Q&A: Explaining how the Nexus One was used to take control of a host computer

Two researchers from George Mason University, Dr. Angelos Stavrou, and Zhaohui Wang, have demonstrated the ability to use a smartphone (a Nexus One, but Dr. Stavrou says this applies to the iPhone as well) as a HID (Human Input Device) via USB.  Simply put, just plugging the phone into a computer causes it to act as a mouse or keyboard, with no server on the computer in question, and offers little or no warning on the computer screen. 

Usually we would call something like this one one helluva cool hack, but there's a scary side, too.  The exploit could be made viral, on Windows, Mac, and Linux.  According to Dr. Stavrou;

"Say your computer at home is compromised and you compromise your Android phone by connecting them, Then, whenever you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise other computers off that Android. It's a viral type of compromise using the USB cable."

That caught our attention, so we reached out to Dr. Stavrou, who was kind enough to answer a few questions for us.  Read the rest, after the break.  [CNet]

How is this different from existing applications that turn your Android smartphone into a HID via WiFi, Bluetooth, or USB?

I think that you refer to "soft" HIDs (i.e. VNC, thin-client) type of keyboards. These approaches have to be exported by the remote computer (i.e. approved) and they are done over the network. This cannot be done stealthily as I mentioned and has to be configured in the victim (remote) computer.

Applications you download from the Android market that appear to do the same thing, require a server component to be installed on your computer.  This exploit not only doesn't need input on the computer side, it also can pass itself on to the host computer, infecting it with the components needed to compromise the next phone you plug in..  Think when you plug your USB mouse into a computer -- the little pop-up you see in the system tray (Windows, Mac -- Linux gives no notification by default) is all the warning you'll get.  A few seconds later the phone can control the computer, just like the "real" peripherals can.

Does your exploit disable screen locks on the affected computer?

Our approach acts as a keyboard. If the phone is connected while there is a screen lock then we cannot disable that but we can reboot the machine (with ctr-alt-del) if this is permitted by the screen lock. We do not claim that we can hack any passwords or screen locks.

This is relieving, but the guy at the airport that asks if he can charge his phone from your laptop could also (in theory) download and install something a good bit worse -- like a keylogger.

Does this exploit give any more power or tools to an attacker than the physical keyboard or mouse that's attached to the computer in question?

Not in the case that you connect a HID device. In our talk, we explained that you can pretend to be a USB ethernet card receiving all the traffic from the victim machine. Also, you can use the classic autorun attack but mount and remount many times per second because you control the remote mounting point (unlike a flash drive where you get only one chance). In that regards, our attack is more general than just plugging in a HID device.

Things get a little hairy here.  Your new airport buddy could also be grabbing, and analyzing your data by pretending to be a USB wireless card, or trying to run exploits against your computer OS.  And finally, the coolest  part of the exploit, but also the bit that's most interesting to Android fans;

Finally, I want to mention that we crafted a cable that puts the Android phone in "host" mode allowing it to be able to connect as a master to USB devices including other phones. This attack empowers an attacker to perform phone-to-phone attacks.

USB host is cool to play with.  Doing pointless, geeky things like having a 250 GB USB hard drive hooked up to your phone is part of the fun thing about having an Android phone.  These fellows have went a step further and have one phone mounted as a USB device on the other phone. I know we're supposed to take this seriously, but guess what I'm going to try next time I have a bit of free time?

In all seriousness, any bit of code that runs on it's own and can transmit itself from one machine to another isn't a good thing.  But this particular exploit requires you to have physical access to a computer, so it's use case isn't very broad.  It's modifying the running kernel on your smartphone, so root privileges are needed to inject the code, and if you're rooted you should be using the Superuser.apk to warn you about that when it first happens.  And since it is done over a USB cable, you're at most 3 feet from the actual keyboard and mouse.  Don't let random strangers, goofy roommates, or ex-girlfriends use your USB connectors, and things will probably be OK.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.