A $50 device and an app can easily steal your PC's log-in

Doesn't matter if your computer is locked.

You'd think protecting your computer with a strong password would keep it safe, but apparently, all it takes to steal your log-in credentials is a $50 piece of hardware and an app. R5 Industries principal security engineer Rob Fuller says he was able to pilfer usernames and passwords from locked computers using a USB device loaded with a hacking app called Responder. The stolen passwords are encoded, sure, but once they're in another person's possession, they can be cracked. One of the small, Linux-powered computers he used (USB Armory) costs $155, but the other (Hak5 Turtle) costs only $50. Computers share log-in credentials with them because they recognize the devices as trusted Ethernet adapters.

Fuller said the combination worked on all versions of Windows and even on El Capitan, though he still needs to check whether his Mac experiment was a fluke. He also said that the hack was so easy to pull off, he "tested it so many ways to confirm" since he had such a hard time believing it was possible.

He captured the process on cam, which you can watch below, and explained how it works in an email to Ars Technica:

"What is happening in the video is the USB Armory is being plugged into a locked (but logged in) system. It boots up via the USB power, and starts up a DHCP server, and Responder. While it's doing this, the victim is recognizing it as an Ethernet adapter. The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the 'real' network connection. Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as 'trusted' it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified the Armory shuts down (LED goes solid)."

Of course, this is a non-issue if you exclusively use your computer at home, and there's nobody living there you don't trust. But if you tend to bring laptops to coffee shops and other places, check out this prevention technique Fuller recommends, or just make sure you never leave your computer unattended.
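The email above describes one thing a defender can watch for: a new Ethernet adapter appearing while the session is locked. The Python below is an added example, not code from Fuller, Responder or this article; it correlates Windows Security events 4800 (workstation locked), 4801 (unlocked) and 6416 (new external device recognized) to flag that case. The simplified record shape, host names and device names are constructed for illustration, and the events only exist if the corresponding audit policies are enabled.

```python
from datetime import datetime

# Windows Security log event IDs; each needs its audit policy enabled.
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416

# Constructed sample events in a simplified (time, event_id, fields) shape.
# Host names, device names and timestamps are made up for illustration.
SAMPLE_EVENTS = [
    ("2024-01-01T12:01:10", LOCKED, {"host": "LAPTOP-01"}),
    ("2024-01-01T12:02:05", NEW_DEVICE, {"host": "LAPTOP-01", "class": "Keyboard",
                                         "device": "USB Keyboard"}),
    ("2024-01-01T12:03:42", NEW_DEVICE, {"host": "LAPTOP-01", "class": "Net",
                                         "device": "USB Ethernet Gadget"}),
    ("2024-01-01T12:30:00", UNLOCKED, {"host": "LAPTOP-01"}),
    ("2024-01-01T12:45:00", NEW_DEVICE, {"host": "LAPTOP-01", "class": "Net",
                                         "device": "Docking Station NIC"}),
    ("2024-01-01T12:10:00", NEW_DEVICE, {"host": "DESKTOP-02", "class": "Net",
                                         "device": "USB Wi-Fi Adapter"}),
]


def adapters_added_while_locked(events):
    """Return network-class device arrivals seen between a lock and the next unlock."""
    locked_since = {}  # host -> time the current lock started
    alerts = []
    for ts, event_id, fields in sorted(events, key=lambda e: e[0]):
        host, when = fields["host"], datetime.fromisoformat(ts)
        if event_id == LOCKED:
            locked_since[host] = when
        elif event_id == UNLOCKED:
            locked_since.pop(host, None)
        elif event_id == NEW_DEVICE and fields.get("class", "").lower() == "net":
            if host in locked_since:
                alerts.append({
                    "host": host,
                    "device": fields.get("device", "unknown"),
                    "time": ts,
                    "seconds_after_lock": int((when - locked_since[host]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in adapters_added_while_locked(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the adapter plugged into the locked LAPTOP-01 is flagged; the keyboard, the adapter added after unlock and the adapter on the never-locked DESKTOP-02 are ignored.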

Source: Rob Fuller