Fact-checked by Grok 2 weeks ago

BadUSB

BadUSB is a class of computer security exploits that target the reprogrammable firmware in USB device controllers, allowing malicious actors to transform ordinary peripherals—such as flash drives, keyboards, or webcams—into deceptive attack vectors that mimic trusted hardware while executing unauthorized commands, such as keystroke injection or network traffic manipulation.^[1] This vulnerability stems from the inherent design of USB controllers, which use small microprocessors (often based on architectures like the 8051) running custom firmware to interface with host systems, a feature intended for functionality but lacking robust security protections against tampering.^[2] The concept was first publicly disclosed in 2014 by security researchers Karsten Nohl, Sascha Krißler, and Jakob Lell at SRLabs, during a presentation at the Black Hat USA conference titled "BadUSB: On Accessories That Turn Evil."^[3] Their research demonstrated that reverse-engineering and patching USB firmware is feasible with relatively modest resources—taking less than two months for initial prototypes—and can be achieved using tools like custom linker scripts to inject malicious code without altering the device's external appearance or detection by standard antivirus software.^[2] This reprogrammed firmware persists even after OS reinstalls, making infections stealthy and difficult to eradicate through conventional means.^[1] Key attack scenarios include emulating human interface devices (HIDs) to inject keystrokes that steal credentials, escalate privileges (e.g., exploiting sudo on Linux systems), or install backdoors; spoofing network interfaces to redirect DNS queries or perform man-in-the-middle attacks; and hiding data in unexpected storage partitions.^[2] For instance, a compromised USB stick could masquerade as a keyboard to type commands that download malware, while a webcam might be turned into a persistent listener on Linux hosts, as shown in recent variants like BadCam.^[4] As a fundamental flaw in the USB standard, BadUSB cannot be fully patched via software updates alone, since it resides in hardware-level firmware that manufacturers rarely secure or verify post-production.^[1] Implications extend to billions of deployed devices, amplifying risks in shared environments like offices or public charging stations, where USB ports serve as trusted entry points for malware.^[5] Proposed mitigations include hardware-based whitelisting of device IDs, runtime firmware integrity checks, disabling unnecessary USB features, or physical isolation of peripherals, though widespread adoption remains limited due to usability trade-offs and the ecosystem's scale.^[2] Ongoing research in 2025 highlights its persistence, with new tools like ByteBait simulating attacks for training and phishing campaigns exploiting it increasingly.^[6]

Introduction

Definition and Scope

BadUSB is a class of security vulnerability that exploits the reprogrammable firmware in USB devices, allowing attackers to alter the device's behavior so that it impersonates trusted hardware components, such as keyboards or network adapters, to execute malicious actions without triggering conventional detection mechanisms like antivirus software.^[2] This firmware manipulation enables the device to register with a host computer under false pretenses, leveraging the inherent trust placed in USB peripherals during the plug-and-play enumeration process, where devices self-identify without mandatory authentication.^[2] First conceptualized and demonstrated by researchers at SRLabs at Black Hat USA 2014, BadUSB highlights the risks of USB's design philosophy, which prioritizes convenience over rigorous security verification.^[2] The scope of devices potentially affected by BadUSB encompasses a wide range of USB-enabled hardware that relies on microcontroller-based controllers with updatable firmware, including flash drives, keyboards, mice, external hard drives, webcams, and embedded systems in various consumer electronics.^[2] These vulnerabilities primarily target USB controllers from manufacturers such as Phison and Cypress, which manage device communication and can be reprogrammed to alter class descriptors during connection.^[7] At its core, BadUSB exploits the USB Human Interface Device (HID) protocol, which allows devices to emulate input peripherals like keyboards for command injection, or other classes like storage or Ethernet adapters, thereby bypassing host-level security controls that assume device legitimacy.^[2] Unlike traditional USB-based malware, which depends on user-executed files or autorun features stored on the device's storage medium and can be scanned or blocked by endpoint protection tools, BadUSB operates at the firmware level to achieve greater persistence and stealth.^[5] Firmware hijacking in BadUSB does not require exploiting software vulnerabilities in the host operating system; instead, it abuses the hardware trust model, allowing the altered device to survive reformatting, OS reinstalls, or even physical storage wipes, as the malicious code resides in the non-volatile controller memory.^[2] This fundamental difference underscores BadUSB's threat as a supply-chain or physical-access vector that undermines the foundational assumption of USB device integrity.^[8]

