BadUSB 101

In this article, we will discuss BadUSB, how to program it, and some offensive tricks of delivering it.

What is BadUSB?

It’s a bird? No

It’s a plane? No

It’s a USB? Maybe…

It’s a Mouse? Somehow…

It’s a Keyboard? Commonly yes…Wait what?

Basically, the BadUSB is an Arduino-backed device that can interpret a mouse and a keyboard.

Is it really used in real life?

If you can imagine, yes, the BadUSB was used and it is still being used in real-life scenarios. One of such examples would be the BestBuy attempt, where attackers multiple letters, where they attached those BadUSB devices, through postal delivery, as you can see below.

BadUSB versus Rubber Ducky

Rubber Ducky is better known than the BadUSB, but let’s see the real differences between those two.

BadUSB:

• Easier to find on the market
• Cheap (~$10)
• Slower
• Uses Digispark Scripts
• A bit buggy sometimes
• Used mostly for in-mass attacks (example: USB Drop Attacks)

You can find a lot of places where you can buy BadUSB devices, including eBay: https://www.ebay.com/itm/253017687273?hash=item3ae90784e9:g:g2MAAOSw6M9bpaSH

Rubber Ducky:

• Market availability is limited (Hard to get if you are outside the USA)
• Pretty expensive (~$60)
• Faster than BadUSB
• Uses DuckyScript as a programming language
• Used for targeted attacks

You can buy the Rubber Ducky from Hak5 official website (or through approved vendors) only: https://shop.hak5.org/products/usb-rubber-ducky-deluxe

How to program it