Phone Disguised as Keyboard Can Hack Computer

News
By Marcus Yam
published

You know it's a phone, but does your computer know that?

We plug a lot of things into our computers without thinking about it. That’s one of the wonders of USB, which has made it exceptionally easy to connect all sorts of different peripherals to our computers while using one standard plug.

Of course, this kind of ubiquity along with our carefree spirits presents a massive security hole. Computer security researchers have demonstrated how computers can be fooled through the USB port.

A team at the George Mason University used an Android-based Nexus One to fool a laptop that it was a keyboard. Through that, it can issue commands to the computer to steal files and download malware.

This exploit is possible because the USB protocol allows for a connection without authentication. Part of the problem is that operating systems do no prompt the user whether he or she wishes to really connect the peripheral to USB.

In Windows, a little pop up appears briefly informing the user that it's detected a new device. On a Mac, a command can get rid of that notification, and there's no notification at all on Linux.

The malware can be transferred from USB to USB, meaning that a phone could transfer it to a computer, which could then transfer it to another phone when it's connected via USB.

Of course, like the case of staying safe in the real world, just be careful where you choose to plug your ports (or what you allow to be plugged into your ports).

Read more at Cnet.

Marcus Yam
Marcus Yam
Marcus Yam served as Tom's Hardware News Director during 2008-2014. He entered tech media in the late 90s and fondly remembers the days when an overclocked Celeron 300A and Voodoo2 SLI comprised a gaming rig with the ultimate street cred.
22 Comments Comment from the forums
  • aznguy0028
    "Of course, like the case of staying safe in the real world, just be careful where you choose to plug your ports (or what you allow to be plugged into your ports)."

    GIGGIDY!
    Reply
  • barmaley
    Now they are going to make keyboards that will function as "keyboards" but will also have cell phones built into them. That way it will act as a key logger and will email out credit card numbers and passwords via cell phone network. No firewall will ever save you from that. They can make the keyboards look like generic ones from Dell and Microsoft. So, the new generation of burglars will not steal your grandma's engagement ring. They'll steal your keyboard and replace it with their own and then max out your credit cards and take everything you have in the bank!

    I love technology, but I hate it when it turns around and bite me in the ass!
    Reply
  • joytech22
    Ooh! maybe now I can secretly upload a bandwidth capper onto a few computers and have it all to myself mwahaahw!

    Or I could get into serious trouble, sooo not going to happen. :)
    Reply
  • cmcghee358
    This is precisely why you can no longer plug in any personal or unauthorized USB device into an Air Force computer. I can't go into specifics, but needless to say this was a long standing breach that was exploited by our neighbors for YEARS.
    Reply
  • Scott2010au
    The Defence forces appear far more concerned about data theft than being hacked. The most secure machines & staff will not even be exposed to the cellular network in the first place - by various means.
    Reply
  • Onus
    Didn't Stuxnet get in on a USB drive?
    Reply
  • guardianangel42
    jtt283Didn't Stuxnet get in on a USB drive?Thats the running theory. I'm sure no one really KNOWS how exactly a sophisticated virus got onto Iranian computers that were isolated from the internet via hardware but the most likely method of delivery is USB.

    I don't know the code of the thing (And even if I did I'd still be clueless) but it might contain the ability to piggyback on a burn process. I'm not really sure.
    Reply
  • Scott2010au
    I believe Symantec have the answers you are looking for re: Stuxnet
    Google: +Symantec +Stuxnet

    There's a good YouTube video here: http://www.youtube.com/watch?v=cf0jlzVCyOI

    Yes, They believe it was via USB key.
    Reply
  • Kylehume
    I think that's good advice for your 'personal' life, too-

    "just be careful where you choose to plug your ports (or what you allow to be plugged into your ports)."
    Reply
  • jaybus
    Given physical access and ample time, there is no machine that is not hackable. Now what is scary is Bluetooth.
    Reply