We built a flash drive that hacks any computer
Using a relatively cheap microcontroller and 3D-printed enclosure, we built a “BadUSB” device that tricks any PC you plug it into that it’s a keyboard.
It can be programmed to execute a series of keyboard commands, including ones that could let attackers steal data or damage systems.
A BadUSB is a device that looks like a flash drive but contains a microcontroller that can act as a malicious device when plugged into your computer.
One of the most popular BadUSB devices is the Hak5 Rubber Ducky, which can be programmed to automate a vast list of tasks, from automatically setting up a new computer to opening a remote connection for someone to take over your machine.
These are available from $59.99 (R1,038, excl. VAT), which makes them a bargain for any hacker or pentester, but it may be a bit much if you only want to see how it works.
We decided to build a similar device using a cheap, sub-R100 ATtiny85 development board available from various local suppliers.
ATtiny85 development board
The ATtiny85 is a microcontroller that can be programmed using the Arduino IDE, which offers a low barrier of entry.
A simple 3D-printed enclosure can make it look like a generic flash drive.
The DigiKeyboard library allows the board to present itself as a keyboard when plugged into a computer’s USB port.
This ‘keyboard’ can then execute a bunch of pre-programmed keystrokes and commands to perform tasks on the computer it is plugged into.
This may not sound very dangerous until you realise that a keyboard usually has the same privileges as the user sitting in front of a computer.
Some basic examples of what a BadUSB can do include a bunch of pranks to more advanced malicious scripts.
A simple prank is a Rickroll, easily opened by pressing Win+R and entering the video URL before pressing enter.
DigiKeyboard C code to RickRoll victim who plugs in BadUSB
The same can be done to open any other website automatically — including ones that could try and phish login credentials.
It is also easy to open an administrator PowerShell window with Win+X, A, Left Alt+Y.
We used this to collect all the saved Wi-Fi passwords on a device, save them as a text file using comma-separated values, and email them to a predetermined address.
Some online examples also show how attackers can use a BadUSB device to install malicious software, such as a keylogger or create a remote connection to an external device.
Scripts are available that work on different operating systems — such as MacOS or Linux — as keyboards work the same, even if the shortcuts might be slightly different.
While a BadUSB can be a fun party trick, it does demonstrate how dangerous it can be to plug unknown USB devices into your machine.
It may be a USB drive someone left behind or a BadUSB that takes over your machine and steals all your information.
We’ve posted an animated GIF of the BadUSB in action in the forum. For those on mobile data: it’s 7.3MB big.
Now read: Hacking teams exploit Samsung Galaxy S22 zero-day twice — win R1.3 million
Loading ...