What is BadUSB and How to Avoid it

Can a single USB bring down an entire network? You might be surprised. Let’s review exactly what a BadUSB attack is and how you can prevent them from happening to you.

What is BadUSB?

In short, BadUSB disguises itself as a human interface device and covertly executes malicious commands or opens virus payloads on the target computer. This is done by exploiting a critical flaw deeply rooted in USB firmware that cannot be easily patched.

Rather than a hacker spending the time to open the command prompt, type in numerous commands, and open a reverse shell, they can simply plug in a BadUSB to do all the manual work in just a few seconds.

What makes BadUSBs even more dangerous is the fact that they are so easy to configure. For example, penetration testing products such as Hak5’s Rubber Ducky uses “Ducky Script,” which can be learned quickly, even by someone with no programming experience.

Products like MalDuino operate similarly but use the Arduino-based open-source platform to attack endpoints. MalDuino BadUSBs can even come with a small onboard computer with expandable microSD storage. This allows the attacker to launch and execute complete programs and services from the device.

BadUSBs can even be hidden inside innocuous-looking USB cables. These cables can facilitate data transfer and charging while executing a malicious script. Unfortunately, in a messy server room or desktop environment, many wouldn’t think to look twice at a spare USB cable.

One of the latest versions of BadUSB is called the OMG Cable, or Offensive MG Kit. The cable looks like a standard Wi-Fi cable but contains a hidden Wi-Fi microcontroller that can send payloads wirelessly through the device. It’s just like BadUSB, but one that a hacker could remotely control.

Lastly, wirelessly enabled BadUSBs can perform what is called a de-authentication attack on nearby wifi devices. These wifi deauths exploit inherent flaws in the wifi protocol to force users off the wireless network. This is more than just inconvenient, as the attacker can create a new fake rogue access point to trick users into connecting so their data can be stolen.

How do BadUSBs work?

BadUSBs exploit the trust computers have with human interface devices (HIDs). For example, when you plug in your keyboard, the computer automatically trusts the device as a piece of input hardware. Unfortunately, BadUSBs mimic an HID, so the computer is tricked into thinking the USB is a human behind a keyboard. This is an incredibly colossal oversight and is why BadUSBs are such a threat to networks.

If you try to run the same commands on a BadUSB through an executable or script file, they will likely be blocked. This is because adequately secured machines will scan and verify the author and contents before it is executed.

BadUSBs don’t need special hardware and can be either built at home or purchased from numerous websites. Any modern USB that supports overwriting and comes with a microcontroller can be turned into a BadUSB. The scripts used on BadUSBs are straightforward and similar to configuring a batch file but can be expanded to support more advanced languages such as JavaScript or C#.

BadUSB Capabilities

If you can type it on a keyboard, you can execute it on a BadUSB. Functions such as “wait,” “pause,” and keyboard shortcut commands can all be run via script. In many cases, attackers only need to open an elevated command prompt or execute a payload to compromise a machine fully.

Below is an example of a BadUSB opening notepad and typing “Hello World.” This is done in Ducky Script and some straightforward syntax.

GUI r

DELAY 50

STRING notepad.exe

ENTER

DELAY 100

STRING Hello World

ALT f

STRING s

REM alt-f pulls up the File menu, and s saves.

This flexibility and ease of use allow even inexperienced bad actors to carry out a potentially devastating attack in mere seconds. As you can imagine, there’s a ton you could do with a BadUSB, but how can you stop it?

How to prevent BadUSB attacks

Since BadUSBs mask themselves as keyboards, they are nearly possible to detect. A few programs, such as DuckHunter, can monitor single endpoints for these types of attacks. However, businesses will want to take a more organized approach to secure USB ports and implementing protection policies. So let’s take a look at a few ways you can prevent BadUSBs from infecting your network.

Lockdown local access

BadUSB attacks can be mitigated and sometimes prevented by implementing local solid security policies. These policies can be set via Group Policy, logon script, or manual registry edits.

Restricting access to an elevated command prompt can stop BadUSB attacks that open ports for malicious services. In some cases, users may never need access to the command prompt, and the option can be disabled completely.

You can set a password for any use of an elevated command prompt by modifying the registry:

  1. Access your Registry Editor by typing “regedit” in the start menu.
  2. Navigate to “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” and find “ConsentPomptBehaviorAdmin”
  3. Click Modify and change the Value Data to 1. Click OK.

