Hacking Windows with Phones… I don’t get it.
Over the weekend, Engadget and CNet ran a story discussing what was described as a new and novel attack using Android smartphones to attack PCs. Apparently someone took an Android smartphone and modified the phone to emulate a USB keyboard.
When the Android phone was plugged into Windows, Windows thought it was a keyboard and allowed the phone to inject keystrokes (not surprisingly, OSX and Linux did the same). The screenshots I’ve seen show WordPad running with the word “owned!” on the screen, presumably coming from the phone.
I have to say, I don’t get why this is novel. There’s absolutely no difference between this hack and plugging in an actual keyboard to the computer and typing keys – phones running the software can’t do anything that the user logged into the computer can’t do, they can’t bypass any of Windows security features. All they can do is be a keyboard.
If the novelty is that it’s a keyboard that’s being driven by software on the phone, a quick search for “programmable keyboard macro” shows dozens of keyboards which can be programmed to insert arbitrary key sequences. So even that’s not particularly novel.
I guess the attack could be used to raise awareness of plugging in devices, but that’s not a unique threat. In fact the 1394 “FireWire” bus is well known for having significant security issues (1394 devices are allowed full DMA access to the host computer).
Ultimately this all goes back to Immutable Law #3. If you let the bad guys tamper with your machine, they can 0wn your machine. That includes letting the bad guys tamper with the devices which you then plug into your machine.
Sometimes the issues which tickle the fancy of the press mystify me.
Comments
Anonymous
January 24, 2011
I have to agree it's not much of a threat. Physical access already opened the gates. If, instead of a phone, it looked like a USB drive, you could hand it over to someone to "share some files", when in reality, it would open a command prompt, quickly copy files from "C:My Secret Files" to the device, then close the command window. It could even install malware. It's a stretch, but has it's place. :)Anonymous
January 24, 2011
Indeed. But then, you have those devices that actually fake themselves as keyboard/mouse without you necessarily realizing it. blogs.msdn.com/.../9919504.aspx Be aware what you yourself plug into the computer...Anonymous
January 24, 2011
The novelty is that an attacker can attack your PC by attacking your phone, for example by putting the malware into a game app.Anonymous
January 24, 2011
Hey, could be good for pranks.Anonymous
January 24, 2011
@Markus: You're right, that's why I quoted the 3rd law. If you're plugging in a device you don't trust, you're 0wned.Anonymous
January 24, 2011
The guy who used to sit at the desk opposite me had great fun* in plugging his keyboard into the back of my laptop whilst I was making a cuppa. *about 30 seconds of fun for him, and 30 seconds of great annoyance for me. :DAnonymous
January 24, 2011
It's just one more CNet article in a long stream that shows how little their staff really understand technology. It's not just CNet either, that's a trend I have been seeing all over the place.Anonymous
January 24, 2011
Can this result in an untrusted driver being installed, even though the logged in user is not admin?Anonymous
January 24, 2011
@jon23423: Theoretically. There's actually an interesting attack that could be mounted on XP and Vista here (Win7 cut off the attack vectors for the attack with the autorun changes that were made for USB devices). For Win7, the attack surface is limited to drivers which are present on Windows Update.Anonymous
January 27, 2011
This is not new either, it has been done with other USB fobs in the past: www.irongeek.com/i.php and before that you had the fake cd-rom usb dongles: www.hak5.org/.../USB_Hacksaw and www.hak5.org/.../USB_SwitchbladeAnonymous
January 28, 2011
The comment has been removedAnonymous
February 24, 2011
The comment has been removed