Over the weekend, Engadget and CNet ran a story discussing what was described as a new and novel attack using Android smartphones to attack PCs. Apparently someone took an Android smartphone and modified the phone to emulate a USB keyboard.
When the Android phone was plugged into Windows, Windows thought it was a keyboard and allowed the phone to inject keystrokes (not surprisingly, OSX and Linux did the same). The screenshots I’ve seen show WordPad running with the word “owned!” on the screen, presumably coming from the phone.
I have to say, I don’t get why this is novel. There’s absolutely no difference between this hack and plugging an actual keyboard into the computer and typing keys – phones running the software can’t do anything that the user logged into the computer can’t do, and they can’t bypass any of Windows’ security features. All they can do is be a keyboard.
If the novelty is that it’s a keyboard that’s being driven by software on the phone, a quick search for “programmable keyboard macro” shows dozens of keyboards which can be programmed to insert arbitrary key sequences. So even that’s not particularly novel.
I guess the attack could be used to raise awareness of the risk of plugging in devices, but that’s not a unique threat. In fact the 1394 “FireWire” bus is well known for having significant security issues (1394 devices are allowed full DMA access to the host computer).
Ultimately this all goes back to Immutable Law #3. If you let the bad guys tamper with your machine, they can 0wn your machine. That includes letting the bad guys tamper with the devices which you then plug into your machine.
Sometimes the issues which tickle the fancy of the press mystify me.
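A host can see that a device wants to "be a keyboard" from the interface descriptors it presents at enumeration. The sketch below is an added example, not code from the original post: it walks a USB configuration descriptor and reports HID boot-keyboard interfaces (class 0x03, subclass 0x01, protocol 0x01), noting when one sits beside a non-HID function. The sample descriptors are constructed, and a keyboard that does not declare the boot subclass would need its HID report descriptor inspected instead.

```python
import struct

HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL = 0x03, 0x01, 0x01  # interface class triple
DT_CONFIG, DT_INTERFACE = 0x02, 0x04                      # bDescriptorType values


def parse_interfaces(blob):
    """Walk a configuration descriptor; return (number, class, subclass, protocol) tuples."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]          # wTotalLength, little-endian
    if total > len(blob):
        raise ValueError("truncated descriptor")
    interfaces, pos = [], 0
    while pos + 2 <= total:
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == DT_INTERFACE and length >= 9:
            interfaces.append((blob[pos + 2], blob[pos + 5], blob[pos + 6], blob[pos + 7]))
        pos += length                                     # skips endpoint and other descriptors
    return interfaces


def keyboard_findings(blob):
    """Return findings for a device that is able to type into the host."""
    interfaces = parse_interfaces(blob)
    keyboards = [i for i in interfaces if i[1:] == (HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL)]
    findings = ["interface %d is a HID boot keyboard" % i[0] for i in keyboards]
    if keyboards and any(i[1] != HID for i in interfaces):
        findings.append("composite device: keyboard alongside a non-HID function")
    return findings


def config(*interfaces):
    """Build a constructed configuration descriptor from (class, subclass, protocol) triples."""
    body = b"".join(
        bytes([9, DT_INTERFACE, n, 0, 1, c, s, p, 0])     # interface descriptor
        + bytes([7, 0x05, 0x81 + n, 0x03, 8, 0, 10])      # one interrupt IN endpoint
        for n, (c, s, p) in enumerate(interfaces))
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body),
                       len(interfaces), 1, 0, 0x80, 50) + body


# Constructed samples, not captures from a real device (0x08/0x06/0x50 = mass storage).
PLAIN_DRIVE = config((0x08, 0x06, 0x50))
DRIVE_WITH_KEYBOARD = config((0x08, 0x06, 0x50), (HID, BOOT_SUBCLASS, KEYBOARD_PROTOCOL))

if __name__ == "__main__":
    for name, blob in (("plain drive", PLAIN_DRIVE), ("drive + keyboard", DRIVE_WITH_KEYBOARD)):
        print(name, keyboard_findings(blob) or "no keyboard interface")
```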
I have to agree it's not much of a threat. Physical access already opened the gates.
If, instead of a phone, it looked like a USB drive, you could hand it over to someone to "share some files", when in reality, it would open a command prompt, quickly copy files from "C:\My Secret Files\" to the device, then close the command window. It could even install malware.
It's a stretch, but has its place. :)
Indeed. But then, you have those devices that actually fake themselves as keyboard/mouse without you necessarily realizing it.
Be aware what you _yourself_ plug into the computer...
The novelty is that an attacker can attack your PC by attacking your phone, for example by putting the malware into a game app.
Hey, could be good for pranks.
@Markus: You're right, that's why I quoted the 3rd law. If you're plugging in a device you don't trust, you're 0wned.
The guy who used to sit at the desk opposite me had great fun* in plugging his keyboard into the back of my laptop whilst I was making a cuppa.
*about 30 seconds of fun for him, and 30 seconds of great annoyance for me. :D
It's just one more CNet article in a long stream that shows how little their staff really understand technology. It's not just CNet either, that's a trend I have been seeing all over the place.
Can this result in an untrusted driver being installed, even though the logged in user is not admin?
@jon23423: Theoretically. There's actually an interesting attack that could be mounted on XP and Vista here (Win7 cut off the attack vectors for the attack with the autorun changes that were made for USB devices). For Win7, the attack surface is limited to drivers which are present on Windows Update.
This is not new either, it has been done with other USB fobs in the past: www.irongeek.com/i.php and before that you had the fake cd-rom usb dongles: www.hak5.org/.../USB_Hacksaw and www.hak5.org/.../USB_Switchblade
I still have an old "self-installing" USB network adapter that worked with Windows 95. When you first plugged it in, it showed up as a keyboard. It brought up a command prompt and ran debug. It used debug to start up a simple program that copied all the driver files it needed at high speed from the keyboard. Next, it used the keyboard to click through several dialog boxes and set up the drivers. Finally it disconnected and reconnected as the proper device. It actually worked reliably too - it seems like the kind of setup that would break at the slightest change in the system, but I've seen it install on multiple boxes that had been used and customized for a long time. It even makes it most of the way through on an XP machine, just messing up because the dialogs aren't the same as they used to be. I should dig it out and try it on 7.
As a victim of a LOSER-HACKER, both via his Linux computer, mac computer & phone (well there are two loser hackers!), I THINK THE FEDs NEED TO CLOSE IN ON THESE NO-GOOD LOSERS AND BUST THEIR BUTTS! These days, it's almost impossible to get anything done without a computer, but when u don't even have ANY PRIVACY, it makes it a pretty SUCKY world we live in because these LOSERS have nothin better to do than "F" with people and their $, minds, etc. and sit back & collect money off tax payers because they "pretend they are also disabled" -- but spend all their time doped up on drugs messing with people for the fun? on it? To steal MY IDENTITY? I've had 3 credit cards taken out in my name, by these guys... They left a trail though, cause one of the credit reports clearly shows ONE OF THEIR OWN PHONE NUMBERS! Ya, they may be good, but everyone can get SLOPPY! I've filed charges and HAVE HAD IT!!!!!!!!!!!!!!!!