This is just an arduino acting as a HID device that can be controlled from an android phone, right? The slides talk about also acting as a mass storage device for a payload in case there's no internet, but I'm assuming there's no channel back to the arduino/android phone[1] in that case, so you're not going to be able to send screenshots back as described.<p>Basically, if there's internet access to talk to a server, the arduino alone is going to do just as much damage, and if there's not this whole setup is still going to have to send keystrokes blindly and won't be able to exfiltrate data regardless of the android phone controlling everything.<p>Therefore, luckily, I don't think this actually introduces any new threat beyond the existing problem of people already being able to insert random devices that act as keyboards. Unfortunately, this is a hard problem to fix in general, but at least for devices like POS machines it's easy enough to simply not leave the machine logged in.<p>1: It might be possible to use the caps lock status (or maybe a raw HID device?) to get data back, it doesn't sound like Iron-HID is doing this, and anyway the bandwidth probably wouldn't be very high to say the least.