Discovery and Initial Impact

BadUSB was first identified in 2014 by German researchers Karsten Nohl, Sascha Krißler, and Jakob Lell at Security Research Labs (SRLabs), a Berlin-based cybersecurity firm. Their work revealed fundamental vulnerabilities in USB device firmware that allow malicious reprogramming, enabling devices to masquerade as trusted peripherals. The researchers publicly demonstrated the attack at the Black Hat USA conference in Las Vegas on August 6, 2014, where they presented a talk titled "BadUSB: On Accessories that Turn Evil," accompanied by a detailed whitepaper and video.^[1]^[3]^[9] In the demonstration, Nohl, Krißler, and Lell reprogrammed the firmware of a low-cost USB device—functionally akin to a USB Rubber Ducky—to emulate a keyboard, allowing it to rapidly inject arbitrary commands into a connected computer, such as downloading malware or exfiltrating data. This proof-of-concept highlighted the attack's stealth: it operated at the hardware level, evading traditional antivirus software and persisting even after operating system reinstalls. At the time of disclosure, no specific software patches existed to mitigate the issue, and the vulnerability potentially affected the firmware in billions of USB devices globally, from flash drives to keyboards and smartphones.^[10] The revelation triggered immediate and widespread alarm across the technology and security communities, emphasizing the pervasive risks of USB's trust model, where hosts blindly accept device claims without verification. It underscored threats to air-gapped networks, as malicious USBs could bridge isolated systems by impersonating input devices, and raised concerns about supply chain compromises in hardware manufacturing. Security experts noted parallels to advanced persistent threats like those attributed to state actors.^[11] Media outlets quickly amplified the findings, with in-depth coverage in Wired detailing the attack's implications for everyday computing and BBC News reporting on the lack of defenses against such firmware exploits. The exposure prompted the USB Implementers Forum to recommend sourcing devices from trusted vendors and spurred follow-up testing by SRLabs on controller chips from eight major manufacturers, revealing inconsistent protections across the ecosystem. While companies like Microsoft and Apple initiated reviews of their USB protocol stacks in response to the publicity, no comprehensive, universal fix emerged in the immediate aftermath, leaving the industry to grapple with ad-hoc mitigations.^[11]^[12]^[13]

Technical Mechanism

USB Firmware Vulnerabilities

USB devices rely on microcontrollers, such as those based on the 8051 architecture, to manage device enumeration, communication protocols, and data handling. These microcontrollers execute firmware stored in non-volatile memory like ROM or EEPROM, which includes a bootloader, USB controller logic, and application code that remains hidden from the end user. Firmware in these devices is designed to be updatable to support new features or fix bugs, but many lack secure boot mechanisms or digital signing requirements, allowing unauthorized overwriting with malicious code through standard USB update protocols.^[14] A core protocol weakness in USB lies in its class-based identification system, where devices self-report their type—such as Human Interface Device (HID) class 0x03 for keyboards or mass storage class 0x08—via descriptors during enumeration without any cryptographic verification from the host. This trust model enables attackers to reprogram firmware to alter these descriptors, effectively reclassifying a storage device as an input device or network adapter, exploiting the USB plug-and-play mechanism that automatically trusts and installs drivers for enumerated classes.^[14] Vulnerabilities have been demonstrated in controller chips from manufacturers such as Phison (fully vulnerable) and Alcor (mixed results), which power many USB flash drives, external hard drives, and peripherals. These chips often expose interfaces such as JTAG for debugging or use weak firmware update mechanisms that do not validate incoming code, permitting attackers to dump existing firmware by sniffing USB traffic with tools like Wireshark, replaying SCSI commands, and reflashing modified versions using disassemblers and patching tools. For instance, researchers reversed and patched Phison firmware in under two months by leveraging leaked binaries and open update processes.^[14]^[13] The persistence of malicious firmware stems from its storage in dedicated ROM or EEPROM separate from the user-accessible filesystem, ensuring it survives device resets, reformatting, or even OS-level antivirus scans. This separation allows the firmware to fingerprint the host's OS or BIOS and behave differently—appearing benign to security tools while delivering payloads to targeted systems—rendering traditional data-wiping ineffective against the vulnerability.^[14]

