Skip main navigation

Understanding USB Safety

In this video, you will learn about the dangers of harmful USB devices and how to guard against it to the best of your ability.
In this video, we’re talking about USB safety, and we’re going to be giving an example. So there’s a lot of different USB devices out there.
USB mice: USB drives, USB keyboards, USB devices that we could charge our phones and plug them in to our computers. But how safe are these devices? Now there’s a number of USB devices out there that could actually harm our computers and our entire network. One example is the USB rubber ducky, which I have here. Now the USB rubber ducky, you can actually make these. We use Arduino for about $15 also. But the way these devices work are, it’ll look like a USB device, especially the USB rubber ducky, it has a enclosure where it looks like any other USB device. And there was an example of this in one of the Mr. Robot episodes.
So in theory, I can take one of these things. I could drop it somewhere, maybe label it “payroll” or “Bitcoin wallet.” So a person will pick it up, plug it in their computer, and it will execute a payload. Now what makes this device unique is that once it plugs in, the computer will recognise it as a USB keyboard and start typing. Because of this, antiviruses will typically not pick this up because it’s actually looking for a crafted payload. Something like, if I took a USB device, which is also another threat, I can create a metasploit payload. Metasploit is a framework designed for penetration testing. So in that framework, I can create a PDF file.
Again, I can name it “Bitcoin wallet,” “payroll documentation,” anything that’s going to entice someone to open it up. And once a person actually clicks that PDF file, it could execute a payload. And I could have put a Trojan on the computer, remotely accessing the computer at any time. Now with the USB rubber ducky, again,
it operates as a keyboard: plug it in, it starts typing, antivirus won’t recognise it because I’m just typing a bunch of commands. And we’ll be taking a look at this as an example later. Other things like Kali NetHunter, NetHunter is Keli Linux that you can put on a mobile device, a phone, or a tablet. And one of the attacks on here is a USB human interface keyboard attack, which is the same thing as a USB rubber ducky or our Arduino kit, which would be a teensy, that you could execute that payload. Now other things out there– even USB cables like these here– they’re firewire cables for things like iPhone or even the Android cables.
They plug in and they do the same thing. They will execute a payload by typing out the commands just like the Arduino or USB rubber ducky. So obviously, all of these are very dangerous attacks. The use cases, I can go in. If a person has their computer facing outwards where I can get exposure to USB plug, if they’re not there, I could plug it in. In a matter of seconds, I could have a back door into their computer. Otherwise, if I do, say, a metasploit payload to use USB device. I can go into a business, go up to the front desk and say, “hey, I’m here for an interview.
Unfortunately, when I was walking up, I had my resume on one hand, a coffee in another. And someone bumped into me, spilled coffee over my resume. I have a USB device with my resume on here. Would you please plug this in and print out my resume? I really need this for this job. It’s only two pages. Could you please print it out?” And when the person plugs the USB device and clicks on that PDF file, the PDF file will probably be blank, maybe come up with an error message. But once they click on it, then it would put a reverse door in.
So again, all these are examples of bad things that could happen by an exposed USB port or by picking up an unknown device and plugging it into a computer. So let’s actually take a look at that. Let’s take a look at that example. I’m going to plug this USB rubber ducky in real quick. We’ll give that a second. And I put a slight delay on the USB rubber ducky. Just in case the computer needs time to actually load the USB drivers for this. So here we go. And it launches a Rick Astley video.
So the payload I created– you plug the USB device in, it goes in the run bar, it opens a browser, launches this Rick Astley video, and auto-plays it. It has the volume up. So this could have been anything. This could have been, again, a reverse door. I could have created more accounts on the computer, admin accounts. I could have exfiltrated username and passwords, password hashes, anything I could type on the keyboard, it would actually execute here. So you can see how dangerous it was. And again, it did take a few seconds for it to start. But again, that was only because I put a delay on the USB rubber ducky from starting.
If I plugged the USB device in and it’s going to recognise it immediately, I could have had the thing execute immediately. And the rate this thing types is around, I want to say 100 characters a second. So it types insanely fast. I can do quite a bit of code execute it in a matter of a second or two. So as you can see, these are really dangerous tacks. And this is why you really need to protect your USB port on your computer. Now different ways you can protect your USB ports on your computer, you could do things like, the easy way is, have your ports protected.
If you have a desktop, make sure your computer is situated in a way where people can’t just walk up and take a look at it.

In this video, you will learn about the dangers of harmful USB devices and how to guard against them to the best of your ability.

Once you’ve watched the video, go through the following list of additional actions you can take to secure yourself against malicious USB devices:

  • keep your computer ports safe by limiting access
  • never plug in unknown USB devices
  • devise and implement a USB policy

Reflect and share: One action item to include in a USB policy could be to report unknown USB devices to your IT department. Your IT department can then assess whether they may be harmful. What are some other actions you could include in a USB safety policy? Share below.

This article is from the free online

Cyber Security Foundations: Why Cyber Security is Important

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education