Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).

Fuller's attack is effective against locked computers on which the user has already logged in.

The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it's connected to.

Attack works because computers trust PnP devices

The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

"Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed," Fuller wrote on his blog yesterday.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."

Modified USB Ethernet adapter logs PC credentials

When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device.

Fuller's modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology.

The researcher's modified device also includes a LED that lights up when the credentials have been recorded.

Attack average runtime is 13 seconds

An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.

Fuller couldn't believe this type of attack was possible, so he tested the scenario with USB Ethernet dongles such as USB Armory and Hak5 Turtle.

He says the attack was successful against Windows 98 SE, Windows 2000 SP4, Windows XP SP3, Windows 7 SP1, Windows 10 (Enterprise and Home), OS X El Capitan, and OS X Mavericks. The researcher is planning to test the attack against several Linux distros as well. Below is a video of Fuller's attack in action.