Attack Execution Process

In the preparation phase of a BadUSB attack, the attacker reprograms the firmware of a legitimate USB device, such as a thumb drive, to embed malicious payloads. This involves reverse-engineering the device's USB controller firmware, often obtained from manufacturer leaks or sniffed during updates, using disassemblers, heuristics to identify code entry points, and tools like hex editors for direct binary modification or custom patching software to inject code written in C or assembly.^[1] The reprogramming exploits the lack of authentication or encryption in most USB firmware, allowing attackers to alter device behavior without specialized hardware; this process typically requires less than two months for common devices.^[1] During execution, the compromised USB device is inserted into the target computer, where it enumerates as a trusted device class, such as a Human Interface Device (HID) like a keyboard, leveraging the USB protocol's inherent trust model to bypass operating system validation. The malicious firmware immediately activates the payload, emulating rapid inputs that a human user could not replicate; for example, it can open a command shell (e.g., cmd.exe on Windows) and inject keystrokes to execute scripts for credential theft, network reconfiguration, or establishing persistence. In hybrid attacks, the device may initially appear as mass storage to deliver files while simultaneously emulating HID for command injection, though pure HID emulation avoids mounting visible drives to reduce detection risk.^[1] Representative payloads focus on keystroke injection for efficiency and stealth. One common example emulates keyboard input to launch a command shell and download malware from a remote site. More advanced payloads from early demonstrations include emulating a keyboard to capture sensitive inputs like sudo passwords by loading a malicious library, or spoofing an Ethernet adapter to redirect DNS queries to an attacker-controlled server for man-in-the-middle attacks.^[1] Technical nuances enhance the attack's effectiveness and evasion. Payload delivery occurs at high speed—far exceeding human typing rates—enabling full execution in seconds. To evade detection, the firmware can fingerprint the target operating system or BIOS to conditionally suppress visible actions, such as avoiding unnecessary drive mounts that might trigger antivirus scans, while presenting innocuous content if probed.^[1]

History and Development

Initial Demonstration

The initial demonstration of BadUSB occurred at the Black Hat USA 2014 conference in Las Vegas, where researchers Karsten Nohl, Sascha Krißler, and Jakob Lell from Security Research Labs (SRLabs) presented their findings on USB firmware vulnerabilities.^[3] During the session titled "BadUSB: On Accessories that Turn Evil," Nohl and Lell showcased a live proof-of-concept attack using a reprogrammed USB thumb drive connected to a test computer running Windows or Linux.^[10] The device emulated a keyboard to automatically execute commands, such as altering DNS settings or installing backdoor software, thereby hijacking the host system without user interaction or detectable malware on the storage partition.^[15] This demonstration highlighted the attack's stealth, as the USB appeared as a legitimate storage device while covertly performing malicious actions like DHCP spoofing to redirect network traffic.^[14] The methodology involved reverse-engineering the firmware of commercial USB controllers from multiple vendors, revealing that many allowed unsigned or weakly authenticated updates via custom SCSI commands. Nohl, Krißler, and Lell disassembled the proprietary firmware using heuristics and scripting tools to identify reprogrammable microcontrollers, then developed a proof-of-concept toolkit to patch and deploy malicious payloads.^[14] They emphasized supply chain risks, noting that attackers could pre-compromise devices during manufacturing or distribution, turning innocuous accessories into persistent threats that evade traditional antivirus detection.^[10] The approach was vendor-agnostic, applicable to a wide range of USB thumb drives and even Android phones acting as peripherals, demonstrating the broad scope of the vulnerability.^[15] The presentation introduced the term "BadUSB" to the cybersecurity community, rapidly establishing it as a standard reference for firmware-based USB attacks.^[3] No such exploits were known in the wild prior to 2014, marking this as a novel class of hardware-level threat. Accompanying whitepaper-style slides outlined the risks to billions of USB devices in circulation at the time, underscoring the potential for widespread compromise across consumer and enterprise environments.^[14]

