• Potatos_are_not_friends@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    9 months ago

    Isnt the average Windows user not logged in as admin?

    Most Americans I know own their own computer. Unless it’s with young kids in the house, every individual windows PC is one account with admin access.

    • heavy@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      9 months ago

      You would also get several prompts asking if you want to do this, both from Windows under UAC (by default, even if you can escalate), the Android driver, and the phone itself. It’s rarely the case now that Windows users execute privileged actions without notification, but it’s possible.

      I don’t want to discourage people testing ways to compromise security for the good of everyone, but this is a well known vector and a lot of jumps have to succeed to give the attacker value.

      You can cut down a lot of room for failure by just using a rubber ducky USB instead. It doesnt have to be an Android phone. Even then, there’s more than a few controls in the way.

      • azron@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        9 months ago

        No one pays attention to the prompts. If you’ve ever watched a standard computer user they click away a prompt as fast as it appears without even reading it.

        • heavy@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          1
          ·
          9 months ago

          So I understand better, could you explain the scenario where you would use this and what it would get you as the attacker?

          Is it like: “Hey bud, please plug my phone into your computer.” Then, they click through everything, you get privileged execution, and you choose to modify the hosts file?

          You believe that would have a high chance of success? What do you get afterwards?

    • Downcount@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      edit-2
      9 months ago

      I also own my computer. Doesn’t hold me back to remove my user all admin rights. If you still log in with admin rights, being hacked by a charging phone won’t be the first bad thing happening to your system.