Connect a smartphone to your PC and you might be giving it the power to do anything you could do - and its just a matter of creating a USB driver.

You have to admire this idea even though after you know about it you also have to admit that is seems fairly obvious. It's a sort of "why didn't I think of that".

The idea presented by a pair of researchers at the Black Hat DC conference is that you take a smart phone - an Android as it happens but it could be any - and you write a driver to make the USB connection look like a keyboard or a mouse. It's not a completely new idea and has been applied to other devices and other interfaces before.

When the unsuspecting user plugs the phone in to sync it with a PC the mobile phone takes control and does what it likes - well as much as the user typing on the keyboard could do. Clearly the PC can't tell the difference between the fake keyboard and a real one so it can't prevent the attack.

It is also fairly easy to see how to build an eco-system of malware based on the idea. The phone first gets infected with the driver then it infects the PC which in turn spreads and infects other phones. It could be a lot of trouble if it was to be implemented for real and we probably should be thinking of ways of short circuiting the attack. It certainly highlights the insecurity of the USB connection. Users regard the physical nature of the connection to restrict the threat but clearly this isn't the case.

More Information

http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Stavrou