Evolution and Modern Variants

Following the initial 2014 demonstration of BadUSB vulnerabilities, the attack technique saw significant evolution through the proliferation of open-source tools and hardware emulators in the mid-2010s. The USB Rubber Ducky, developed by Hak5 and initially released in 2010, became a cornerstone for BadUSB-style attacks by emulating a keyboard to inject payloads via DuckyScript, with ongoing updates enhancing its scripting capabilities for penetration testing throughout the decade.^[16] Similarly, numerous BadUSB payload libraries emerged on GitHub, providing customizable scripts for keystroke injection and command execution, fostering community-driven advancements in attack automation.^[17] Integration with established penetration testing frameworks further propelled BadUSB's development.^[18] By the late 2010s, devices like the Flipper Zero, released in 2020, introduced portable BadUSB emulation capabilities, allowing users to execute DuckyScript payloads directly from a multi-tool hardware platform, thereby democratizing access to such attacks for ethical hacking and research.^[19] This shift marked a transition toward more versatile, multi-interface tools, including combinations with Bluetooth for wireless payload delivery via applications like BadBT on Flipper Zero, enabling remote keystroke injection without physical USB connection.^[20] In the 2016-2020 period, USB device manufacturers responded to BadUSB risks by implementing firmware signing protocols, such as RSA-2048 digital signatures on drives like the Kanguru FlashTrust, to prevent unauthorized modifications and enhance supply-chain security.^[21] By 2025, modern variants extended BadUSB beyond traditional storage devices, exemplified by the BadCam vulnerabilities (CVE-2025-4371) in Lenovo's Linux-based 510 FHD and Performance FHD webcams, which allow remote attackers to reflash firmware and perform persistent keystroke injection as a BadUSB proxy.^[22] Complementary tools like the ByteBait USB toolkit emerged for simulating BadUSB phishing campaigns in controlled environments, supporting research into multi-stage attacks that mimic legitimate device behaviors for credential harvesting.^[6] Recent research highlights ongoing evolutions toward hybrid threats in interconnected ecosystems, with 2025 studies like NoBU exploring cyber-physical detection of BadUSB payloads in IoT contexts through keystroke-induced vibrations, underscoring the technique's adaptation to persistent, device-agnostic exploits.^[23]

Security Implications

Types of Exploits

BadUSB exploits primarily leverage the reprogrammable nature of USB device firmware to perform unauthorized actions on connected hosts, bypassing traditional security measures by operating at the hardware level. These attacks can be categorized into several key types, each exploiting the trust inherent in USB peripherals to achieve malicious objectives such as data theft, system compromise, or network manipulation.^[14] Keystroke injection represents the most straightforward and prevalent BadUSB exploit, where the compromised device emulates a human interface device (HID), such as a keyboard, to simulate user input and execute arbitrary commands on the host system. For instance, upon connection, the device can rapidly type shell commands to download and install malware, modify system configurations like DNS settings to redirect traffic to attacker-controlled servers, or even capture sensitive credentials such as sudo passwords on Unix-like systems. This method exploits the automatic trust granted to HID devices, allowing attackers to gain initial access without requiring user interaction beyond plugging in the device.^[14] Device impersonation extends the attack surface by enabling the USB device to masquerade as multiple or alternative device classes beyond its original function, such as posing as a network adapter or mass storage device. In this vector, a seemingly innocuous USB flash drive might simultaneously register as an Ethernet adapter to perform man-in-the-middle attacks by intercepting and altering network traffic, or emulate a storage device to trigger autorun mechanisms for malware deployment. Hybrid attacks combine these capabilities, for example, using HID emulation for command execution while presenting a storage interface to exfiltrate data, thereby amplifying the exploit's versatility and stealth.^[14] Persistence mechanisms ensure the longevity of BadUSB infections by embedding rootkits directly into the device's firmware, allowing repeated malicious operations even after apparent disinfection or reformatting attempts. Firmware-level modifications can hide payloads that activate on subsequent connections, such as infecting the host's boot sector with a secret partition containing a rootkit, which loads before the operating system and evades antivirus scans. This rooting technique renders the device a persistent threat vector, as standard user-level cleaning cannot access or alter the low-level firmware code.^[14] BadUSB exploits often integrate with social engineering tactics to facilitate initial physical access, such as leaving "lost" USB drives in high-traffic areas to entice curious users to insert them into their systems, exploiting human curiosity and the perceived low risk of peripherals. Additionally, the scalability of these attacks is heightened through supply chain compromises, where malicious devices can be introduced and distributed on a large scale without detection.^[14]^[24]

