Bad USB devices are a broad category of malicious USB devices that perform harmful operations or disrupt the normal operation of a computer system once connected to it. They are a form of proximity attack that exploits both human weaknesses and programming flaws.
Basic categories of Bad-USB devices
There is no official categorisation of Bad USB devices, mainly because each device is designed to solve a specific problem and because they are used in attacks relatively rarely. Based on their functions and the way they are controlled or triggered, I categorise them as follows:
HID emulator
This describes a large portion of such devices. Once triggered, they enumerate on the host as HID devices (keyboards or mice) and replay predefined input. For example, a device could pose as a keyboard that opens a terminal and runs a series of commands as soon as it is connected.
Representative devices
The most representative device in this category is the Rubber Ducky from HAK5, also the oldest Bad USB device sold on the civilian market. It stores its payload in internal flash or on external storage (such as a TF card) and triggers it as soon as it is connected. Some models can double as a USB drive, allowing a payload to run something from that storage or copy content into it. Some also have buttons that trigger actions when pressed.
The cheapest device in this category is the DigiSpark, an ATtiny85-based development board. It consists of only the chip and a PCB with a USB connector, bringing the cost down to around $1.50. However, the onboard resources are limited: 8 KB of flash and only two timers. It is usually used to make disposable devices or for mass deployment.
A more powerful device is the WHID Injector, which adds onboard Wi-Fi through an ESP-12S module. It carries both an ATmega32U4 and the ESP-12S, so all Wi-Fi-related functions are offloaded to the ESP without taking up program space on the ATmega. The device can be controlled over Wi-Fi, through either a web interface or an app, enabling more complex operations and live control.
The WHID Injector has an upgraded version, the WHID Elite. Compared with the standard version it adds a SIM module and an NRF24 chip, so it can be programmed to work with sub-GHz remotes and SMS messages. It also has a battery port, making it an ideal testing platform for these functions.
For a more discreet HID attack tool, the USBNinja disguises itself as a USB cable. It uses a very small Arduino-based controller that hides entirely within the USB connector on one end and is controlled via Bluetooth. Until triggered it works as an ordinary USB 2.0 cable; once triggered, it re-enumerates as a keyboard and runs the designated payload. It can hold two payloads at once and uses a magnetic switch to enter the bootloader.
P4wnP1 is a relatively old and unmaintained project: a set of software and scripts that turns a Raspberry Pi Zero (W) into a Bad USB attack tool. Being based on the Raspberry Pi, it lets you use the advanced functions of a small Linux machine to support an attack, and it comes with a web UI for easier control. Unfortunately, the project has not been updated in the past six years (four years for the ALOA version), so it does not run out of the box on later Raspberry Pi models: the base image is too old to contain the kernel drivers the newer boards need, so you must first update the image on an old model.
A friend of mine, Wu Xu Shang Zeng, created an all-encompassing Bad USB testing platform named Xu. It comes in two versions: a standard one in a USB thumb-drive enclosure and a “mega” version with multiple input switches, a screen and Wi-Fi. The mega version is designed not only as a USB attack tool but also as a testing ground for different payloads: it can hold 16 payloads and uses hardware switches to trigger them, while the screen displays live debugging information.
Traits and weaknesses
This type of Bad USB device is common because of its greatest strength: it is almost impossible to defend against. On connection it poses as an HID device, which most computer systems cannot filter. Only a few hardened hardware platforms can be restricted to recognised HID devices, such as keyboards with a special chip. On most commercial computers the HID payload will run successfully as soon as the device is connected.
Another advantage of these devices is that they are either very cheap, which suits large-scale deployment (for example, hundreds of them could be scattered outside to be picked up), or they have advanced functions such as remote control, enabling live and persistent exploitation of the system.
Their biggest limitation, however, is that the payload is executed as keyboard or mouse input, so there is very little it can do without the right credentials. A common workaround is to use the keystrokes to launch a more capable tool that handles privilege escalation, backdoor installation and so on directly on the target machine (rather like slipping malware onto a machine while the owner is not looking).
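The filtering problem described above has one practical counter on the host side: an allow-list that pins accepted HID devices to a known identity and flags composite “keyboards”, which is the approach tools such as USBGuard take. The following is an added example, not the post's own code; the interface class codes are the standard USB values, while the allow-list entry and the sample devices are constructed.

```python
"""Allow-list check for newly attached USB devices (added example).

Each record is a constructed stand-in for what a host reads from a
device's descriptors: vendor ID, product ID, serial number and the class
code of every interface. Class codes are the standard USB ones: 0x03 HID,
0x08 mass storage, 0x02 CDC (the class USB network gadgets appear under).
"""
from dataclasses import dataclass

HID, CDC, MASS_STORAGE = 0x03, 0x02, 0x08

@dataclass
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: list

# Hypothetical allow-list of known input devices; the VID/PID/serial
# triple below is constructed, not a real product.
ALLOWED_HID = {(0x1234, 0x0001, "KB-0001")}

def assess(dev, allowed=ALLOWED_HID):
    """Return policy findings for one device; an empty list means allow."""
    classes = set(dev.interface_classes)
    findings = []
    if HID in classes:
        # The OS trusts keystrokes from any HID device, so identity must
        # be pinned to a known VID/PID/serial rather than to the class.
        if (dev.vid, dev.pid, dev.serial) not in allowed:
            findings.append("HID interface from a device not on the allow-list")
        # A "keyboard" that also exposes a drive or a NIC is the composite
        # shape Rubber Ducky-style tools take; flag it even if allow-listed.
        if MASS_STORAGE in classes:
            findings.append("composite HID + mass storage")
        if CDC in classes:
            findings.append("composite HID + network interface")
    return findings

def review(devices, allowed=ALLOWED_HID):
    """Findings keyed by 'vid:pid' for every device that needs a human look."""
    return {f"{d.vid:04x}:{d.pid:04x}": f for d in devices if (f := assess(d, allowed))}

# Constructed sample attach events
SAMPLES = [
    UsbDevice(0x1234, 0x0001, "KB-0001", [HID]),         # the known keyboard
    UsbDevice(0x1234, 0x0002, "", [HID, MASS_STORAGE]),  # drive that also types
    UsbDevice(0x1234, 0x0003, "CAM-7", [0x0E]),          # video class, no HID
]
```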
Network device emulator
A less common type of USB penetration device mimics a network device, such as a USB Ethernet adapter or Wi-Fi dongle, and performs a man-in-the-middle (MITM) attack. Because the USB protocols for these device classes are complicated, this is usually implemented with the Linux USB gadget framework.
Representative devices
The most iconic device of this type is PoisonTap, an open-source project that turns a Raspberry Pi Zero into a malicious network interface. On connection it announces itself as a network device whose subnet is 0.0.0.0/0, essentially the entire address space. Some operating systems then treat it as the higher-priority interface, because the subnets of every other network device (such as 192.168.0.0/24 for a typical home router) fall within its subnet, and route all network traffic through it. It can then carry out common attacks such as certificate hijacking, credential theft and DNS/cache/cookie poisoning (hence the name), or even leave a persistent backdoor via cookie poisoning that keeps working after the device is unplugged.
Traits and weaknesses
These devices are unusual in that they rely on known design flaws in operating systems. They usually work only on a limited set of operating systems and require some activity on the host (they do nothing until a network request is made). Although a Linux device can, in theory, run in several gadget modes at once, no published project currently combines an HID attack device with a network attack device.
However, this type of device has a significant advantage over HID emulators: it reuses an existing and relatively mature attack vector. There are many exploitation tools for network-layer attacks, and running the attack on the device itself bypasses most host-side protections.
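The 0.0.0.0/0 trick described above leaves a visible trace in the host's routing table, which a defender can check for. This added example (not part of the original post) parses `ip route`-style lines; the table, interface names and metrics are constructed, and the lookup is a simplified model of longest-prefix, lowest-metric selection rather than any particular OS's full logic.

```python
"""Spot the PoisonTap routing pattern in a Linux route table (added example).

Parses lines in the format printed by `ip route` (the sample table below is
constructed, not captured) and reports any on-link route ("scope link", no
gateway) whose prefix is implausibly wide: a directly connected /8 or wider
means the host believes a huge slice of the Internet sits on that interface.
A simplified longest-prefix, lowest-metric lookup then shows who gets traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    scope: Optional[str]
    metric: int

def parse_route(line: str) -> Route:
    tok = line.split()
    dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]   # `ip route` prints /0 as "default"
    if "/" not in dest:
        dest += "/32"                                        # host route
    kv = {}
    for i, t in enumerate(tok[1:-1], start=1):               # keyword/value pairs
        if t in ("dev", "via", "scope", "metric", "proto", "src"):
            kv[t] = tok[i + 1]
    return Route(ipaddress.ip_network(dest, strict=False), kv.get("dev", "?"),
                 kv.get("via"), kv.get("scope"), int(kv.get("metric", 0)))

def suspicious_onlink(routes, max_prefix=8):
    """On-link routes claiming a directly connected subnet of /max_prefix or wider."""
    return [r for r in routes
            if r.scope == "link" and r.via is None and r.dest.prefixlen <= max_prefix]

def pick_route(routes, dst: str) -> Route:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst)
    return max((r for r in routes if ip in r.dest),
               key=lambda r: (r.dest.prefixlen, -r.metric))

# Constructed table: a laptop on Wi-Fi (metric 600) after a gadget on usb0
# handed out a 0.0.0.0 netmask and received the lower "wired" metric 100.
SAMPLE_TABLE = [
    "default via 192.168.0.1 dev wlan0 proto dhcp metric 600",
    "192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.42 metric 600",
    "default dev usb0 proto kernel scope link src 1.0.0.1 metric 100",
]
```

The on-link /0 on usb0 ties with the real default route on prefix length and then wins on metric, so every non-local destination is handed to the gadget while the 192.168.0.0/24 route keeps LAN traffic on wlan0.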
Physical damaging
Only one device (and its replicas) does this: the USB killer. It contains a voltage-boosting circuit that charges internal capacitors to hundreds or even thousands of volts and then discharges them into the data lines of the USB port, damaging the host. Charging usually takes a second or two, after which a distinct sound can be heard as the capacitors discharge.
An official USB killer is quite expensive. However, some people have suggested using a mosquito zapper, keeping only the battery set and the capacitors, and connecting it to the data lines on a USB port. This essentially reuses electric waste and keeps the cost to a minimum.
Traits and weaknesses
The USB killer is easy to use and is often disguised as a regular USB drive, which makes it an effective attack device. However, most modern computers have a fuse or similar protection on the USB port, so it is less effective than it sounds: the most probable outcome is a damaged port with an intact motherboard. Mobile devices, industrial equipment and similar things with USB ports, on the other hand, may lack this kind of precaution.