We built a flash drive that hacks any computer

3 years ago 1

ARTICLE AD BOX

Using a relatively cheap microcontroller and 3D-printed enclosure, we built a “BadUSB” device that tricks any PC you plug it into that it’s a keyboard.

It can be programmed to execute a series of keyboard commands, including ones that could let attackers steal data or damage systems.

A BadUSB is a device that looks like a flash drive but contains a microcontroller that can act as a malicious device when plugged into your computer.

One of the most popular BadUSB devices is the Hak5 Rubber Ducky, which can be programmed to automate a vast list of tasks, from automatically setting up a new computer to opening a remote connection for someone to take over your machine.

These are available from $59.99 (R1,038, excl. VAT), which makes them a bargain for any hacker or pentester, but it may be a bit much if you only want to see how it works.

We decided to build a similar device using a cheap, sub-R100 ATtiny85 development board available from various local suppliers.

The ATtiny85 is a microcontroller that can be programmed using the Arduino IDE, which offers a low barrier of entry.

A simple 3D-printed enclosure can make it look like a generic flash drive.

The DigiKeyboard library allows the board to present itself as a keyboard when plugged into a computer’s USB port.

This ‘keyboard’ can then execute a bunch of pre-programmed keystrokes and commands to perform tasks on the computer it is plugged into.

This may not sound very dangerous until you realise that a keyboard usually has the same privileges as the user sitting in front of a computer.

Some basic examples of what a BadUSB can do include a bunch of pranks to more advanced malicious scripts.

A simple prank is a Rickroll, easily opened by pressing Win+R and entering the video URL before pressing enter.

The same can be done to open any other website automatically — including ones that could try and phish login credentials.

It is also easy to open an administrator PowerShell window with Win+X, A, Left Alt+Y.

We used this to collect all the saved Wi-Fi passwords on a device, save them as a text file using comma-separated values, and email them to a predetermined address.

Some online examples also show how attackers can use a BadUSB device to install malicious software, such as a keylogger or create a remote connection to an external device.

Scripts are available that work on different operating systems — such as MacOS or Linux — as keyboards work the same, even if the shortcuts might be slightly different.

While a BadUSB can be a fun party trick, it does demonstrate how dangerous it can be to plug unknown USB devices into your machine.

It may be a USB drive someone left behind or a BadUSB that takes over your machine and steals all your information.