Real-World Applications and Incidents

BadUSB attacks have been employed by cybercriminals in targeted campaigns requiring physical access, such as mailing malicious USB devices to victims. In 2020, the cybercrime group FIN7, known for point-of-sale malware operations exceeding $1 billion in fraud, targeted U.S. hospitality, retail, and defense sectors by sending USB dongles disguised as promotional items; upon insertion, these devices emulated keyboards to execute commands and install malware.^[25]^[26] The FBI issued alerts in 2020 and 2022 highlighting FIN7's use of BadUSB for initial access, often combined with phishing to increase success rates.^[27] Notable incidents underscore the technique's potency in real-world breaches. A 2020 attack on a U.S. hospitality provider involved a mailed USB that, once plugged in, used BadUSB to bypass antivirus and deploy ransomware, marking one of the earliest confirmed wild deployments.^[25] In August 2025, researchers at Eclypsium disclosed "BadCam" vulnerabilities (CVE-2025-4371) in Linux-based Lenovo 510 FHD and Performance FHD webcams, allowing remote attackers to flash malicious firmware and repurpose the devices as persistent BadUSB tools for keystroke injection or data exfiltration in corporate networks.^[22]^[28] This exploit highlighted evolving threats where everyday peripherals could be weaponized without physical tampering. BadUSB is a staple in physical penetration testing and red teaming exercises, simulating insider threats or social engineering scenarios. Penetration testers frequently use devices like USB Rubber Ducky or Flipper Zero to demonstrate rapid system compromise, injecting payloads in seconds to highlight gaps in endpoint security.^[29] These tools enable ethical hackers to mimic criminal tactics, such as dropping infected USBs in parking lots to test employee policies, emphasizing risks from unvetted physical media. State-sponsored actors have incorporated USB-based attacks, including BadUSB variants, in geopolitical operations. Verizon's 2025 Data Breach Investigations Report documented Russia-aligned advanced persistent threats (APTs) deploying USB malware against Ukrainian targets in February 2025, exploiting physical vectors for initial access.^[30] Despite such cases, BadUSB has not caused mass outbreaks due to its reliance on physical proximity, limiting scalability compared to remote exploits; however, it remains highly impactful in high-security environments like air-gapped networks, where USB ports serve as the primary data bridge.^[10] The report also noted 149 lost or stolen asset incidents leading to 122 breaches in 2024-2025, with internal actors responsible for 73%, often involving removable media as an entry point.^[31]

