen, says security researcher Rob Fuller, also known as Mubix.

If you plug a USB ethernet dongle into a locked Windows or OS X computer, the operating system goes through the same process.

That’s convenient, but unfortunately more convenient for an opportunistic attacker than for you.

Presumably, your computer’s locked because you aren’t using it: maybe you’ve popped out to the little girls’/boys’ room, or gone to get a coffee.

In other words, it’s probably not you plugging in the ethernet dongle…

…and, for all you know, it might not be just any old ethernet dongle.

It might be a full-blooded but super-tiny computer that looks like a USB ethernet adapter, and indeed behaves like an ethernet adapter, but has a general-purpose, reprogrammable, hackable operating system such as Linux running on the motherboardlet inside the adapter.

Such as the Hak5 LAN Turtle, which certainly looks like an uninteresting, generic, no-name branded USB ethernet adapter, but isn’t:

A device like the LAN Turtle can not only be an ethernet adapter, and thus present a network interface to the computer you plug it into, but also be a server running on that very interface.

So, you can run a DHCP server on the ethernet adapter itself, and when the computer into which you just plugged the booby-trapped dongle tries to configure the newly-inserted device…

…it ends up getting its network setup right from the turtle’s shell, so to speak.

Worse still, DHCP configuration options can include all sorts of settings that are at a much higher level than just IP numbers for the local interface and the network router, notably including a value called Proxy Config, by which you can tell Windows where to go for its so-called WPAD file (Web Proxy Autodiscovery).

A WPAD file pretty much tells your browser, and indeed the operating system itself and thus most web-enabled applications, how to process web requests. Once a web proxy is set, almost all HTTP requests originating from your computer will go to the designated proxy server first, rather than connecting straight to the target website. Legitimate proxies are widely used for web filtering to improve security, caching to improve throughput, and more. Bogus proxies, if crooks can trick you into using them, are widely used for eavesdropping, password stealing and worse.

You can see where this is going, because the booby-trapped dongle can also run the very proxy server to which all your web requests are subsequently diverted, log all the requests that come through, and save them to the flash storage inside the adapter.
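As an added example (not from the article, and not from Rob Fuller’s or Hak5’s code), here is a small Python checker that decodes the option field of a DHCP reply the way a client would, and flags what a booby-trapped dongle’s DHCP server would hand out: a server identifier that is not on an allowlist of known DHCP servers, and option 252, the DHCP option Windows reads for the WPAD URL the article calls Proxy Config. The addresses, the allowlist and the wpad.dat URL are constructed for the example; the parser also refuses truncated options rather than skipping them, since a deliberately malformed reply is worth reporting in its own right.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 start-of-options marker

# Option codes from RFC 2132; 252 is the de facto WPAD option Windows honours.
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 3, 6, 53, 54, 252


def parse_dhcp_options(payload):
    """Decode the TLV option field of a DHCP message into {code: raw value}.

    Raises ValueError on a missing cookie or a truncated option, so that a
    malformed reply is reported instead of being silently half-parsed.
    """
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header for code %d" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated value for option %d" % code)
        options[code] = value        # a repeated code overwrites, as clients do
        i += 2 + length
    return options


def _ipv4(raw):
    """Render a 4-byte option value as a dotted quad, or None if malformed."""
    return str(ipaddress.IPv4Address(raw)) if len(raw) == 4 else None


def audit_offer(payload, allowed_servers):
    """Return a list of findings for one DHCP OFFER/ACK option field.

    allowed_servers is an assumed allowlist: the dotted-quad addresses of the
    DHCP servers that are supposed to exist on this network.
    """
    options = parse_dhcp_options(payload)
    findings = []
    server = _ipv4(options.get(OPT_SERVER_ID, b""))
    if server not in allowed_servers:
        findings.append("lease offered by unknown DHCP server %s" % server)
    if OPT_WPAD in options:
        url = options[OPT_WPAD].rstrip(b"\x00").decode("ascii", "replace")
        findings.append("option 252 (WPAD) pushes proxy auto-config %s" % url)
    return findings


def _opt(code, value):
    """Encode one TLV option."""
    return bytes([code, len(value)]) + value


def _ip(dotted):
    return ipaddress.IPv4Address(dotted).packed


# Constructed sample: the kind of lease a rogue dongle's DHCP server hands out.
# 192.168.77.1 and the wpad.dat URL are invented for this example.
ROGUE_OFFER = (
    MAGIC_COOKIE
    + _opt(OPT_MSG_TYPE, b"\x02")                  # DHCPOFFER
    + _opt(OPT_SERVER_ID, _ip("192.168.77.1"))
    + _opt(OPT_ROUTER, _ip("192.168.77.1"))        # dongle is also the gateway
    + _opt(OPT_DNS, _ip("192.168.77.1"))           # ...and the DNS server
    + _opt(OPT_WPAD, b"http://192.168.77.1/wpad.dat\x00")
    + bytes([OPT_END])
)

# Constructed sample: an ordinary lease from the corporate DHCP server.
BENIGN_OFFER = (
    MAGIC_COOKIE
    + _opt(OPT_MSG_TYPE, b"\x02")
    + _opt(OPT_SERVER_ID, _ip("10.1.1.1"))
    + _opt(OPT_ROUTER, _ip("10.1.1.254"))
    + _opt(OPT_DNS, _ip("10.1.1.1"))
    + bytes([OPT_END])
)

ALLOWED_SERVERS = {"10.1.1.1"}  # assumed allowlist for this example

if __name__ == "__main__":
    for label, offer in (("rogue", ROGUE_OFFER), ("benign", BENIGN_OFFER)):
        print(label, audit_offer(offer, ALLOWED_SERVERS) or ["no findings"])
```

In practice the option bytes would come from a packet capture or a DHCP client log on the host being monitored; the point of the check is that a lease carrying option 252 from a server nobody provisioned is exactly the signature of the trick described above, whether or not the machine was locked at the time.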

So, in theory, a crook who’s passing by an unattended PC can plug in what looks like a USB ethernet adapter (which is both tiny and innocent looking), and covertly capture a whole bunch of network traffic without needing any technical ability or even touching the keyboard.

The crook doesn’t need to plug a network cable into the ethernet port (or he could use a similar device that doesn’t even have a port visible), making it look even more benign and less dangerous.

Later, the crook can remove the device with all the stolen data, perhaps including currently valid network credentials, saved onto it.

Even if the computer is locked.

What to do?

We’re not sure!

We haven’t been able to find any easily-activated settings that prevent the auto-configuration of network devices while a computer is locked.

We think there ought to be such a thing, and if there is, we’ll happily use it, so if you know how to do this, please let us know in the comments.


26 Comments

We use Sophos endpoint protection and disable USB ports on workstations.

Reply

Blocking USB ports outright (or blocking certain classes of device when plugged into a USB port) will prevent this sort of attack, but in many businesses, that reduces flexibility a bit too much, given how much time there is for “special exception” IT requests :-)

Reply

Can’t you just require Windows to prompt you with what to do with devices that get plugged in? Or, is that too late?

Reply

How do you get it to go through a popup for loading network drivers? That means preventing network activation when locked, which isn’t configurable as far as I can see.

Reply

It basically denies access until you agree (in the popup). I almost always say “do nothing”, which then sends me back to Windows. Now I can look at the files and see what’s really there.
The question marks in my post, however, are the downside: I’m not really sure how effective it is (in Windows). I mean, there has to be enough system activity to be able to see that there are files present. That might be enough for a hacker to compromise the popup itself.
Still, it seems better than just allowing the flash drive to decide every time.

Reply

This isn’t a flash drive. (Autorunning from flash drives was killed off long ago by Microsoft for security reasons.) It’s an ethernet adapter, or so Windows thinks.

Reply

Yeah, killing that off is what I’m referring to. But aren’t the drivers for a USB network device still in a plain old file system (somewhere)? I haven’t tried one, but shouldn’t Microsoft do the same thing (i.e. ask you before it starts loading files)?

Reply

We used to solve this crudely: there was a version of Symantec Ghost that installed client drivers for remote ghosting, and they had a bug where if you plugged a USB device in when the machine was already running, the whole machine would bluescreen and reboot, and continue to do so until the device was removed. Which was fine for us, as we had a strict policy against any and all USB devices for security anyway.

Would it be possible to insert intermediary drivers between the USB stack and Windows, like antivirus does with the network stack, which would then allow devices to be whitelisted and blacklisted, or for their activation to be approved by an administrator or active user?

Reply

Hahahaha. Serious bug made into a feature :-) Actually, I’d be really careful of using a crash situation like this as a lockout feature – a BSoD bug is always a huge risk, because for all you know it may be exploitable via a booby-trapped device.

Device control products for USB do exist – indeed, Sophos has one, as used by an earlier commenter for USB lockdown – but in many companies, locking down USBs too tight (especially with travelling staff who may suddenly need a new mouse, a new 3G modem, and so on) can become a bit of a burden in its own right. Like a lot of security, the devil’s in the details and the details are all about balancing usability and safety.

Reply

So this attack will expose what? A password hash? Hope no one still uses NTLM in the enterprise space, and the common password length is usually 13+ chars + pwd expiry of perhaps 30-60-90 days, which makes the hash of a long password ridiculously useless to attempt a rainbow crack.

And proxy config can be pushed with a script to auto configure e.g. every 10-15 min via group policy.

Reply

I can see this being a big problem with public computers, but for computers within a corporate environment this should be a lot harder, as any old Tom, Dick or Harry should not be able to walk in off the street and plug in a dongle, whether it be into a laptop or a desktop, without an ID badge or access key of some type, and if they can, oh dear!!! As a commenter has mentioned, hopefully USB control is enabled, and other staff would notice a stranger walk in and start using an unattended computer, and make a call to security or someone in authority.

Reply

Indeed. If you don’t have a system of “if you see something, say something” in your company (and you don’t have a place to say it to), now is a good time to implement it.

However, don’t forget that the whole thing about this sort of trick is that you don’t really have to “start using a computer”. You do have to go near it but you don’t have to bother with the keyboard or the screen. So it’s not as far-fetched as you might think, not least because the computer stays locked the whole time (no weird logins in the log files).

Reply

I wonder if you could build a similar device but make it look like a USB charging cable, as I bet far fewer people would object if you just said “oh, by the way, do you mind if I put my phone on charge quickly?”

Reply

When I was in Asia Pacific and travelling a lot, I always carried a “power only” USB cable (A to micro-B) in case I wanted to charge my devices from an unknown source, or in case someone asked me if I could give their phone a quick powerup in the departure lounge. Many devices used to charge much more slowly if they couldn’t exchange data with the charger to negotiate a faster rate, but you’d get there in the end.

Reply

It is worth remembering that Edward Snowden had an employee badge and everything, and he was able to get a lot of secrets by telling people he was from IT, and he just needed to access their computer for a few minutes…

In my experience, people are quite trusting if someone acts confidently, and looks like they know what they are doing.

Reply

In the scenarios discussed, people have considered companies. But what about an Internet Cafe – people expect others to be plugging in USB sticks and it might be a while before someone spots them.
Now consider a version of the above where instead of an Ethernet port it contains a wireless connection with suppressed SSID? They would look just like any USB stick – maybe a little on the larger side. Leave a few of these unmarked lying around in public places close to companies and offices and you can be pretty sure someone will pick them up and try them in their PCs. Just another way of social engineering…

Reply

So there are a host of issues that can occur with this, so let’s break them out:

1) Redirect traffic through their own gateway, or just packet sniff. This would compromise non-HTTP sites, the same as any network snooping device. HTTPS traffic would still be safe.
2) Trying to crack passwords. There are two ways this can be forced: by passively acting as a network adapter and capturing login tokens, or by trying to trick the system into sending a token to it. The automated method that they are talking about uses the second one.

The computer automatically tries to authenticate onto the network in a domain environment, so it sends the request for auth. The device is responding with “I don’t do Kerberos or NTLMv2, I only do NTLM”. If the computer responds with an NTLM auth request, the hash submitted could be broken using common tools (of course password complexity, length, and uniqueness make this take much longer).

So NTLM (and falling back to it) is the core issue here. In a security sense, why would we still use 20+ year old auth mechanisms? I don’t have an answer to this, but this is the crux of the automated exploit.

Detecting foreign (non-authorized) USB devices is difficult. There have been keyboard sniffers which duplicate the serial number of the connected keyboard to collect keystrokes, completely transparent to the OS. Sophos currently has Device Control; however, this is blocking storage devices at the later Windows layers, not the underlying driver layer. There used to be a program, SafeGuard Configuration Protection, but it stopped selling in 2013 (and went out of support in 2015). It was very difficult to configure, as each USB device had to be authorised (and it didn’t help that later operating systems tried to remove direct hardware access as much as possible).

Reply

The crux here, IMO, is the autoinitialisation and autoconfig. Sniffing NTLM hashes is a symptom, not the core problem.

Reply
