1

When you plug a smartphone into a USB port on a Windows 7-10 computer, often a small message box pops up on the Windows device indicating that drivers are being installed. This happens automatically without any user intervention.

As opposed to a similar question I apparently asked over 4 years ago (oh dear), for this question I'm interested in drivers that are installed automatically on the Windows box without any user interaction.

What is the source of those drivers? Do they ever come from the phone itself? Are there any security risks involved with this? Specifically, I'm wondering if there is any risk of plugging in phones manufactured by companies with questionable reputations.

Please note that for this question I'm concerned about the security of the Windows computer, and not the smartphone.

  • 3
    Does this answer your question? [Is it safe to install phone driver?](https://security.stackexchange.com/questions/145819/is-it-safe-to-install-phone-driver) – nobody Feb 16 '21 at 17:30
  • @nobody Who is that smart person who wrote a similar question over 4 years ago? I need to meet them... LOL. Oh dear, my memory "ain't what it used to be", and apparently neither are my search skills. Upon reading that old question, the big difference with this one is that I'm asking about drivers that are installed without any user interaction. So I think this question is still worthwhile, even if I had completely forgotten about that old one (thank you for finding it). Now the big question: What did I have for breakfast this morning? I have *no* idea. ;) – RockPaperLz- Mask it or Casket Feb 16 '21 at 17:41
  • LOL. Anyways to answer your question, drivers are only automatically installed if they are digitally signed by a vendor that Windows/Microsoft trusts. (If any vendor is found abusing the trust, they would probably stop being trusted.) But if you choose to be paranoid, you can disable automatic driver installation. Or only plug in phones from vendors you trust. – nobody Feb 16 '21 at 17:50
  • @nobody I'm glad you find my slow road to dementia humorous! So far, I do too. ;) Thanks for the info on the digital signatures. Are they supposed to be automatically verified to see if they are still valid, or is it "once a driver is signed, it's always signed"? Also, how do you disable automatic driver installation? (I honestly haven't searched yet because I apparently need to take a nap, so I won't be offended if you tell me to just look it up.) – RockPaperLz- Mask it or Casket Feb 16 '21 at 17:59
  • They are automatically verified. And I think [this](https://superuser.com/questions/954184/disable-automatic-driver-installation-in-windows-10) should work, although I haven't tested it. – nobody Feb 16 '21 at 18:06
  • @nobody Thanks. I need to plug in some phones and look at the firewall logs. IIRC (which is very questionable given recent events!), I think Windows will still install the drivers even if it cannot verify them. I'm not sure, though, so I need to verify that one way or another. – RockPaperLz- Mask it or Casket Feb 16 '21 at 18:13
  • From the [PNP documentation](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/digital-signatures-and-pnp-device-installation--windows-vista-and-late), unsigned or modified drivers will not be installed automatically. I thought the docs also talked about revoked certificates, but I was wrong. However, I do remember having trouble installing a printer driver because of either an expired or revoked key certificate, not sure which. – nobody Feb 16 '21 at 18:30
  • Since your title generally asks about risks - there is also the risk of the smartphone working like a USB storage, like a keyboard, like a network card etc - with all the risks this causes to the attached computer. No drivers on the computer might be needed for doing this. See for example https://stackoverflow.com/questions/9805731/is-it-possible-to-program-android-to-act-as-physical-usb-keyboard – Steffen Ullrich Feb 16 '21 at 20:14

2 Answers

1

For automatic driver installation specifically:

Windows installs drivers automatically if they are in-box (that is, included with the OS), or if they are on Windows Update and you have the optional (but I think enabled-by-default) feature to search Windows Update for needed drivers. In both cases, these drivers will be "blessed" by Microsoft with a WHQL (Windows Hardware Qualification Labs) signature - this is necessary to install a driver in 64-bit Windows at all, unless you mess with the boot parameters - meaning that they have been tested for some level of correctness and also come from a known, verified vendor.

Note that WHQL signatures, and even in-box or WU distribution, do not guarantee that the driver has no security vulnerabilities. Driver security is a complicated topic that lots of hardware vendors make mistakes on - there was a high-profile case recently where NVIDIA's graphics driver was found to have some serious vulnerabilities and they pushed an urgent patch - and of course drivers have such a privileged position that vulnerabilities in them can compromise the entire system. On the other hand, if a driver isn't loaded, it doesn't matter how vulnerable it is, and loading a driver requires Admin privileges so low-privilege malware can't just load a known-vulnerable driver to gain an EoP vector.

WHQL also doesn't guarantee the stability of the driver, beyond basic steps like loading and unloading. Driver instability has long been a leading cause of kernel panics (Blue Screens of Death), though it's unlikely for any WHQL driver to cause a BSOD just from plugging in its hardware.

Also, depending on the phone and how it's configured, the phone itself might not need its own driver. A phone that is connected in USB Mass Storage (UMS) or Media Transfer Protocol (MTP) modes will use a generic Windows driver that supports such modes. These drivers are written by Microsoft and subjected to extensive testing (though of course there can still be bugs).

Do note that, for "active" multi-function devices like smartphones, there may be many different drivers, as the device can present itself as any kind of USB device or even as a hub (which has its own generic driver) with many different devices connected to it.


Outside of drivers specifically, smartphones could also be used for other attacks. There are many kinds of malicious USB devices out there, such as "Rubber Duckies" that type attacker-chosen keystrokes at superhuman speed, or even a "USB Killer" that uses a large power surge to destroy the USB port and possibly other components. Plugging in unknown, untrusted USB devices is risky behavior, and that includes phones!

CBHacking
0

I just tried plugging in a Samsung Galaxy S21 (a new device released this month) in my updated Windows 10 desktop for the first time and noticed that several drivers were installed. The drivers are signed by Microsoft and according to the event logs they seem to be already present in the OS. I can see a list of different driver names that are standard in Windows.

I also tried to connect the same phone for the first time to a laptop in airplane mode (no network/internet connectivity) and the same happened there, so the drivers are not downloaded on the fly as might happen with some devices. According to the logs in event viewer, at least one driver is "using user-mode driver framework", which sounds like a driver that will not have access to the full OS, only the same thing as the current user has access to.

Uninstalling these drivers (with removal of files) from device manager and reconnecting the phone results in devices in device manager that have a warning symbol because needed drivers are not installed. This seems to prove that:

The source of the drivers is Windows 10 itself, and not the phone

The drivers that were installed are "SAMSUNG Mobile USB Modem" and a device with the name of my phone under "Portable Devices", and the following USB controller devices: "SAMSUNG Mobile USB Composite Device", "SAMSUNG Mobile USB Connectivity Device V2".

About your question if there is a risk for the Windows computer I would say that physical access to USB ports will ALWAYS be a risk.

The phone can run any type of software and communicate with the USB port in many ways. It could claim to be a USB hub with several USB HID devices connected, like a keyboard sending any key presses to the system, including things like WIN+R followed by a command that deletes data and Enter. It could probably also exploit any weaknesses in the USB protocol or already installed drivers that would be activated depending on what USB device the phone will identify as.

The phone device can also host a USB killer which will discharge a high voltage spike into the data pins of the USB port, destroying the motherboard and possibly other components as well.

knowsshit
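The manual check described in the answer above (which drivers Windows bound to the phone, who signed them, and whether they were already part of the OS) can be scripted on the Windows PC. This is an added example, not code from either answerer; the function name `Get-UsbDriverAudit`, the `Review` flag and the set of device classes it flags are assumptions made for illustration.

```powershell
# Added example: list the drivers Windows has bound to USB-attached devices.
# Run on the Windows PC after plugging in the phone.
function Get-UsbDriverAudit {
    param(
        # Optional 4-hex-digit USB vendor ID to narrow the output to one vendor
        [ValidatePattern('^[0-9A-Fa-f]{4}$')]
        [string]$VendorId
    )

    # Assumption for this example: classes that give a "phone" keystroke,
    # pointer or network reach into the host deserve a second look.
    $reviewClasses = 'Keyboard', 'Mouse', 'HIDClass', 'Net'

    Get-CimInstance -ClassName Win32_PnPSignedDriver | ForEach-Object {
        # USB devices and their child interfaces carry VID_xxxx&PID_xxxx
        # in the device instance ID (USB\..., HID\...).
        if ($_.DeviceID -notmatch 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') { return }
        $vid       = $Matches[1].ToUpper()
        $productId = $Matches[2].ToUpper()
        if ($VendorId -and $vid -ne $VendorId) { return }

        [pscustomobject]@{
            Device   = $_.DeviceName
            VidPid   = "${vid}:${productId}"
            Class    = $_.DeviceClass
            Inf      = $_.InfName
            # Driver packages staged after OS setup (Windows Update or a
            # vendor installer) are renamed oemN.inf; in-box INFs keep
            # their original names such as wpdmtp.inf or usb.inf.
            Source   = if ($_.InfName -match '^oem\d+\.inf$') {
                           'staged after install'
                       } else {
                           'in-box'
                       }
            Provider = $_.DriverProviderName
            Signer   = $_.Signer
            IsSigned = $_.IsSigned
            # Flag unsigned drivers and input/network interfaces
            Review   = (-not $_.IsSigned) -or ($_.DeviceClass -in $reviewClasses)
        }
    }
}

Get-UsbDriverAudit | Sort-Object VidPid, Class | Format-Table -AutoSize
```

Running it before and after connecting a phone and comparing the two listings shows which interfaces the phone enumerated. A row with `Review` set to `True` on a device that should only be a media or storage device is the case the comment and both answers warn about.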