Mitigation and Prevention

Software-Based Defenses

Software-based defenses against BadUSB attacks operate at the operating system and application levels, focusing on detection, policy enforcement, and behavioral monitoring to prevent unauthorized USB device actions without requiring hardware changes. These measures include built-in OS features for device authorization, endpoint protection platforms that analyze USB traffic, and administrative policies to limit automatic execution and unsigned drivers. By enforcing whitelisting, scanning for anomalies, and logging device interactions, such defenses mitigate the risks posed by USB devices masquerading as trusted peripherals like keyboards. In Windows, Microsoft Defender for Endpoint provides protections for USB and removable devices through real-time scanning and Attack Surface Reduction rules that block exploits targeting USB interactions. Device Guard, now integrated into Windows Security features, enforces code integrity policies requiring signed drivers, preventing the loading of malicious unsigned USB drivers commonly used in BadUSB scenarios. Additionally, reducing the window for automated attacks can be achieved through policies delaying device activation or requiring user approval on compatible hardware like Surface devices. Linux systems utilize USBGuard, a software framework that implements a policy engine for authorizing USB devices based on whitelisting and blacklisting rules defined by device attributes such as vendor ID, product ID, and class. This engine, enforced via a kernel module and daemon, allows administrators to permit only approved device classes—such as storage or HID—while blocking unauthorized ones, effectively countering BadUSB by denying access to rogue devices during enumeration. For macOS, enterprise deployments can leverage Mobile Device Management (MDM) profiles to restrict USB accessory connections and enforce approval prompts, though built-in protections primarily rely on System Integrity Protection to limit kernel-level exploits from USB inputs. Endpoint protection tools enhance these OS capabilities by monitoring for anomalous behavior indicative of BadUSB. CrowdStrike Falcon Device Control offers granular visibility into USB devices, enabling policies to block HID emulation and unauthorized storage access, which helps detect and prevent keystroke injection attacks. Similarly, ManageEngine Device Control identifies disguised USB devices by enforcing device ID-based rules and scanning for firmware inconsistencies, blocking access to those exhibiting HID anomalies without legitimate storage functions. Administrative best practices further strengthen defenses through policy enforcement. In Windows environments, Group Policy can disable AutoRun for removable media to prevent automatic execution of malicious payloads from USB devices, while mandatory driver signing ensures only verified code loads during device installation. Scripting and logging, such as using Windows Event Forwarding to track USB enumeration events (e.g., PnPDeviceConnected), allow for auditing and rapid response to suspicious connections. Key concepts in software defenses include behavioral analysis, which flags rapid keystroke bursts characteristic of automated BadUSB injections—typically exceeding human typing speeds of 10-15 characters per second—by monitoring inter-keystroke timings and payload patterns. As of 2025, tools like Netwrix Auditor incorporate AI-driven anomaly detection to analyze USB activity alongside endpoint changes, identifying deviations in device behavior such as unexpected HID emulation in storage devices and automating alerts for potential threats.^[32]

Hardware and Protocol Solutions

Hardware measures against BadUSB primarily focus on physically isolating data transfer pathways or incorporating secure hardware elements to prevent unauthorized firmware interactions. USB data blockers, commonly referred to as "USB condoms," are inline adapters that physically sever the data pins (D+ and D-) in USB cables while preserving power delivery (VBUS and GND lines), thereby allowing safe charging from untrusted ports without enabling any data exchange or device enumeration. These devices effectively mitigate BadUSB risks in scenarios involving public charging stations, as demonstrated in practical deployments where they block all potential firmware-based attacks by design.^[33]^[34] Physical switches and port locks provide another layer of hardware protection by allowing users to manually disable USB data modes on host devices or cover unused ports, preventing any connection that could trigger malicious firmware execution. For instance, key-operated locks or toggle switches on laptops and desktops can isolate ports, ensuring that only authorized connections occur, which is particularly useful in high-security environments like government facilities. Additionally, modern USB controllers integrated with ARM TrustZone technology create secure enclaves that isolate firmware operations, enforcing secure boot processes and preventing unauthorized reflashing; the USB Armory, a compact computer-on-a-stick, leverages TrustZone to render its USB interface invulnerable to BadUSB by hardware-enforced isolation of peripheral emulation.^[5]^[35]^[36] Protocol enhancements address BadUSB at the USB standard level. These standards, evolving into USB 3.2, USB4, and later specifications, incorporate improved authentication mechanisms such as enhanced device descriptor validation and resistance to spoofing via stricter protocol handshakes, though full mandatory signing remains optional. Tools like Google's open-source USB Keystroke Injection Protection further support protocol-level validation by analyzing timing anomalies in USB traffic to detect anomalous device behaviors during supply chain or runtime checks.^[37] Vendor-specific responses have bolstered hardware protections, with some companies implementing signed bootloaders in their USB controllers to complicate firmware reprogramming attacks, requiring cryptographic verification before loading any updates. In 2025, innovations such as NoBU introduce cyber-physical locks that combine hardware interlocks with firmware monitoring to thwart reflashing attempts, detecting and blocking unauthorized HID emulation in real-time. These measures, including NoBU's design which forces human-device interaction for sensitive operations, have shown high effectiveness in lab evaluations, preventing known BadUSB vectors in over 95% of test scenarios.^[23] Despite these advances, hardware and protocol solutions face limitations, particularly their inability to retrofit legacy USB devices lacking updateable firmware, leaving older systems vulnerable to persistent threats. Studies from 2025 indicate that while these mitigations block approximately 90-95% of documented BadUSB attack vectors through physical isolation and signing, sophisticated adversaries may still exploit unsigned or bypassed protocols in transitional environments.^[23]^[38]

