Guide | How To A Comprehensive Protection of USB Ports/Devices


HarborFront

Oct 9, 2016
29 different types of USB attacks are listed below, even one type which can break out of a virtual machine

Here's a List of 29 Different Types of USB Attacks - Guardian360

In short, no USB device inserted means you are protected, right? Wrong! MouseJack is a class of vulnerabilities that affect most of the wireless, non-Bluetooth keyboards and mice. Read the last part on this topic.


Let’s look at some of the common USB attacks.

BadUSB

BadUSB is a type of computer security attack that uses USB devices pre-programmed (modified firmware) with malicious code. These USBs are often disguised as regular flash drives but contain malicious code that can be used to infect computers or networks. When plugged into a computer, the malicious code is activated and can be used to take control of the system or gain access to sensitive data. The hack utilizes a security flaw in the USB that allows an attacker to insert malicious code into their firmware, transforming it into a keyboard which can be used to type commands harming the victim’s computer. It can also be used to physically damage computers by corrupting the system’s hard drive or frying the motherboard. BadUSB disguises itself as a human interface device (HID) and covertly executes malicious commands or opens virus payloads on the target computer. One prevention is to disable autorun features on all connected systems so that any potential threats cannot automatically execute themselves upon connection without user intervention first being required.

BadUSB can act like different input/output devices, such as a physical keyboard, mouse, network adapter, phone, tablet, webcam, or authentication token. For example, if it pretends it is a keyboard or mouse, the malicious software can inject keystrokes and mouse clicks, performing multiple actions on the computer, like launching Microsoft Outlook and sending an e-mail to a certain address, with attached files from the user’s computer. If it pretends it is an authentication token, a BadUSB would force the computer to prompt for a token password, which can then be stored on the flash drive and retrieved later.

Software that protects against BadUSB includes HitmanPro.Alert, Kaspersky, G-DATA USB Keyboard Guard and DuckHunter.

USB Killer

A USB Killer is a USB drive that has been modified to deliver an electrical surge that can damage or destroy hardware when the altered thumb drive is inserted into a computer's USB port. The modified drive essentially commands the computer's on-board capacitors to rapidly charge and discharge repeatedly. If left alone, the repeated overcharging will overload the USB port and physically destroy the computer's electrical system.

Essentially, a USB Killer works by delivering 210-220 volts to an interface that is designed for 5 volts. The overpowered surge can damage or destroy not only ports, but also attached hardware. It’s a kind of BadUSB.

USB Rubber Ducky

It is a small USB device (e.g. flash drive) that emulates (pretends to be) a USB keyboard and can type on its own at very high speeds, i.e. it executes pre-defined keystrokes. Because most, if not all, OSes trust keyboards automatically, it is hard to protect oneself from these attacks.

USB Bash Bunny

Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. That means the target computer sees the Bash Bunny not as an ordinary flash drive, but as a USB Ethernet Adapter connected to a network. It's a network of two – the Bash Bunny and your target – and once connected, you'll have direct access to the target bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.

This is done in such a way that allows the Bash Bunny to be recognized on the victim computer as the fastest network, without drivers, automatically – locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trust the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure.

Bash Bunny is a more effective method as compared to Rubber Ducky. The USB Rubber Ducky injects keystrokes at superhuman speeds, violating the inherent trust computers have in humans by posing as a keyboard. Bash Bunny simultaneously mimics multiple trusted devices to trick targets into divulging sensitive information without triggering defenses. Aside from emulating a keyboard, Bash Bunny can also be one of the following:
  • Serial Device
  • Ethernet Device
  • USB Mass Storage
  • HID (Human Interface Device)
Some methods of preventing Bash Bunny attacks are included below.

If USB flash drives/SSDs are used on your PC/laptop/phone then malware infection is a non-issue since the drives are scanned upon insertion by the AV from your PC/laptop/phone.

If USB flash drives are to be used on others' PCs/laptops/phones, or the latter are used in public places, then some of the following protections are required:

a) Ensure USB-C ports are certified under the USB Type-C Authentication Program – to protect against bad chargers, cables and devices, i.e. against malicious firmware and hardware attached to USB devices.
b) Juice Jacking – A compromised public wall outlet/charging station/hub is infected with malware and has full access to your phone/laptop/tablet data. To prevent it, use a USB Data Blocker. It is for charging only and blocks hackers' access, data theft and malware transmission.
c) Use physical port blockers on your laptop, especially in public places, to prevent unauthorized access to the USB ports if you are away for some time, i.e. prevent malware spreading, USB Killer, Rubber Ducky and BadUSB. Physically blocking ports involves no software and acts as a first layer of protection. The downside is that you need to pay for and carry the key to unblock the USB locks.
d) Install G-DATA USB Keyboard Guard (against BadUSB), DuckHunter (against RubberDucky) and Penteract Disguised-Keyboard Detector 2 on your PC/laptop. This acts as a second layer of protection.

Note: DuckHunter helps to prevent any type of automated keystroke injection attack.

Physically blocking ports c) together with software d) provides great protection against the abovementioned attacks.

e) USB Device Control – To protect against data loss and data theft by monitoring and controlling data transfers from endpoints to removable storage devices, e.g. giving Read/Write access rights to USB devices, blocking/disabling USB ports through registry/GPO/BIOS/USB device manager settings or third-party USB Blocker Software. Set USB flash drives to ‘Read-Only’ mode for root. Create a WRITE folder and set it to Read/Write mode.
f) Turn AutoPlay on the PC/laptop to OFF.
g) Always software lock the PC/laptop to prevent unauthorised login, especially in public places. That's because most BadUSBs are 'dumb' and just blindly send keystrokes according to their programming. So, they cannot detect if they are stuck in a password prompt.
h) Keep AV/AM up to date. It will not scan the firmware but it should (or maybe not) detect if the BadUSB tries to install or run malware, hopefully not too late.
i) Enforce a USB malware scan of any inserted USB flash drive/SSD.
j) Always scan an unknown USB device before use.
k) Always use passwords and encryption on your USB drive as an extra layer of protection for your data; make sure you have this information backed up in case something happens to your drive.
l) Install ESET DriveSecurity AV on USB flash drives.
m) Run USB flash drives in a VM.

MouseJack

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to rapidly perform malicious activities without being detected.

The MouseJack exploit centres around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them.

Note: MouseJack only affects non-Bluetooth wireless devices.

Solution: Use Bluetooth Mouse/Keyboard or onboard Keyboard/Keypad

MouseJack FAQ — Bastille
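The Bash Bunny section above describes one device presenting several trusted device classes at once, and point e) describes USB device control. As an added example (not part of the original post, and not the logic of any product named in it), this Python check audits USB interface classes against a role allowlist; the `ALLOWED` policy, the device records and the port names are assumptions constructed for illustration.

```python
# bInterfaceClass codes (USB-IF) for the device types named in the post.
CLASS_NAMES = {
    0x02: "CDC control (serial/Ethernet)",
    0x03: "HID (keyboard/mouse)",
    0x08: "mass storage",
    0x0A: "CDC data",
    0xE0: "wireless controller (some RNDIS Ethernet)",
}
NETWORK = {0x02, 0x0A, 0xE0}

# Hypothetical policy: interface classes each labelled role may expose.
ALLOWED = {
    "flash drive": {0x08},
    "keyboard": {0x03},
    "ethernet adapter": NETWORK,
}

def audit(device):
    """Return findings for one device dict: name, role, interface_classes."""
    seen = set(device["interface_classes"])
    allowed = ALLOWED.get(device["role"], set())
    findings = [
        f"{device['name']}: {device['role']} exposes unexpected "
        f"{CLASS_NAMES.get(c, hex(c))} interface"
        for c in sorted(seen - allowed)
    ]
    # A device that can both type and route traffic is worth a separate flag.
    if 0x03 in seen and seen & NETWORK:
        findings.append(
            f"{device['name']}: keystroke and network interfaces on one device")
    return findings

# Constructed inventory. On Linux the real values can be read from
# /sys/bus/usb/devices/*/bInterfaceClass (hexadecimal, one file per interface).
DEVICES = [
    {"name": "port1", "role": "flash drive", "interface_classes": [0x08]},
    {"name": "port2", "role": "flash drive", "interface_classes": [0x08, 0x03]},
    {"name": "port3", "role": "flash drive",
     "interface_classes": [0x03, 0x02, 0x0A]},
]

if __name__ == "__main__":
    for dev in DEVICES:
        for line in audit(dev):
            print(line)
```
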
 
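The post above notes that keystroke-injection devices type at superhuman speeds. As an added example (not part of the original post, and not the actual algorithm of DuckHunter or any other tool it names), this Python sketch flags runs of keystrokes whose inter-key gaps are too short for a person; the two thresholds and the sample events are assumptions constructed for illustration.

```python
MIN_HUMAN_GAP_MS = 30   # assumption: sustained gaps below this are not human typing
MIN_BURST_KEYS = 8      # assumption: ignore short rolls such as fast double letters

def find_injected_bursts(events, min_gap_ms=MIN_HUMAN_GAP_MS,
                         min_keys=MIN_BURST_KEYS):
    """Return (start_ms, end_ms, text) for each run of at least `min_keys`
    keystrokes in which every inter-key gap is shorter than `min_gap_ms`.

    events: list of (timestamp_ms, key) tuples in chronological order.
    """
    bursts, run = [], []
    for ts, key in events:
        # A human-length pause ends the current run.
        if run and ts - run[-1][0] >= min_gap_ms:
            _flush(run, min_keys, bursts)
            run = []
        run.append((ts, key))
    _flush(run, min_keys, bursts)
    return bursts

def _flush(run, min_keys, bursts):
    """Record the run as a burst if it is long enough to be suspicious."""
    if len(run) >= min_keys:
        bursts.append((run[0][0], run[-1][0], "".join(k for _, k in run)))

def make_events(text, start_ms, gap_ms):
    """Build constructed keystroke events with a fixed inter-key gap."""
    return [(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]

# Constructed sample: a person types at about 150 ms per key, a device then
# emits 17 keys 4 ms apart, and the person resumes typing.
SAMPLE = (make_events("hello ", 0, 150)
          + make_events("constructed-burst", 2000, 4)
          + make_events(" world", 3000, 160))

if __name__ == "__main__":
    for start, end, text in find_injected_bursts(SAMPLE):
        print(f"suspicious burst {start}-{end} ms: {text!r}")
```

A fixed threshold like this can misfire on paste-style input from legitimate tools such as barcode scanners or password managers that type, so the flagged text should be reviewed rather than blocked blindly.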

HarborFront

Just to add.

Beware of modified cables offered to you for charging your device. Always use your own charging/data cables.

USBHarpoon Is a BadUSB Attack with A Twist

Quote

Protecting against attacks that rely on a USB connection is not easy. A potential answer is to use a data-blocking device, also known as USB condom. An electronic accessory like this blocks the data pins on a USB cable and allows only power to go through.

Unquote

This has been pointed out in the starting post under point b).
 

HarborFront

Another thing related to the USB port is using a USB flash drive to bypass Windows login passwords as below





The best method of protection is to have non-password login and an encryption boot-up password for the drives inside your laptop (BitLocker Drive Encryption).

Using policy to prevent USB flash drive insertion will not work as the policy can only disable the USB after boot. Neither will the use of port blockers. With care, a hacker can remove the port blockers without causing damage to the USB ports. Using the BIOS to disable USB ports is not effective either, as the BIOS can be factory reset, the CMOS battery can be removed, or some pins on the motherboard can be jumpered.
 
