Tech News: Terrifying new exploit of Windows and OS X left on lock screen.



gomipile
2016-09-07, 10:37 PM
Ars Technica reported on a terrifying new exploit that exposes the login ID and hash of Windows and OS X computers left turned on with the lock screen up:

http://arstechnica.com/security/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/?comments=1

It's terrifying because it requires a total of less than a minute of physical access, and doesn't inherently leave physical evidence of intrusion.

This is right up there with the mythical "plug the USB thingy into the locked computer and wait a few seconds while the CEO/whoever is distracted in another room" trope that's been repeated over and over again in movies and on TV for the past decade. Of course, this is Ethernet, not USB, and it gives you a login and hash that have to be cracked offsite, but it's still on par. Lots of damage has been done over the past few decades stemming from acquisition of login/hash pairs.

Domochevsky
2016-09-08, 12:59 AM
Scary, yes, but offers precious little information as to what is happening there and why it's working. And on which Windows versions, for that matter. :smallconfused:

factotum
2016-09-08, 01:38 AM
It doesn't terrify me, for one simple reason: if someone has physical access to your computer then they can gain access to it trivially easily. I can boot a Windows computer from a CD-ROM and reset the admin password to allow me full access in a couple of minutes, tops, and since people rarely use the Administrator account on modern versions of Windows, chances are good the intrusion would not be noticed for a good long time. So, this exploit isn't allowing any more access than you could get anyway.

Khedrac
2016-09-08, 02:26 AM
It doesn't terrify me, for one simple reason: if someone has physical access to your computer then they can gain access to it trivially easily. I can boot a Windows computer from a CD-ROM and reset the admin password to allow me full access in a couple of minutes, tops, and since people rarely use the Administrator account on modern versions of Windows, chances are good the intrusion would not be noticed for a good long time. So, this exploit isn't allowing any more access than you could get anyway.
Oddly enough on corporate networks this one should take you nowhere - the BIOS should be passworded with the boot order set to hard disk first - no disk/usb booting attacks should then work.

veti
2016-09-08, 03:57 AM
Yeah... Requires physical access and specialised hardware. Granted the latter is cheap, but still it takes a fairly purposeful attacker. If someone like that can get physical access to my machine, I've always assumed they'd be able to crack it.

Just another reason why a computer is not a safe. Don't keep anything on it that has significant cash value. But that's always been a good rule anyway.

Silfir
2016-09-08, 05:12 AM
I recently screwed up my user profiles on my laptop (Renamed one that had an umlaut - somehow resulted in there being only one profile with the original Umlaut name that suddenly had a gibberish password) and had to pretty much hack myself. Googled a bit and found a technique that requires nothing but a Windows 10 setup DVD or USB stick. Made myself a new administrator profile and off I went.

This one is only particularly notable for the speed and ease of use. If you can just unlock the lock screen and continue as an existing user, you don't have to clean up after yourself afterwards, and you get the same access to encrypted data that the user in question has.

factotum
2016-09-08, 06:09 AM
Oddly enough on corporate networks this one should take you nowhere - the BIOS should be passworded with the boot order set to hard disk first - no disk/usb booting attacks should then work.

But on a corporate machine they'd probably also disable the ability to plug random USB devices in as well, so the attack in the OP wouldn't work either. :smallsmile:

Alent
2016-09-08, 06:31 AM
I'll echo what's already been said - sounds like a fancy proof of concept hack that's getting more attention than it legitimately demands. Physical security breaches are interesting, but if someone unauthorized has physical access to a secured system you have bigger problems than compromised hashes.


But on a corporate machine they'd probably also disable the ability to plug random USB devices in as well, so the attack in the OP wouldn't work either. :smallsmile:

My personal favorite variant of this is finding the USB ports on a computer filled by hot glue.

Sure, you could disable it with security policies... but one local corporation during USB's early days decided that wasn't a good enough guarantee and removed CD ROM and Floppy, then disabled the USBs by filling them with hot glue.

Apparently they'd been hit by some early autorun viruses and had problems with reinfection and responded with extreme force. They had safety screws on the cases to boot. This seems to be a common response from 99~2006 from what I can tell on google, which kind of scares me and makes me wonder if anyone's still doing it. :smalleek:

Khedrac
2016-09-08, 07:23 AM
But on a corporate machine they'd probably also disable the ability to plug random USB devices in as well, so the attack in the OP wouldn't work either. :smallsmile:
Oddly enough, in my experience they tend not to, or limit it to certain users (which usually means the port works but the user cannot see the device).
USB control tends to be procedural because there are uses that USB sticks are unparalleled for (such as transferring data between air-gapped networks). So they rely on people not plugging unauthorized USBs in rather than preventing them.
That said, different companies, different processes.

Also, I am currently a software tester and a few weeks ago I left a CD in a PC while rebooting it and, despite the PC BIOS being set to boot from hard disk only, the PC boot hung because the CD wasn't bootable. Puzzled our engineers no end (serendipity plays a surprisingly significant role in my work).

Incidentally, we have a Security forum at work where people are pretty good at posting links to articles about new threats. I checked it as soon as I read the OP and no-one had linked this one yet, so I did - thank you.

wumpus
2016-09-08, 11:42 AM
But on a corporate machine they'd probably also disable the ability to plug random USB devices in as well, so the attack in the OP wouldn't work either. :smallsmile:

Interesting. Do they store the "cmos" in flash these days, so that pulling the battery won't reset the password, nor allow a hardware reset on the motherboard? (Presumably anyone capable of using a bootdisk could pull the battery.)

Supposedly the first version of NT was certified to the "second lowest security rating" (the lowest being completely insecure) by the NSA. For computers to qualify, you had to fill the floppy drive with epoxy and almost certainly leave out any network card (remember the floppy, and no windows computer was ever safe once connected to a network). There were said to be a ton of higher levels of security, but I'm not sure anybody ever built a (working) computer that could achieve them. The proposals to get there were pretty silly.

If you are wondering about all the myriad ways a computer can be attacked once physical access is granted, I'd recommend googling "bad maid attacks". It is pretty much a given that such a machine will be instantly pwned in security circles.

lesser_minion
2016-09-08, 05:51 PM
One of the immutable laws of computer security is that if the bad guy has physical access to your machine, it's not your machine any more.

So while you could probably legitimately argue that there's something going on that shouldn't and it'll probably get patched soon, it's not "terrifying" in the slightest.