Sidestepping your lockscreen with an innocent-looking USB stick
Here’s something that’s supposed to happen, and it’s jolly convenient, too.
If you plug a USB ethernet dongle into a Windows or OS X computer and the system supports it, then the operating system will activate the needed drivers, fire up the device, configure the network interface and get you online.
Indeed, to anyone who ever tried to get online back in the days of MS-DOS, this is more than convenient, it’s close to miraculous.
You’re unlikely to get caught out by this sort of “frictionlessness,” or so you might think, because it only happens after you’ve physically plugged in the device, so that it’s unlikely to happen without you realising.
But here’s something similar that really shouldn’t happen, says security researcher Rob Fuller, also known as Mubix.
If you plug a USB ethernet dongle into a locked Windows or OS X computer, the operating system goes through the same process.
That’s convenient, but unfortunately more convenient for an opportunistic attacker than for you.
Presumably, your computer’s locked because you aren’t using it: maybe you’ve popped out to the little girls’/boys’ room, or gone to get a coffee.
In other words, it’s probably not you plugging in the ethernet dongle…
…and, for all you know, it might not be just any old ethernet dongle.
It might be a full-blooded but super-tiny computer that looks like a USB ethernet adapter, and indeed behaves like an ethernet adapter, but has a general-purpose, reprogrammable, hackable operating system such as Linux running on the motherboardlet inside the adapter.
Such as the Hak5 LAN Turtle, which certainly looks like an uninteresting, generic, no-name branded USB ethernet adapter, but isn’t.
A device like the LAN Turtle can not only be an ethernet adapter, and thus present a network interface to the computer you plug it into, but also be a server running on that very interface.
So, you can run a DHCP server on the ethernet adapter itself, and when the computer into which you just plugged the booby-trapped dongle tries to configure the newly-inserted device…
…it ends up getting its network setup right from the turtle’s shell, so to speak.
Worse still, DHCP configuration options can include all sorts of settings that are at a much higher level than just IP numbers and routers, notably including a value called Proxy Config, by which you can tell Windows where to go for its so-called WPAD file (Web Proxy Autodiscovery).
A WPAD file pretty much tells your browser, and indeed the operating system itself and thus most web-enabled applications, how to process web requests. Once a web proxy is set, almost all HTTP requests originating from your computer will go to the designated proxy server first, rather than connecting straight to the target website. Legitimate proxies are widely used for web filtering to improve security, caching to improve throughput, and more. Bogus proxies, if crooks can trick you into using them, are widely used for eavesdropping, password stealing and worse.
You can see where this is going, because the booby-trapped dongle can also run the very proxy server to which all your web requests are subsequently diverted, log all the requests that come through, and save them to the flash storage inside the adapter.
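The DHCP-delivered proxy setting is the part of this chain a defender can watch for on the wire. As an added example, not code from the article or from Hak5, here is a small Python parser that pulls the options out of a DHCP offer or acknowledgement and flags one that carries the de facto WPAD option (option 252) with a proxy auto-config URL; the addresses and URL in it are constructed sample data, not a real capture.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the options
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_WPAD, OPT_END = 0, 3, 6, 53, 252, 255

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP message: a 236-byte BOOTP header,
    the magic cookie, then type/length/value options up to the END marker."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def wpad_findings(packet: bytes) -> list:
    """Flag an offer/ack that pushes a proxy auto-config URL via option 252,
    the non-standard but widely honoured 'WPAD' option the article describes."""
    opts = parse_dhcp_options(packet)
    findings = []
    if OPT_WPAD in opts:
        url = opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", errors="replace")
        findings.append(f"option 252 sets proxy auto-config URL {url}")
    return findings

def build_offer(yiaddr: str, router: str, wpad_url: str = None) -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not a real capture)."""
    zero = b"\x00"
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0,
                         zero * 4, socket.inet_aton(yiaddr), zero * 4, zero * 4,
                         zero * 16, zero * 64, zero * 128)
    options = bytes([OPT_MSG_TYPE, 1, 2])                        # DHCPOFFER
    options += bytes([OPT_ROUTER, 4]) + socket.inet_aton(router)
    options += bytes([OPT_DNS, 4]) + socket.inet_aton(router)
    if wpad_url:
        options += bytes([OPT_WPAD, len(wpad_url)]) + wpad_url.encode("ascii")
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

if __name__ == "__main__":
    print(wpad_findings(build_offer("10.13.37.2", "10.13.37.1", "http://10.13.37.1/wpad.dat")))
```

A DHCP server you do not recognise handing out option 252 on a freshly appeared interface is exactly the pattern worth alerting on.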
So, in theory, a crook who’s passing by an unattended PC can plug in what looks like a USB ethernet adapter (which is both tiny and innocent-looking) and covertly capture a whole bunch of network traffic without needing any technical ability or even touching the keyboard.
The crook doesn’t need to plug a network cable into the ethernet port (or he could use a similar device that doesn’t even have a port visible), making it look even less important or dangerous.
Later, the crook can remove the device with all the stolen data, perhaps including currently valid network credentials, saved onto it.
Even if the computer is locked.
What to do?
We’re not sure!
We haven’t been able to find any easily-activated settings that prevent the auto-configuration of network devices while a computer is locked.
We think there ought to be such a thing, and if there is, we’ll happily use it, so if you know how to do this, please let us know in the comments.