Alternatively, you can prevent access to Command Prompt all together through group policy. This allows you to include or exclude specific user groups for this change. Skip step four if you use logon scripts or remote desktop services on that endpoint.

  1. Launch Group Policy Editor from your Windows Server environment.
  2. Navigate to “User Configuration > Administrative Templates > System.”
  3. Find “Prevent access to the command prompt” and Enable it.
  4. Find “Disable the command prompt script processing” and choose Yes.
  5. Click Apply.

Using these commands and ensuring users do not have unnecessary privileges on their machine can stop BadUSB attacks dead in their tracks.

Block access to USB ports

Another option is to block USB ports altogether. As you can imagine, this isn’t the best option if you want your users to stiletto use USB devices in the office still use USB devices in the office. These blockers are physically inserted into or over the port and locked with a key.

This approach is best for critical systems and machines dedicated to sensitive information. While an attacker is less likely to try and infect that machine, any committed bad actor with unsupervised access can bypass a USB blocker with a few simple tools.

Use behavior monitoring tools

As mentioned above, programs like DuckHunter can prevent automated scripting attacks via USB. This is done primarily by detecting when the keyboard is being used to type faster than humanly possible. Scripts execute commands exceptionally quickly, which is highly unnatural. The problem lies in these malicious payloads can implement before programs like DuckHunter identify the behavior and stop it.

Use enterprise device control

The best way for enterprises to stop BadUSB attacks at scale is to use specialized software for device control. This software implements multiple policies and monitoring techniques to prevent users from plugging in unverified devices.

Programs such as ManageEngine Device Control stop BadUSB attacks by creating a whitelist-only environment. The first stage of the process collects and identifies a list of all USB-enabled devices. Then, you can choose only to allow specific devices from this list, stopping anything that matches the approved list. This takes the opposite approach to USB access and creates a zero-trust environment for new devices.

Device Control gives you visibility into the types of USB devices that currently exist and what they are. For instance, you can quickly identify devices such as printers or iOS devices and set custom policies for each one. In addition, you can choose to receive alerts as well when a malicious device is detected. The alert lets you know that the attempt was blocked and provides details on what PC the attack originated from.

If users need to access an untrusted thumb drive for a project, administrators can allow limited or timed access to that device. In addition, each device can be set to allow read-only access or prevent files from being added to it. This will enable users to remain productive while still protecting against BadUSB attacks.

Battling BadUSBs

Unfortunately, BadUSB attacks are here to stay. But there are numerous ways to protect your environment from them. The simplest way to stop an automated USB attack is to secure your local desktop environment. Ensure all endpoints are patched, are running anti-virus, and restrict local admin access rights.

Consider implementing a DLP or device control system for companies looking to protect intellectual property and prevent data theft. While these tools are marketed more towards enterprise use, they provide robust security controls that help sysadmin scale their file and device monitoring efforts.

BadUSB FAQs

What does a BadUSB do?

BadUSB is a method of slipping malware onto a computer by hiding it in the firmware on a USB stick. When a USB device connects to a computer, it copies over its drivers to enable communication. This initial transfer of instructions can be used to install a package controller that will then install more malicious programs from the USB stick. Detection evasion methods and persistence routines can hide backups on the hard drive of the infected computer and insert registry entries to ensure that any malware that is deleted gets quickly reinstalled.

Can a rubber ducky be detected?

A rubber ducky is a USB stick that acts like a Human Interface Device (HID), which means the keyboards and mice that connect to a computer via a USB port. The rubber ducky acts like an automated keyboard, sending keystroke instructions to the operating system, thus launching programs and entering data just as though a user sat at the computer typing. Anti-virus systems don’t even check on the activity of rubber duckies because for all any program can tell, this is a valid peripheral device that the user has added.

What language do rubber duckys use?

A rubber ducky is a hacker device that can be used to breach a system and steal data. The device is a USB stick that instructs the computer that it attaches to that it is a Human Interface Device (HID), such as a keyboard or a mouse. This is a method to access accounts on the Web, such as internet banking, that have their credentials stored in the browser. The scripts that implement automated instructions are written in a language called DuckyScript, which is very easy to learn.