{"id":474067,"date":"2022-12-13T18:02:23","date_gmt":"2022-12-13T16:02:23","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=474067"},"modified":"2022-12-13T18:15:57","modified_gmt":"2022-12-13T16:15:57","slug":"we-built-a-flash-drive-that-hacks-any-computer","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/hardware\/474067-we-built-a-flash-drive-that-hacks-any-computer.html","title":{"rendered":"We built a flash drive that hacks any computer"},"content":{"rendered":"

Using a relatively cheap microcontroller and 3D-printed enclosure, we built a “BadUSB” device that tricks any PC you plug it into that it’s a keyboard.<\/p>\n

It can be programmed to execute a series of keyboard commands, including ones that could let attackers steal data or damage systems.<\/p>\n

A BadUSB is a device that looks like a flash drive but contains a microcontroller that can act as a malicious device when plugged into your computer.<\/span><\/p>\n

One of the most popular BadUSB devices is the Hak5 Rubber Ducky, which can be programmed to automate a vast list of tasks, from automatically setting up a new computer to opening a remote connection for someone to take over your machine.<\/span><\/p>\n

These are available from $59.99 (R1,038, excl. VAT), which makes them a bargain for any hacker or pentester, but it may be a bit much if you only want to see how it works.<\/span><\/p>\n

We decided to build a similar device using a cheap, sub-R100 ATtiny85 development board available from various local suppliers.<\/span><\/p>\n

\"\"<\/a>

ATtiny85 development board<\/p><\/div>\n

The ATtiny85 is a microcontroller that can be programmed using the Arduino IDE, which offers a low barrier of entry.<\/span><\/p>\n

A simple 3D-printed enclosure can make it look like a generic flash drive.<\/span><\/p>\n

\"\"<\/a><\/p>\n

The DigiKeyboard library allows the board to present itself as a keyboard when plugged into a computer’s USB port.<\/span><\/p>\n

This ‘keyboard’ can then execute a bunch of pre-programmed keystrokes and commands to perform tasks on the computer it is plugged into.<\/span><\/p>\n

This may not sound very dangerous until you realise that a keyboard usually has the same privileges as the user sitting in front of a computer.<\/span><\/p>\n

Some basic examples of what a BadUSB can do include a bunch of pranks to more advanced malicious scripts.<\/span><\/p>\n

A simple prank is a Rickroll<\/a><\/strong>, easily opened by pressing Win+R and entering the video URL before pressing enter.<\/span><\/p>\n

\"\"<\/a>

DigiKeyboard C code to RickRoll victim who plugs in BadUSB<\/p><\/div>\n

The same can be done to open any other website automatically \u2014 including ones that could try and phish login credentials.<\/span><\/p>\n

It is also easy to open an administrator PowerShell window with Win+X, A, Left Alt+Y.<\/span><\/p>\n

We used this to collect all the saved Wi-Fi passwords on a device, save them as a text file using comma-separated values, and email them to a predetermined address.<\/span><\/p>\n

Some online examples also show how attackers can use a BadUSB device to install malicious software, such as a keylogger or create a remote connection to an external device.<\/span><\/p>\n

Scripts are available that work on different operating systems \u2014 such as MacOS or Linux \u2014 as keyboards work the same, even if the shortcuts might be slightly different.<\/span><\/p>\n

While a BadUSB can be a fun party trick, it does demonstrate how dangerous it can be to plug unknown USB devices into your machine.<\/span><\/p>\n

It may be a USB drive someone left behind or a BadUSB that takes over your machine and steals all your information.<\/span><\/p>\n

We’ve posted an animated GIF of the BadUSB in action in the forum<\/a><\/strong>. For those on mobile data: it’s 7.3MB big.<\/p>\n

\n

Now read:\u00a0Hacking teams exploit Samsung Galaxy S22 zero-day twice \u2014 win R1.3 million<\/a><\/h2>\n","protected":false},"excerpt":{"rendered":"

We built a BadUSB drive that can hack any PC you plug it into.<\/p>\n","protected":false},"author":341074,"featured_media":474095,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29,15,16],"tags":[41294,83303,83305,35],"class_list":["post-474067","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-gadgets","category-hardware","category-software","tag-arduino","tag-badusb","tag-hak5","tag-headline"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474067"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341074"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=474067"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474067\/revisions"}],"predecessor-version":[{"id":474103,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/474067\/revisions\/474103"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/474095"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=474067"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=474067"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=474067"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}