52

Someone connected their Android phone to my MacBook, and it made me wonder whether this has put my MacBook at risk.

It was for 3 seconds and I was in control of the MacBook the whole time.

Emanuil Rusev
  • 19
    In theory, yes, in practice, probably not. If it had been a Firewire device, quite possibly. – Matthew Jun 09 '16 at 12:55
  • 23
    Is there a reason to suspect that this person is targeting you or your data? Or are you worried about general Android malware that the person would have unwittingly exposed you to? If it's the former, yes, you are at risk from anything plugged into your computer; if it's the latter, nope even the worst Android malware seen in the wild doesn't have any special upstream infection techniques. – Jeff Meden Jun 09 '16 at 14:03
  • @Matthew as long as it's not a USB device from a pentester or similar. I'll just add custom rom to my phone to have it act as a HID device and send out the right sequence of keystrokes. – ewanm89 Jun 09 '16 at 16:31
  • 1
    Good point. Although you would hope those people would be more worried about infection in the other direction too – Matthew Jun 09 '16 at 16:41
  • Cory Klein's answer mentions a "USB condom" and it got me thinking the answer is pretty simple. "Don't let strangers plug things into your ports" and "Don't go plugging your stuff into strange ports." Seems the rules are more universal than our sex-ed teachers thought. – coteyr Jun 09 '16 at 20:10
  • @Matthew Who said I didn't have multiple phones, one setup for said purpose and one I keep clean for personal use? – ewanm89 Jun 09 '16 at 20:19
  • 2
    @MartinCarney Yes, in theory, though you would be limited to the slowest possible charge as it blocks all possible methods of asking for more current. Certainly not so good on a 2A charge tablet, at 500mA it just won't charge, just drain slower. – ewanm89 Jun 09 '16 at 20:21
  • @ewanm89 Today I learned. That explains why my portable charger (which comes with a charge-only cable) won't charge my tablet, just slow how long it takes to run down. – Martin Jun 09 '16 at 23:20
  • 2
    I would carry around a charge-only USB cable. I learned the hard way (when trying to import code onto my Arduino) that such a thing exists (it would only have the +/- wires in the USB cable instead of the data wires); that way data cannot be transmitted. – andyADD Jun 10 '16 at 15:02
  • When I sailed, I had a donut in every port.. err.. another story. Yes.. connecting anything is a risk. 10 years ago (a century in technology), even dumb devices like LCD picture frames, thumb drives etc. shipped with successful malware. Surely, an Android is a risk as well. – Paulb Jun 10 '16 at 18:55
  • Why did he charge his phone for three seconds? – Micheal Johnson Jun 11 '16 at 14:21
  • @MichealJohnson This. If he plugged it in without your permission he is probably not a good guy. – Sebb Jun 11 '16 at 20:54
  • @MichealJohnson It was 3 seconds because I removed it. – Emanuil Rusev Jun 12 '16 at 11:09
  • 3
    It's dangerous -- you can catch Android, which slowly turns your Macbook into a Chromebook. Remember, only use your Macbook to charge iPhones! – Federico Poloni Jun 13 '16 at 06:16
  • You can turn the phone off and then charge it with a USB cable connected. That removes the risk of having a 'live' O/S connected to your Mac and mitigate the risk... –  Jun 12 '16 at 20:56

6 Answers

62

Yes.

Android devices have the capability to act as basically any USB device.

This opens up gates for all kinds of BadUSB attacks like

A Rubber Ducky attack, which types in scripts very fast (almost unnoticeable by the user) by acting as a keyboard (HID, Human Interface Device).

Then it could act as a network device and set up MITM.

These two are done by emulating normal USB devices.

Also, USB exploits specific to the OS or platform may be used.

If you want to try these you can try NetHunter.

https://en.wikipedia.org/wiki/NetHunter

https://nakedsecurity.sophos.com/2014/08/02/badusb-what-if-you-could-never-trust-a-usb-device-again/

  • 2
    what if the session is locked? the device has to guess the password, right? – Display Name Jun 10 '16 at 11:56
  • @SargeBorsch If the session is locked using a password, normal Rubber Ducky attacks won't work. But USB exploits usually work. I remember reading about a thumbnail exploit used to run code cos the thumbnail cache process was running even when locked. –  Jun 10 '16 at 13:24
  • @SargeBorsch I think MITM will work even with session locked. –  Jun 10 '16 at 13:24
  • but how? USB devices do not receive all key presses. And even if they could act as a display, password characters are usually masked on screen. – Display Name Jun 10 '16 at 13:36
  • @MITM works by the USB device acting as a network or device similar to USB-LAN device. As long as USB device driver is loaded the attack works. I don't know if USB devices are loaded in Mac during lock state. –  Jun 10 '16 at 13:58
  • @SargeBorsch Also by USB exploits I don't mean Rubber ducky attacks. I mean the attacks that exploit driver loading of USB devices. –  Jun 11 '16 at 09:29
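
The answer and comments above turn on what a plugged-in phone claims to be. As an added example (not part of the original answer or comments), this walks a raw USB configuration descriptor and names the interfaces that can inject input or carry network traffic; the descriptor bytes are constructed samples and the function names are hypothetical.

```python
import struct

DT_CONFIG, DT_INTERFACE = 0x02, 0x04      # bDescriptorType values
HID, CDC, CDC_DATA = 0x03, 0x02, 0x0A     # USB-IF base class codes
RNDIS = (0xE0, 0x01, 0x03)                # class/subclass/protocol for Remote NDIS

def parse_interfaces(blob):
    """Return (class, subclass, protocol) for every interface descriptor."""
    found, off = [], 0
    while off + 2 <= len(blob):
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            found.append(tuple(blob[off + 5:off + 8]))  # bInterfaceClass..Protocol
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after last descriptor")
    return found

def risky_functions(blob):
    """Name interfaces that can type for the user or become a network path."""
    hits = []
    for triple in parse_interfaces(blob):
        cls, sub, proto = triple
        if cls == HID and sub == 0x01 and proto == 0x01:
            hits.append("HID keyboard")
        elif cls == HID:
            hits.append("HID (other)")
        elif triple == RNDIS:
            hits.append("RNDIS network adapter")
        elif cls in (CDC, CDC_DATA):
            hits.append("CDC communications/network")
    return hits

def _iface(num, cls, sub, proto):  # helper that builds constructed sample data
    return struct.pack("<9B", 9, DT_INTERFACE, num, 0, 0, cls, sub, proto, 0)

def _config(*ifaces):
    body = b"".join(ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 250)
    return head + body

# Constructed samples: a phone in PTP mode, and one that also claims keyboard + RNDIS.
PLAIN_PHONE = _config(_iface(0, 0x06, 0x01, 0x01))
COMPOSITE = _config(_iface(0, 0x06, 0x01, 0x01), _iface(1, HID, 0x01, 0x01), _iface(2, *RNDIS))

if __name__ == "__main__":
    print(risky_functions(PLAIN_PHONE), risky_functions(COMPOSITE))
```
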
17

This could get dangerous if you have autorun enabled. Malware can get executed automatically this way. "Fortunately" autorun isn't possible in vanilla Mac OS X, so you shouldn't be too worried. (Of course there are many more possibilities to run malicious software too.)

The smartphone pretty much acts like a USB stick. So every security risk you get with plugging in a USB stick also applies to smartphones.

licklake
  • Well, when we connected the Android phone, an iCloud popup showed up advertising photo syncing - do you think this could mean that autorun is enabled? – Emanuil Rusev Jun 09 '16 at 12:56
  • I am no expert on Macs, so I can't tell you for sure. But there are always some exploits out there, so it's imaginable that software can get executed this way. – licklake Jun 09 '16 at 13:03
  • 13
    @EmanuilRusev Since it's highly unlikely that an Android device would contain autorun software for iCloud (unless they were somehow personally targeting you) I would suspect that the iCloud popup was simply your MacBook's response to seeing that the connected usb device had photos on it. Try it with a normal usb stick that has a few JPGs on it, and you will probably see the same screen. – Jeff Meden Jun 09 '16 at 13:58
  • 1
    @JeffMeden Several android devices connect using camera protocol (PTP), that is what probably prompted the photo popup. – Mindwin Jun 09 '16 at 15:36
  • 7
    No need for autorun, all one needs to do tell the USB to emulate a keyboard and send the keystrokes to do whatever... – ewanm89 Jun 09 '16 at 16:29
  • @ewanm89: keystrokes alone don't work as well on a mac as they do windows... – dandavis Jun 09 '16 at 18:58
  • 7
    @dandavis Yeah, clearly a unix based operating system is nigh impossible to configure without a mouse. Any reference for that weird claim? – Voo Jun 09 '16 at 18:58
  • you typically need sudo or swiping to make things stick around on a mac... i didn't say it's impossible, just not as wide-open as most off-the-shelf PCs, and there are fewer mac exploit tools for low-skill attackers – dandavis Jun 09 '16 at 18:59
  • 5
    @dandavis in other words it's as open as a standard user on windows or linux... funny that is. And if someone is emulating HID and sending scripted keystrokes then I wouldn't call it low-skill. Automated yes, low-skill, no. Privilege escalation exploits do exist, popping the terminal with just the keyboard is easy, and emulating keyboard is HID, which means I can emulate mouse just as easily. – ewanm89 Jun 09 '16 at 20:04
  • @dandavis also my reply was countering lack of autorun as a defense and at that point autorun or emulating HID method I'm using the same privilege level to start with. If we want to get downright nasty, it's not unknown for USB controller drivers to be exploitable by a device. – ewanm89 Jun 09 '16 at 20:15
  • @ewanm89: oh it's a problem for sure, safer!=safe. i just wanted to point out that windows, especially older versions, is easier to own with such techniques. – dandavis Jun 09 '16 at 23:18
  • @ewanm89 No, there's a big difference in security. In mac, there's a difference between admin and root and so you have to re-type your password to become root before you do anything serious. On Windows, you just say, "ok". See this article by Jeff Atwood for more info: https://blog.codinghorror.com/choosing-anti-anti-virus-software/ – BonsaiOak Jun 09 '16 at 23:51
  • 3
    @bonsaioak only if you are logging in to an account with admin privileges else it asks for username and password for uac escalation. Maybe we should enable root account on Mac and log in directly with that and compare. Or modify sudoers to not need password for any escalation. I am a UNIX guy though, give me Linux or FreeBSD any day, but don't drink the Kool-Aid that it is more secure just because it isn't configured correctly. – ewanm89 Jun 10 '16 at 07:42
  • @BonsaiOak oh, and when changing password through system preferences, OSX edits /etc/shadow without asking for password for something that needs root permissions from an admin account. In fact none of the GUI apps require one to re-enter password for things like formatting disks, basically you can bypass it if you go through Apple APIs through say AppleScript. It is only asked to get root directly on the terminals via sudo. – ewanm89 Jun 10 '16 at 07:56
16

Yes, but you can mitigate the risk by using a USB condom that does not connect the cables that convey data and communication, but leaves the charging pins live.

You would still be exposed to attacks that can take place over the power cables, such as the device supplying a very high voltage or current back to your laptop. Presumably MacBook USB ports have taken some preventative measures against this kind of attack, but I don't know for sure.

Cory Klein
  • As the attacker currently didn't use the USB port before you, softwarematically disabling the usb may also do the trick. Not sure if it will still charge, but here is a description of how it can be done: Browse to ‘/System/Library/Extensions’ folder on the system disk. Remove both IOUSBMassStorageClass.kext and IOFireWireSerialBusProtocolTransport.kext which are found in this directory. Reboot the machine. (Putting them back will probably restore the ports) – Dennis Jaheruddin Jun 10 '16 at 13:31
  • 1
    @DennisJaheruddin This might prevent the OS from interacting intentionally with that USB port, but do you know it doesn't permit that USB port from interacting with the hardware USB controller in a malicious way? – Yakk Jun 10 '16 at 15:30
7

There's also the possibility that it's not actually an Android phone, but a "USB Killer" of some sort:


This is a device which, when connected to the USB port, will send -220 volts down the data / power lines, thereby frying the USB controller and possibly other components of your laptop. This one looks like a flash drive, but it could easily be made to look like an Android phone.

I don't think this is a significant risk though, unless someone is targeting you and wants to destroy your laptop for some reason.

Jonas Czech
  • 3
    Scared me. So diabolical. I'm sleeping with one eye open tonight. – Paulb Jun 10 '16 at 18:57
  • One could fit a lot of power storage caps inside a phone-sized device.... BRB! – Criggie Jun 11 '16 at 23:59
  • 1
    @Paulb that won't help you. Instead of getting your laptop fried (property damage + break and entry, easily suable) you end up in a bloody fight (lots of physical pain, risk of death, can be sued for defending yourself too well) – John Dvorak Jun 12 '16 at 06:33
5

There is always the possibility that someone could have found a vulnerability that could abuse the system at any level. Vulnerabilities have been found continuously on all systems throughout the history of computers, so it is not impossible.

That said, the risk seems fairly low.

Julie Pelletier
  • 2
    USB is a well-known attack vector, but you don't need any exploit or to find a vulnerability. That's working as intended. The only thing one has to do is claim to be a USB keyboard and then do whatever you want. There are some recent mitigations as additions to the Linux kernel (the user is basically asked what kind of device they're plugging in) but in all mainstream OSes it's really simple to exploit. – Voo Jun 09 '16 at 18:58
  • 2
    Your answer boils down to "Anything's possible." That's not a very useful answer. – Martin Jun 09 '16 at 19:37
  • 3
    Martin, how would you answer if I asked you if I had any chance of catching an unknown disease when going somewhere? There can **not** be a definite answer. – Julie Pelletier Jun 09 '16 at 19:45
0

Depends on the cable. If it's a cheapo "one-size-fits-all" charger cable like this (sold in chain store pharmacies like CVS, Walgreens, etc.), it might have fewer wires (to save on manufacturing costs). If the data wires don't exist, it can't transmit any data.

Instructables has a how-to for downgrading a four-wire USB data cable to a two-wire charger cable. Summary: open cable sheath, see four wires, leave the red and black, cut the other two, tape it up.

agc