Plug and Play USB Attack Technique That Opens Locked PCs and Macs

An alarming new hacking has been discovered that will let an individual gain access to a locked computer within 20 seconds: The plug and Play USB attack is also surprisingly simple and only costs around $50 to pull off. Because it can be performed so quickly, it could easily be used to gain access to a computer while the user visits the restroom.

In order for the hack to be pulled off, the victim must be logged in to their device; however, the lock screen will not prevent the computer from being accessed, no matter how complex the password is.

Security Researcher Rob Fuller discovered that it is possible to obtain system credentials using the Plug and Play USB attack in as little as 13 seconds on devices running Windows 98, XP SP3, Windows 7 SP1, and Windows 10 Enterprise/Home, as well as on devices running OS X (El Capitan/Maverick).

A Plug and Play USB attack as simple as this should not work, yet it does. Even Fuller was surprised at how quick and easy it was to steal system credentials. He also believes there is no way that he can be the first person to have worked this out.

The Plug and Play USB attack can be performed using the HAK5 LAN Turtle, a flash-drive sized minicomputer that costs $49.99. The technique also works using the USB Armory which costs $155. Fuller also said that the hack could be pulled off with a RaspberryPi, which costs just $5, although set up takes a little longer.

When plugged in to the target computer they appear as an Ethernet adaptor. Some simple changes to the configuration of the devices is required to make them appear as DHCP servers. Then, when the device is plugged in it is automatically made to be the default gateway that receives network traffic. The hack works because local networks are automatically trusted by most operating systems.

The device will capture the username and password hash. The hash is then cracked or downgraded to another hash that can be used to get authorized access to the device in a pass-the-hash attack.

The device can be plugged in and access to the locked computer can be gained without any keyboard input. The attack is alarmingly simple.

While physical access to a device will usually allow a skilled IT professional to gain access eventually, the process takes time. What is particularly worrying with this technique is the speed at which access can be gained. This method would also allow access to the computer to be gained without leaving any obvious signs that there has been any tampering. The device would be locked, as before, when the attacker is finished loading malware or copying files.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of