Why does this work?
Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed. Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list. Computers are constantly creating traffic, even if you don’t have any browsers or applications open, and most computers trust their local network for some reason (I know the technical bits on ‘why’, just complaining…) Network preference when there are more than gateway or network connection is based on “metrics” on Windows and a combination of metrics and “preference” on OSX, but by default “wired” and “newer/faster” always win out.
Security researcher shows how easy it is to steal password from PCs with lock screen
Posted on Wednesday, September 07 2016 @ 14:07 CEST by Thomas De MaesschalckOn his blog, security researcher Rob Fuller illustrates how easy it is to steal security credentials from locked machines. The technique is so simple it's hard to believe it works, not just on Windows 10 but also on Mac OS X "El Capitan". You can read the full detailed version over here. The short story is that by plugging in a device that poses as a USB Ethernet adapter, it is possible to steal the login details from systems in a lock screen state.
