Hacking into a locked Windows or Mac computer should not be this simple, and yet it is. A recently exposed security design flaw allows login credentials to be stolen from a PC or Mac that is logged in but locked. The hack takes an average of 13 seconds and the credentials can then be used to compromise all other accounts sharing those credentials. Here’s how it works and what it means for your enterprise.
What systems are vulnerable
Security researcher Rob Fuller recently exposed the vulnerability, which has already made headlines around the world. The simplicity and speed of this attack, along with the sheer number of computers that can be compromised by it, make it especially dangerous.
The attack works on computers that are logged in but locked and requires a USB device to be plugged into the system.
Fuller has confirmed the current version of this attack worked on these systems:
- Windows 98 SE
- Windows 2000 SP4
- Windows XP SP3
- Windows 7 SP1
- Windows 10 Enterprise and Home
- OS X El Capitan
- OS X Mavericks
More potential methods and systems are still being tested, including versions of Linux.
How the attack works
Fuller explains in his blog post that a USB dongle can be modified and plugged into an Ethernet adapter, essentially creating a simple plug-and-play credential-stealing device.
The attack is possible because most systems automatically install Plug-and-Play USB devices, so “even if a system is locked out, the device [USB dongle] still gets installed,” Fuller explained. There are restrictions on what types of devices are allowed to be installed on a locked system, as you might assume, but an Ethernet device is currently not restricted.
After the USB plug-and-play device installs itself, it then acts as the network gateway, DNS server, and Web Proxy Autodiscovery Protocol (WPAD) server for the victim’s system. The login credentials are then automatically and quickly transferred to the USB device because of the default behavior of network name resolution services, which can be exploited to compromise authentication credentials.
An application on the USB dongle, in this case a free application called Responder, spoofs the network, intercepts hashed credentials, and stores them in a database.
The hashed credentials can then be easily cracked later, giving the attacker the passwords in clear text.
This is what the entire attack could look like: someone connects a USB device to a locked system, removes the device without a trace, and walks away with the stolen credentials - all in an average of 13 seconds per system.
See a video of Fuller performing the attack on a Windows 10 system here.
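A detection check for the behavior described above, added here as an example and not taken from Fuller's post: it flags a network adapter that Windows first recognizes while the workstation is locked. It assumes Windows Security events 4800/4801 (workstation locked/unlocked) and 6416 (new external device recognized) are audited and collected; the simplified record layout, host names, device names, and function name are constructed for illustration.

```python
from datetime import datetime

# Windows Security event IDs (each requires its audit policy to be enabled).
LOCKED, UNLOCKED, NEW_DEVICE = 4800, 4801, 6416
NET_CLASS_GUID = "{4d36e972-e325-11ce-bfc1-08002be10318}"  # device setup class "Net"

# Constructed sample events, reduced to the fields this check uses.
SAMPLE_EVENTS = [
    {"time": "2016-09-08T09:00:05", "host": "WS-0142", "id": 4800},
    {"time": "2016-09-08T09:14:31", "host": "WS-0142", "id": 6416,
     "class_id": NET_CLASS_GUID, "device": "USB Ethernet/RNDIS Gadget"},
    {"time": "2016-09-08T09:14:44", "host": "WS-0142", "id": 6416,
     "class_id": "{4d36e96b-e325-11ce-bfc1-08002be10318}",  # Keyboard class
     "device": "HID Keyboard Device"},
    {"time": "2016-09-08T09:30:00", "host": "WS-0142", "id": 4801},
    {"time": "2016-09-08T09:41:12", "host": "WS-0142", "id": 6416,
     "class_id": NET_CLASS_GUID, "device": "Docking Station Ethernet"},
    # Host with no lock event on record: lock state unknown, so not flagged.
    {"time": "2016-09-08T10:02:00", "host": "WS-0077", "id": 6416,
     "class_id": NET_CLASS_GUID, "device": "USB Ethernet Adapter"},
]


def net_adapters_added_while_locked(events):
    """Return alerts for network-class devices first seen while a host was locked."""
    locked_since = {}  # host -> time of the most recent lock not yet followed by an unlock
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["id"] == LOCKED:
            locked_since[host] = when
        elif ev["id"] == UNLOCKED:
            locked_since.pop(host, None)
        elif ev["id"] == NEW_DEVICE and host in locked_since:
            # Only network adapters matter here; other device classes are ignored.
            if ev.get("class_id", "").lower() == NET_CLASS_GUID:
                delta = when - locked_since[host]
                alerts.append({"host": host, "device": ev["device"],
                               "seconds_after_lock": int(delta.total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in net_adapters_added_while_locked(SAMPLE_EVENTS):
        print(alert)
```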
How to secure your organization
New vulnerabilities like this one in systems we depend on will continue to be discovered, often after the damage is already done, but the critical resources and information in your organization do not also have to be exposed.
Strong privileged access management practices should be the primary solution for eliminating risks from this vulnerability and many others like it. Credentials will be compromised. Instead of focusing on merely preventing credentials from being stolen, it is extremely important to also focus on reducing the risk posed by those stolen credentials.
A single captured credential can be used to compromise sensitive information and resources, other exposed credentials, and then more sensitive information and resources. Stolen credentials are extremely difficult to detect and are a key part of virtually every major breach today.
Organizations should be fervent and disciplined in ensuring that every credential, or “key”, unlocks as little of the organization as possible to reduce and eliminate exposure if that credential is stolen. Every credential needs to be evaluated for its potential risk to the organization, and least privilege principles should be practiced until they become ingrained as a habit.
Requiring two-factor authentication for sensitive assets is another highly effective way to reduce and eliminate the risk of stolen credentials. By requiring two “keys” to authenticate, with one key that is constantly changing, you can eliminate the risk posed by just one of those keys being stolen.