
A $50 device and an app can easily steal your PC's log-in

Doesn't matter if your computer is locked.
Mariella Moon, @mariella_moon
September 8, 2016

You'd think protecting your computer with a strong password would keep it safe, but apparently all it takes to steal your log-in credentials is a $50 piece of hardware and an app. R5 Industries principal security engineer Rob Fuller says he was able to pilfer usernames and passwords from locked computers using a USB device loaded with a hacking app called Responder. The stolen passwords are encoded, sure, but once they're in another person's possession, they can be cracked. One of the small, Linux-powered computers he used (USB Armory) costs $155, but the other (Hak5 Turtle) costs only $50. Computers share log-in credentials with the devices because they recognize them as trusted Ethernet adapters.

Fuller said the combination worked on all versions of Windows and even on El Capitan, though he still needs to check whether his Mac experiment was a fluke. He also said that the hack was so easy to pull off, he "tested it so many ways to confirm" since he had such a hard time believing it was possible.

He captured the process on video and explained how it works in an email to Ars Technica:

"What is happening in the video is the USB Armory is being plugged into a locked (but logged in) system. It boots up via the USB power, and starts up a DHCP server, and Responder. While it's doing this, the victim is recognizing it as an Ethernet adapter. The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the 'real' network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as 'trusted' it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified, the Armory shuts down (LED goes solid)."

Of course, this is a non-issue if you exclusively use your computer at home, and there's nobody living there you don't trust. But if you tend to bring laptops to coffee shops and other places, check out this prevention technique Fuller recommends, or just make sure you never leave your computer unattended.
