Jan 20, 2011 18:14 GMT  ·  By

At the Black Hat DC security conference this week, two researchers demonstrated an attack that relies on tricking a computer into believing an attached USB device is a keyboard.

Security researchers Angelos Stavrou and Zhaohui Wang modified the USB stack on an Android smartphone so that it registers itself as a human interface device (HID), i.e. a keyboard, when connected to a computer.

The phone can then inject keystrokes to launch a potentially malicious application or perform other malicious tasks, exactly as if the user had typed them.

With the exception of Stuxnet, which exploited a then-unpatched Windows vulnerability in shortcut-file handling to launch code from USB storage devices, such attacks usually rely on the Windows AutoRun feature.

Because of this, security products are designed to watch for AutoRun activity when devices are connected over USB.

Some of them even recommend disabling AutoRun entirely, since the risks far outweigh the feature's supposed benefits.

Emulated keystrokes, however, have a high chance of bypassing such protections: input from a USB HID keyboard arrives through the same driver path as the real keyboard's, so the software has no way to tell an injected command from one the user actually typed.
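One defensive check that does not depend on telling the devices apart at the driver level is to look at keystroke cadence: an injected command sequence is typed at machine speed, with near-constant inter-key gaps, while human typing is slower and irregular. The following Python is an added example, not code from the article or from the researchers' work; the event format, the device names and the sample keystroke timings are all constructed here, and the thresholds are assumptions a deployer would tune.

```python
"""Keystroke-cadence heuristic for spotting USB HID keystroke injection.

Added illustration; the event format and sample data are constructed, and
the thresholds (min_keys, max_median_ms, gap_ms) are assumed starting points.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class KeyEvent:
    t_ms: float   # arrival time of the key press, in milliseconds
    device: str   # identifier of the HID device that produced it (hypothetical names)
    key: str      # the character typed


def split_into_bursts(events, gap_ms=500.0):
    """Group events per device into bursts separated by idle gaps longer than gap_ms."""
    by_dev = {}
    for e in sorted(events, key=lambda e: e.t_ms):
        by_dev.setdefault(e.device, []).append(e)
    bursts = []
    for evs in by_dev.values():
        cur = [evs[0]]
        for prev, e in zip(evs, evs[1:]):
            if e.t_ms - prev.t_ms > gap_ms:
                bursts.append(cur)
                cur = []
            cur.append(e)
        bursts.append(cur)
    return bursts


def is_injection_burst(burst, min_keys=12, max_median_ms=25.0):
    """A burst looks injected if it is long enough to matter and its median
    inter-key gap is below anything a human sustains across a whole command."""
    if len(burst) < min_keys:
        return False
    gaps = [b.t_ms - a.t_ms for a, b in zip(burst, burst[1:])]
    return median(gaps) <= max_median_ms


def flag_devices(events, **thresholds):
    """Return the sorted device ids that produced at least one injection-like burst."""
    return sorted({b[0].device for b in split_into_bursts(events)
                   if is_injection_burst(b, **thresholds)})


def _typed(device, text, start_ms, gap_ms, jitter):
    """Build a constructed event stream: one key per character, gap_ms apart plus jitter."""
    evs, t = [], start_ms
    for i, ch in enumerate(text):
        evs.append(KeyEvent(t, device, ch))
        t += gap_ms + jitter[i % len(jitter)]
    return evs


# Constructed sample: a person typing at ~150 ms per key with jitter, and a
# rogue HID device typing a shell command at ~5 ms per key with almost none.
HUMAN = _typed("kbd-human", "hello world, this is", 0.0, 150.0, (0, 40, -30, 80, 20))
ROGUE = _typed("kbd-injector", "cmd /c echo injected", 3000.0, 5.0, (0, 1, 0, 2, 1))
SAMPLE_EVENTS = HUMAN + ROGUE


if __name__ == "__main__":
    print("flagged devices:", flag_devices(SAMPLE_EVENTS))
```

Running it flags only `kbd-injector`. The `min_keys` floor matters: a held key under autorepeat also produces tight, regular gaps, so a real deployment would additionally exclude repeats of a single key and would raise the flag to an alert rather than blocking input outright.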

Stavrou said that although they chose Android for the demo, the same attack could in principle be mounted from any USB-capable device, including iPhones.

"It can work on any computing device that uses USB. [...] Say your computer at home is compromised and you compromise your Android phone by connecting them," the researcher said, according to CNET.

"Then, whenever you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise other computers off that Android. It's a viral type of compromise using the USB cable," he explained.

This is a variation of existing attacks that use USB microcontroller boards to hack gaming consoles like the PS3; the Teensy USB Development Board is a well-known example.

The two researchers developed exploits for the host operating system and for Android phones, which could easily be weaponized by attaching malicious payloads to them. However, the software has not been publicly released and was used only for demonstration purposes during the presentation.