Skip to main content

Android handset used for USB hack attack

Two researchers have discovered a way of compromising pretty much any computer using nothing more nefarious than an Android handset and a USB cable.

Angelos Stavrou who teaches computer science at George Mason University near Washington DC and his student Zhaohui Wang have rewritten the Android operating system's USB driver so that any connected device can be controlled without authentication and in some cases without alerting the host user.

The attacker is able to type commands and manipulate the mouse pointer as if he were in control of the primary mouse and keyboard.

If you've ever allowed someone to charge their phone using your PC's USB port you'll be aware of the implications here, but we would be more worried about what would happen if you added a wirelss USB dongle into the mix.

How many of us regularly check exactly what is hanging out of the back of our boxes? We know in our case that temporary USB connections are made using either the front panel ports or a desk-dwelling hub. It could feasibly be months before something going bang or a dropped bacon sandwich would force us to assume the position and go crawling around in the dust-ridden zone of spidery doom under our desks.

The software written by the pair automatically detects which operating system is running and can quickly close the notification pop-ups which are a part of Windows but not OSX or Linux. And let's face it, how many of us would think something was awry if a USB device was detected and then disappeared in a fraction of a second? These things happen all the time as USB peripherals have power supply wobbles or a badly-seated cable is wiggled in the wrong way.

"Anti-virus software wouldn't necessarily stop this because it can't tell that the activities of the exploit are not controlled or sanctioned by the user," Stavrou told Cnet (opens in new tab), adding: "It's hard to separate good behaviour from bad behaviour when it comes from the keyboard."

The next stage would be for hackers to write automated scripts which could use the keyboard/mouse exploit to do untold damage to a connected system.

So the next time someone asks you if they can charge their phone using your PC's USB port, tell them to bugger off. Unless it's your mum. And she's not a Black Hat hacker.

ITProPortal.com monitors all leading technology stories and rounds them up to help you save time hunting them down.