Bad guys can use cute little android to attack PCs by connecting to them via a USB port.

At this year’s Black Hat conference, researchers demonstrated a new way to attack PCs. Just plug in an android phone after you have programmed the programmable USB controller on the phone to pretend to be a keyboard or mouse. The PC has no way of telling a real keyboard from a fake one so it has no idea that something is wrong. Meanwhile, the phone can take control of the computer.

Now the phone is free to install malware, viruses or anything else that can install malware to any other phone that later plug into the PC. The PC has absolutely no defense against this attack.

Using the USB port to attack computers is nothing new. Play Station 3 was the first victim of USB driver’s flaws. What is different is that the hackers were not using flaws in the USB drivers to gain entry. Instead they are pretending to be a different kind of hardware that can operate the computer.

These researchers used android because it is open source and has programmable USB controllers which they programmed to fake being an input device.

What can be done to prevent this kind of attack? Operating systems will need to have the ability to filter USB packets or a protocol will need to be developed that can tell what kind of device is actually connected to the PC. Currently Windows and OS X only ask the device what it is but do not verify that the device is actually what is says it is. Linux doesn’t even check to see what kind of device is plugged in.

Operating system programmers say there is very little actual risk because the hacker has to have physical access to the PC and they could do the same damage just typing on the PC’s keyboard.

I am not sure I agree because I could use my phone to transfer a keystroke logger that can report back to one of my websites whenever the PC connects to the web is just a few seconds if the PC user walks away for a few seconds.

What do you folks think?