Over the weekend, Engadget and CNet ran a story discussing what was described as a new and novel attack using Android smartphones to attack PCs. Apparently someone took an Android smartphone and modified the phone to emulate a USB keyboard.
When the Android phone was plugged into Windows, Windows thought it was a keyboard and allowed the phone to inject keystrokes (not surprisingly, OSX and Linux did the same). The screenshots I’ve seen show WordPad running with the word “owned!” on the screen, presumably coming from the phone.
I have to say, I don’t get why this is novel. There’s absolutely no difference between this hack and plugging in an actual keyboard to the computer and typing keys – phones running the software can’t do anything that the user logged into the computer can’t do, they can’t bypass any of Windows security features. All they can do is be a keyboard.
If the novelty is that it’s a keyboard that’s being driven by software on the phone, a quick search for “programmable keyboard macro” shows dozens of keyboards which can be programmed to insert arbitrary key sequences. So even that’s not particularly novel.
I guess the attack could be used to raise awareness of plugging in devices, but that’s not a unique threat. In fact the 1394 “FireWire” bus is well known for having significant security issues (1394 devices are allowed full DMA access to the host computer).
Ultimately this all goes back to Immutable Law #3. If you let the bad guys tamper with your machine, they can 0wn your machine. That includes letting the bad guys tamper with the devices which you then plug into your machine.
Sometimes the issues which tickle the fancy of the press mystify me.