
Bad USBs Are The Reason Why You Shouldn’t Plug Just About Anything Into Your PC


It is common operational security practice not to plug unverified or potentially unsafe USB drives into a PC, as they can be loaded with malware. Today, we take antivirus software for granted and let it conduct malware checks, which leads individuals to be cavalier about plugging in USB devices.

However, USB devices can be used as attack vectors and/or footholds for attackers to gain access to the computer. This is seen in the TV show Mr. Robot, where USBs are used to gain access to a closed network. There even exists a completely cross-platform exploit hinging on an inherent issue of computer design: user input is trusted.

What Is A Bad USB?

To understand what a bad USB is, it is first important to understand how USB devices work. Each USB device has a USB-compliant microcontroller in it, from a mouse and keyboard to plug-in webcams and, most importantly, flash drives.

These microcontrollers interface with the computer to tell it which device is being connected, and each one is the single point of communication between its device and the computer. The microcontroller runs code known as ‘firmware’, which gives instructions on how to conduct all of its activities.

The bad USB exploit hinges on rewriting this firmware, which the computer can neither test nor see. Since the firmware conducts all communications to and from the device, rewriting it will make the device appear as something else to the computer.

One of the biggest attack vectors using the bad USB exploit is spoofing an HID. HID stands for human interface device and is the computer’s term for keyboards, mice and any other devices used to interact with the system.

To determine what kind of a device any plugged-in USB is, the computer will first query the ‘class code’ of the device. Then, drivers are installed and the device is ready to use. USB mass storage devices have a class code of 08h, while keyboards and other HIDs have a class code of 03h.

By engineering the firmware to send a different class code, it is possible to make a USB flash drive into a virtual keyboard. This is the form bad USB has taken today.
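The class-code check described above can also be used defensively. The following is an added example, not code from the original article: it walks the raw descriptor bytes a device returns at enumeration and flags a device believed to be a flash drive that also announces an HID interface. It assumes the standard USB layout in which the class code for these device types is carried in each interface descriptor; the function names and the sample descriptor bytes are constructed for illustration.

```python
USB_CLASS_HID = 0x03           # class code for keyboards and other HIDs
USB_CLASS_MASS_STORAGE = 0x08  # class code for flash drives
DT_INTERFACE = 0x04            # bDescriptorType of an interface descriptor

def interface_classes(blob):
    """Walk raw configuration descriptor bytes; return (class, subclass, protocol) per interface."""
    found, offset = [], 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError("truncated descriptor header")
        length, dtype = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol are bytes 5..7
            found.append(tuple(blob[offset + 5:offset + 8]))
        offset += length
    return found

def unexpected_hid(blob, expected_class=USB_CLASS_MASS_STORAGE):
    """Return the HID interfaces on a device the user expects to be `expected_class` only."""
    if expected_class == USB_CLASS_HID:
        return []
    return [i for i in interface_classes(blob) if i[0] == USB_CLASS_HID]

def build_config(interfaces):
    """Construct sample bytes: a configuration header plus one interface descriptor each."""
    body = b"".join(bytes([9, DT_INTERFACE, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(interfaces))
    total = 9 + len(body)
    header = bytes([9, 0x02, total & 0xFF, total >> 8, len(interfaces), 1, 0, 0x80, 50])
    return header + body

# Constructed samples: an ordinary flash drive, and a "flash drive" that also
# announces a boot keyboard (HID class 03h, subclass 01h, protocol 01h).
PLAIN_DRIVE = build_config([(0x08, 0x06, 0x50)])
DRIVE_PLUS_KEYBOARD = build_config([(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)])

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_DRIVE), ("suspect", DRIVE_PLUS_KEYBOARD)]:
        print(name, interface_classes(blob), unexpected_hid(blob))
```

A check like this only sees what the firmware chooses to report, so it catches a storage device that announces a keyboard but says nothing about what the firmware does afterwards.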

Existing Bad USB Implementations & Scope

Now, the device has been plugged into the user’s computer and has been registered as an HID. A script running on the flash drive can now emulate keystrokes that are considered completely legitimate by the computer because human input is given absolute trust.

In order to make this process easier and more accessible, a company known as Hak5 launched a device called the Rubber Ducky. It looks like a flash drive from the outside, but its firmware has been reprogrammed to make it appear as an HID.

In addition to this, there is a simple programming language that Hak5 created for use with this device, known as Ducky Script. This language is simple, yet powerful, and can perform a variety of functions in conjunction with the Bad USB.

There is even a web-based tool to encode and decode payloads, which come in a variety of settings. The Rubber Ducky can harvest information regarding the computer, user, installed programs, networks and even capture the screen.

There are also a variety of exploits, such as disabling the firewall, finding and FTPing a file to a server, opening a network port, starting a WiFi access point, allowing share access to the C Drive and much more.

Moreover, some bad USBs also come with WiFi capabilities for remote activations. Since almost all operating systems have keyboard shortcuts or input methods for a variety of system-critical tasks, the bad USB is a truly cross-platform attack vector.

This even includes macOS and Linux, which have long been considered more secure than Windows.

Potential Use-Cases

As seen by the above implementations for exploits, recon and footholds, bad USB is almost purpose-built for malicious attacks. Moreover, provided that a device has the right microcontroller, it can be reprogrammed to be a bad USB on the fly. This means that any old pen drive lying around can easily be used as one of the most powerful hacking tools to be created in modern times.

Ducky Script can be run on any microcontroller that supports it, meaning that the next bad USB could be right around the corner. Even though bad USB is very useful for malicious attacks, it can also be used for various non-malicious purposes. This includes use by sysadmins to set up large numbers of computers, as in a corporate rollout of a new OS.

Owing to the high frequency of keystrokes that the bad USB can put out (over 1,000 per second), it can be used to set up systems at a fast rate. Any other applications that require a large number of repetitive keystrokes can also be automated, even without installing third-party applications. By simply plugging in a USB drive, bad USB can give a malicious user complete control over a computer.
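The keystroke rate mentioned above is also what gives injected input away. The following is an added example, not part of the original article: it scans per-device key-press timestamps for runs that are too fast and too long to have been typed by hand. The event format, the device names, the sample data and the two thresholds (10 ms gap, 20 keys) are assumptions made for illustration.

```python
from collections import defaultdict

def injection_bursts(events, max_gap_ms=10, min_keys=20):
    """Find runs of keystrokes too fast and too long to be typed by hand.

    events: iterable of (timestamp_ms, device_id) key-press records.
    max_gap_ms and min_keys are assumed thresholds, to be tuned per site.
    """
    per_device = defaultdict(list)
    for ts, dev in sorted(events):
        per_device[dev].append(ts)
    findings = []
    for dev, ts in per_device.items():
        run_start = 0
        for i in range(1, len(ts) + 1):
            # A run ends at the last event or at the first human-sized gap.
            if i == len(ts) or ts[i] - ts[i - 1] >= max_gap_ms:
                count = i - run_start
                if count >= min_keys:
                    span_ms = max(ts[i - 1] - ts[run_start], 1)
                    findings.append({"device": dev, "start_ms": ts[run_start],
                                     "keys": count,
                                     "keys_per_second": round(count * 1000 / span_ms)})
                run_start = i
    return findings

# Constructed sample: a person typing on the built-in keyboard (150 ms apart),
# then a newly attached HID emitting 200 keys at 1 ms intervals.
HUMAN = [(t, "kbd-builtin") for t in range(0, 1500, 150)]
INJECTED = [(5000 + i, "usb-new-hid") for i in range(200)]
SAMPLE_EVENTS = HUMAN + INJECTED + [(8000, "kbd-builtin"), (8140, "kbd-builtin")]

if __name__ == "__main__":
    for finding in injection_bursts(SAMPLE_EVENTS):
        print(finding)
```

A payload that deliberately slows its typing would fall under these thresholds, so timing is one signal to combine with the class-code check rather than a complete defence.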


Anirudh VK

I am an AI enthusiast and love keeping up with the latest events in the space. I love video games and pizza.