A powerful hacking tool can be created for as little as $20, and just a few hours of work by someone with basic programming knowledge. Kaspersky Lab researchers found this after examining publicly available hardware and software tools for covert password interception.
In an experiment they used a DIY Raspberry Pi based USB-device, configured in a specific way, and carrying no malicious software. Armed with this device, they were able to covertly collect user authentication data from a corporate network at a rate of 50 password hashes per hour.
They took a Raspberry-Pi microcomputer, configured it as an Ethernet adapter, made some additional configuration changes in the OS running on the microcomputer, and installed a few publicly available tools for packet sniffing, data collection and processing. Finally, the researchers set up a server to collect intercepted data. After that, the device was connected to the targeted machine and started to automatically feed the server with stolen credential data.
The reason why this happened was that the OS on the attacked computer identified the connected Raspberry-Pi device as a wired LAN adapter, and automatically assigned it a higher priority than other available network connections and – more importantly – gave it access to data exchange in the network.
The experimental network was a simulation of a segment of a real corporate network. As a result, researchers were able to collect authentication data sent by the attacked PC and its applications, as they tried to authenticate domain and remote servers. In addition, researchers were also able to collect this data from other computers in the network segment.
Moreover, as the specifics of the attack allowed for intercepted data to be sent through the network in real time, the longer the device was connected to the PC, the more data it was able to collect and transfer to a remote server. After just half an hour of the experiment researchers were able to collect nearly 30 password hashes, transferred through the attacked network, so it is easy to imagine how much data could be collected in just one day. In the worst-case scenario, the domain administrator’s authentication data could also be intercepted should they log into their account while the device is plugged-in into one of the PCs inside the domain.
The potential attack surface for this method of data interception is big: the experiment was successfully reproduced on both locked and unlocked computers running on Windows and Mac OS. However, researchers were not able to reproduce the attack on Linux based devices.
“There are two major things that we are worried about as a result of this experiment: firstly – the fact that we didn’t really have to develop the software – we used tools freely available on the Internet. Secondly – we are worried about how easy it was to prepare the proof of concept for our hacking device. This means that potentially anyone, who is familiar with the Internet and has basic programming skills, could reproduce this experiment. And it is easy to predict what could happen if this was done with malicious intent. The latter is the main reason why we decided to draw public attention to this problem. Users and corporate administrators should be prepared for this type of attack,” said Sergey Lurye, a security enthusiast and co-author of the research at Kaspersky Lab.
Although the attack allows for the interception of password hashes (a cipher-alphabetic interpretation of a plaintext password after it has been processed by a specific obfuscation algorithm), the hashes could be deciphered into passwords, since the algorithms are known or used in pass-the-hash attacks.
In order to protect your computer or network from attacks with help of similar DIY devices, Kaspersky Lab security experts recommend the following advice:
-On returning to your computer, check if there are any extra USB devices sticking out of your ports.
-Avoid accepting flash drives from untrusted sources. This drive could in fact be a password interceptor.
-Make a habit of ending sessions on sites that require authentication. Usually, this means clicking on a “log out” button.
-Change passwords regularly – both on your PC and the websites you use frequently. Remember that not all of your favorite websites will use mechanisms to protect against cookie data substitution. You can use specialized password management software for the easy management of strong and secure passwords.