They are nifty little dev boards, as you can pretend to be a variety of different devices, but the real benefit in my mind is the ease at which you can use the solder pads to build a device and connect it to usb. YOu can dump roms.
The teensy 3.0 is a 32 bit arm processor and has extra ram and flash memory, which is certainly an improvement over the 8 bit avr processor... that said the teensy 2.0 or 2.0++ might be better if you have arduino experience. Both are great boards to play around with, and I expect lots more exploits based around pretending to be various usb devices.
Interesting hack, somewhat relieved to see that a) it's for OS X, and b) it just leverages a poor design/trade-off between security and convenience on that platform.
I suppose this kind of stuff is a good reason to disable sudo-session caching (or whatever it's called) and demand an OTP for elevating privileges [on Linux].
Looks like windows supports OTP, but only with a dedicated server handling the authentication -- does anyone know if there's an easy way to demand OTP for UAC elevation to local admin on a stand-alone windows 8.1 workstation?
[edit: for Linux/freeBSD the libpam-oath package/toolkit can be used to enable TOTP (Time Based One-time Passwords) that are compatible with Google Authenticator -- there are a lot of tutorials on how to use it with openssh (and with the new ability to demand a set of authentication methods, how to demand eg: both ssh-key and a TOTP). With a little familiarity with pam, it's easy to set up for demanding OTP for sudo. AFAIK OS X also supports pam -- but if the gui allows the system to be backdoored, there's not much point...]
Still, you should be locking the screen if you leave your device unattended. The only things OTP guards against in a physical access scenario are hardware keyloggers and shoulder-surfing, neither of which were part of this attack.
 😉 Just kidding, mostly.
Well, yes. But in the case of bsd/Linux, if your user is in the sudo group/file -- requiring OTP on privilege escalation would help. While in many common configurations, when sudo is set to prompt for a password, it'll also cache that for a certain period.
If* you could make window UAC ask for an OTP (or password) rather than just accept a click on OK, it would also help in this scenario. Note that OTP for every UAC prompt would probably be quite annoying even in windows 8 -- but possibly more manageable than typing in a (secure) password.
But since Teensy is a different beast, maybe there could be some new neat things you could do with it.
I can't recall the URL and Google-fu is failing me right now, though.
In my example, we interestingly see how by default, OS X does not require additional permissions in this unique scenario. Crazy!
The exploits that could lead to privilege escalation are a different matter (imo they should be fixed).
This hack is very relevent for personal computers, where the user account (in windows i.e.) is an admin and plugging in a USB device does not seem as dangerous as you demonstrated it is.
But I was more thinking about corporate computer systems where such an exploit should only last one session (except for privilege escalation, as OP mentioned).