
IRON-HID: Create your own bad USB [pdf] - josephscott
https://conference.hitb.org/hitbsecconf2016ams/materials/D1T2%20-%20Seunghun%20Han%20-%20Create%20Your%20Own%20Bad%20USB%20Device.pdf
======
resoluteteeth
This is just an Arduino acting as a HID device that can be controlled from an
Android phone, right? The slides talk about also acting as a mass storage
device for a payload in case there's no internet, but I'm assuming there's no
channel back to the Arduino/Android phone[1] in that case, so you're not going
to be able to send screenshots back as described.

Basically, if there's internet access to talk to a server, the Arduino alone
is going to do just as much damage, and if there's not, this whole setup is
still going to have to send keystrokes blindly and won't be able to exfiltrate
data regardless of the Android phone controlling everything.

Therefore, luckily, I don't think this actually introduces any new threat
beyond the existing problem of people already being able to insert random
devices that act as keyboards. Unfortunately, this is a hard problem to fix in
general, but at least for devices like POS machines it's easy enough to simply
not leave the machine logged in.

1: It might be possible to use the caps lock status (or maybe a raw HID
device?) to get data back; it doesn't sound like Iron-HID is doing this, and
anyway the bandwidth probably wouldn't be very high, to say the least.

