
Fake keyboard: PCs hacked with custom Android USB drivers - shawndumas
http://arstechnica.com/security/news/2011/01/fake-keyboard-pcs-hacked-with-custom-android-usb-drivers.ars
======
nupark
You could build a device that's a lot smaller / less obvious than a cell phone
for less than $20.

With an SMD AVR microcontroller, you could power it direct from the USB port,
and the device would be not much bigger than a USB stick. In fact, you could
embed it _in_ a USB flash drive case (I suppose that bonus points would be
awarded for _also_ operating as a USB flash drive).

Example: <http://www.obdev.at/products/vusb/hidkeys.html>

[Edit]

Some quick googling shows that this is not a new idea:

<http://www.taranfx.com/pc-mac-usb-hid-hack>

<http://www.pjrc.com/teensy/>

$18 for a 1.2" by 0.7" USB-enabled ATMEGA32U4 -- and the only reason it's so
'large' is that they break out the atmega's pins to support prototyping,
include a SPST (switch), etc.

~~~
JonnieCache
This would be a good start: <http://generichid.sourceforge.net/index.html>

A toolkit for making your own USB human interface devices. Supports a variety
of chipsets, including the AVR variants in the parent comment. Comes with its
own crazy visual drag and drop programming language.

Get involved!

EDIT: Aha! found the link I was looking for: "Program Your Own Mayhem-Causing
USB Dongle" <http://hackaday.com/2010/04/05/program-your-own-mayhem-causing-usb-dongle/>

It's a video presentation BTW. And it is seriously devious: "There’s also a
light sensor that can be used to activate a command once an unknowing victim
has shut off the lights in the office and left for the day."

EDIT2: For bonus evil-points, solder it into a USB hub, run a real HID into
the same hub, and hide the whole thing inside the HID, with the hub's host
port wired up to the cable of the HID. Read the link below to see what I mean.

<http://www.thice.nl/hide-your-data-in-plain-sight-usb-hardware-hiding/>

------
fleitz
Or you could just bring a keyboard and mouse with you and take control of the
computer the old fashioned way. I'm sure it would be much easier to type on
than the android on screen keyboard.

Also, there are USB keyboard replay devices out already that are much smaller
than an android phone, if the goal was to automate the process.

I really fail to see why this is noteworthy other than the fact that someone
developed a USB keyboard driver for android which is cool. It doesn't open any
new attack vectors. I mean really how many computers are out there that don't
have a keyboard and mouse but have accessible USB ports AND that it would look
suspicious to have brought your own keyboard and mouse, but it wouldn't look
suspicious to plug your phone into it.

I suppose the one thing it would enable is a social engineering trick where
you convince the person's secretary to go plug your phone into the computer you
don't have access to. Maybe something along the lines of "<insert boss' name
here>, needs you to plug his phone in, it's running low on battery, can you plug
it in?" and then come back a few minutes later to get the phone.

~~~
wzdd
It opens one new attack vector I think---any exploit targeting an Android
phone could be used to deliver a different exploit to the computer the phone
is connected to. Given that this requires a kernel driver (on the phone side),
it would have to be a pretty great exploit. You would have to be pretty
motivated to do this instead of, e.g. sending 1 billion emails with an
attached virus.jpg.exe, but it is a new vector.

~~~
stcredzero
For penetrating a particular target, this is very interesting. Bribe a
repairman into leaving such a device plugged into a developer workstation at a
company where everyone goes home at 5 or 6. The device presents itself as a
USB hub, then waits until late at night, when it connects its keyboard and
_types out and compiles_ an entire rootkit. This would even work at companies
which lock down USB ports against removable drives.

Better yet, the device could act as an attacker's remote shell by downloading
commands using curl and uploading redirected stdout and stderr.

~~~
neworbit
You'd presumably have to be in a shell (or compiler window) and on a system
that didn't lock itself - but yeah, yikes. How are you with centrifuges?

~~~
stcredzero
You can bring up a command line with just the keyboard, even in Windows. The
lock would be a problem.

------
gvb
10 Immutable Laws of Security
<http://technet.microsoft.com/en-us/library/cc722487.aspx>

Law #1: If a bad guy can persuade you to run his program on your computer,
it's not your computer anymore.

Law #3: If a bad guy has unrestricted physical access to your computer, it's
not your computer anymore.

---

Law #1 should be expanded nowadays: "If a bad guy can persuade you to plug his
widget into your computer, it's not your computer anymore." In the USB case,
the widget (phone) contains the bad guy's program.

------
gus_massa
It is not a bug, it is a feature! :)

It is possible to build a configurable (dynamic?) keyboard on the Android,
like the keyboard in
<http://www.alltechnologynews.com/razer-switchblade-laptop-for-gaming-with-dynamic-keyboard.html>.
(I saw an article about it here a few months ago, but I can't find it.)

And perhaps it can be useful for non game activities too.

------
3vad3
Adrian Crenshaw a.k.a. Irongeek has already done something like this using the
Teensy ( <http://www.pjrc.com/teensy/> ) programmable USB device. The upside
is it is programmable either using C or the Arduino dev environment. It costs
under $20 and can be made to look much more unobtrusive than a phone. Combine
this with some good social engineering and you have yourself a dangerous
penetration testing tool. For more info check out Adrian's writeup
<http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle>

------
pinko
Wouldn't one simple defense be to have the OS pop up a window requiring the
user to hit a specific unpredictable key (or short key sequence) when a new
keyboard is plugged in?

~~~
Splines
It's a difficult problem to solve, and probably not worth the effort. Anything
you do is fraught with running into the "Keyboard not detected, press F1 to
continue" situation, especially in an uncontrolled environment like Windows.
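
The defense proposed in this last sub-thread, sketched as an added example (not code from any commenter or from a real operating system): keystrokes from a newly attached keyboard are quarantined until the random challenge shown on screen is typed on that same keyboard. `NewKeyboardGate`, `feed` and `run` are hypothetical names, the key sequences are constructed, and the sketch assumes a logged-in session with a display, which is exactly what is missing in the "press F1 to continue" case.

```python
import secrets
import string

class NewKeyboardGate:
    """Quarantine keystrokes from a newly attached keyboard until the user
    types a random challenge shown on screen (hypothetical design)."""

    def __init__(self, length=4, max_failures=3, challenge=None):
        alphabet = string.ascii_lowercase + string.digits
        # A fixed challenge may be passed in for testing; normally it is random.
        self.challenge = challenge or "".join(
            secrets.choice(alphabet) for _ in range(length))
        self.max_failures = max_failures
        self.failures = 0
        self.typed = ""
        self.state = "pending"  # pending -> trusted | blocked

    def feed(self, key):
        """Handle one keystroke from the new device.
        Returns the key if it may reach applications, else None."""
        if self.state == "trusted":
            return key
        if self.state == "blocked":
            return None
        self.typed += key
        if not self.challenge.startswith(self.typed):
            # Wrong key: count the failure and restart the attempt.
            self.failures += 1
            self.typed = ""
            if self.failures >= self.max_failures:
                self.state = "blocked"
        elif self.typed == self.challenge:
            self.state = "trusted"
        return None  # keys typed during the challenge are never forwarded

def run(gate, keys):
    """Feed a key sequence; return what applications would receive."""
    return "".join(k for k in map(gate.feed, keys) if k is not None)

# Constructed inputs: a scripted device typing blind, then a user who can
# read the challenge off the screen.
blind = NewKeyboardGate(challenge="k7qx")
delivered_blind = run(blind, "echo test\n")
human = NewKeyboardGate(challenge="k7qx")
delivered_human = run(human, "k7qx" + "hello")
```

A device that cannot see the screen is locked out after three wrong keys and nothing it typed reaches an application, while the user's input flows normally once the challenge is matched.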

