Security expert Rob Fuller managed to turn a USB SoC-based adapter into a credential sniffer that works on all compatible systems.
Be Careful When Using an Untrusted USB Adapter, It May Sniff Your Password
Security consultant Rob Fuller has turned a USB Ethernet adapter into a credential sniffer. The principle it relies on is that credentials can be captured by any device that sits on the network interface the traffic passes through.
The attack works by modifying a dongle so that it captures the network traffic. The demonstration was built on a USB Armory and the Hak5 Turtle devices, using open source software such as the Debian and Kali Linux distributions together with open source tools and libraries.
The mechanism also allows sniffing of locked computers. USB devices are plug and play, so they are installed and started even on operating systems whose sessions are protected by a password-protected lock screen or screen saver. Depending on the operating system and its configuration, some systems may not automatically install and run every type of USB dongle; Ethernet adapters, however, are generally installed by default. Since computers constantly generate and process network traffic, capturing packets is easy for the malicious user.
Once plugged in, a compromised Ethernet adapter can quickly become the gateway, the DNS server or another type of network service for the host. The researcher noted that capturing critical credentials takes about ten seconds.
The malicious system has been tested on the following operating systems: Microsoft Windows 98 SE, Microsoft Windows 2000 SP4, Microsoft Windows XP SP3, Microsoft Windows 7 SP1, Microsoft Windows 10 (Home and Enterprise versions) and Mac OS X El Capitan and Mavericks.
By default, these systems connect through the fastest network available. Because the spoofed Ethernet adapter, by definition, advertises a faster connection, all network traffic is routed through it.
The drawback of the method is that it requires physical access to the target machine. For more information, see Fuller's detailed blog post.
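The mechanism above gives a defender a concrete signal to look for: a network adapter whose driver is installed while the workstation is locked. The following detection sketch is an added example, not code from the article or from Fuller's research. It assumes Windows Security events 4800 (workstation locked) and 4801 (workstation unlocked), the Microsoft-Windows-UserPnp event 20001 (driver installed for a device), the Net setup class GUID, and the field names `DeviceInstanceID`, `SetupClass` and `DriverDescription` in the event data; the log records themselves are constructed samples with placeholder vendor and product IDs.

```python
"""Added example: flag network-adapter driver installs that occur while a
Windows workstation is locked (the window the article describes).

Assumptions (not taken from the article):
  - Security event 4800 = workstation locked, 4801 = workstation unlocked.
  - Microsoft-Windows-UserPnp event 20001 = driver installed for a device,
    carrying DeviceInstanceID / SetupClass / DriverDescription fields.
  - {4d36e972-e325-11ce-bfc1-08002be10318} is the Net device setup class.
All records below are constructed samples, not exported logs.
"""
from dataclasses import dataclass, field
from datetime import datetime

SECURITY = "Microsoft-Windows-Security-Auditing"
USERPNP = "Microsoft-Windows-UserPnp"
NET_CLASS_GUID = "{4d36e972-e325-11ce-bfc1-08002be10318}"  # assumed Net class


@dataclass
class Event:
    time: datetime
    host: str
    provider: str
    event_id: int
    data: dict = field(default_factory=dict)


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample timeline for two hosts; VID/PID values are placeholders.
SAMPLE_EVENTS = [
    Event(ts("2016-09-07T09:00:00"), "WS-A", SECURITY, 4800),
    Event(ts("2016-09-07T09:00:12"), "WS-A", USERPNP, 20001, {
        "DeviceInstanceID": r"USB\VID_XXXX&PID_XXXX\PLACEHOLDER-1",
        "SetupClass": NET_CLASS_GUID,
        "DriverDescription": "USB Ethernet adapter (constructed)"}),
    # A non-network device installed while locked: not interesting here.
    Event(ts("2016-09-07T09:05:00"), "WS-A", USERPNP, 20001, {
        "DeviceInstanceID": r"USB\VID_XXXX&PID_YYYY\PLACEHOLDER-2",
        "SetupClass": "{00000000-0000-0000-0000-000000000000}",  # constructed
        "DriverDescription": "USB input device (constructed)"}),
    Event(ts("2016-09-07T09:30:00"), "WS-A", SECURITY, 4801),
    # Same adapter class on an unlocked host: normal user activity.
    Event(ts("2016-09-07T10:00:00"), "WS-B", USERPNP, 20001, {
        "DeviceInstanceID": r"USB\VID_XXXX&PID_XXXX\PLACEHOLDER-3",
        "SetupClass": NET_CLASS_GUID,
        "DriverDescription": "USB Ethernet adapter (constructed)"}),
]


def find_adapter_installs_while_locked(events):
    """Return one finding per Net-class driver install that happened between a
    4800 (lock) and the next 4801 (unlock) on the same host."""
    locked_since = {}   # host -> time the workstation was locked
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.provider == SECURITY:
            if ev.event_id == 4800:
                locked_since[ev.host] = ev.time
            elif ev.event_id == 4801:
                locked_since.pop(ev.host, None)
        elif ev.provider == USERPNP and ev.event_id == 20001:
            is_net = ev.data.get("SetupClass", "").lower() == NET_CLASS_GUID
            if is_net and ev.host in locked_since:
                delta = (ev.time - locked_since[ev.host]).total_seconds()
                findings.append({
                    "host": ev.host,
                    "time": ev.time.isoformat(),
                    "device": ev.data.get("DeviceInstanceID", ""),
                    "description": ev.data.get("DriverDescription", ""),
                    "seconds_after_lock": int(delta),
                })
    return findings


if __name__ == "__main__":
    for f in find_adapter_installs_while_locked(SAMPLE_EVENTS):
        print(f"[ALERT] {f['host']} installed network adapter {f['device']} "
              f"{f['seconds_after_lock']}s after the session was locked")
```

The rule deliberately ignores adapters installed on unlocked sessions and non-network devices installed on locked ones, so the alert volume stays low; on real data the event fields should be checked against the exported XML of the UserPnp provider before relying on the field names assumed here.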