References

[1]
USB peripherals can turn against their users - SRLabs Research
Jul 31, 2014 · BadUSB reprograms USB devices into stealthy attack tools. Infected peripherals can survive OS reinstalls, leaving computers permanently ...
[2]
[PDF] BadUSB — On accessories that turn evil
This compromises the. “second factor” security model of online banking. Proof-‐of-‐concept released at: srlabs.de/badusb ...
[3]
Black Hat USA 2014 | Briefings
BadUSB - On Accessories that Turn Evil. USB has become so commonplace that we rarely worry about its security implications. USB sticks undergo the occasional ...
[4]
New BadUSB Attack Turns Linux Webcams Into Persistent Threats
Aug 11, 2025 · Researchers at Eclypsium have shown how Linux-based webcams can be weaponized and turned into persistent threats.Missing: 2023 | Show results with:2023
[5]
What is a BadUSB? Understanding Attacks, Scripts & Protection | Ivanti
Jul 29, 2025 · BadUSB attacks evade antitrust detection by exploiting USB firmware to mimic trusted devices. Once connected, they can quickly execute ...Missing: developments | Show results with:developments
[6]
ByteBait USB: a robust simulation toolkit for badUSB phishing ...
Jul 1, 2025 · This paper addresses BadUSB devices in phishing campaigns, which exploit inherent trust in USB devices to execute malicious actions like keystroke injection.
[7]
BadUSB potential not as widespread as originally thought
Nov 13, 2014 · “It's not like you plug into your computer and it tells you this is a Cypress chip, and this one is a Phison chip. You really can't check ...
[8]
BadUSB: What is it and how to avoid it - ManageEngine
BadUSB is an attack that exploits an inherent vulnerability in USB firmware. Such an attack reprograms a USB device, causing it to act as a human interface ...<|control11|><|separator|>
[9]
BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell
Aug 11, 2014 · We're here to present a new class of attacks one that originates at USB devices and attacks computers.
[10]
This thumbdrive hacks computers. “BadUSB” exploit makes devices ...
Jul 31, 2014 · “BadUSB” exploit makes devices turn “evil”. Researchers devise stealthy attack that reprograms USB device firmware. Dan Goodin – Jul 31, 2014 ...
[11]
Why the Security of USB Is Fundamentally Broken - WIRED
Jul 31, 2014 · Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack ...Missing: Guardian | Show results with:Guardian
[12]
Hackers can tap USB devices in new attacks, researcher warns
Jul 31, 2014 · German crypto specialist and and chief scientist with Berlin's SR Labs Karsten Nohl is reflected in a computer screen as he looks at ...
[13]
Attack code for 'unpatchable' USB flaw released - BBC News
Oct 6, 2014 · Attack tools. Details of the BadUSB flaw were released at the Black Hat computer security conference in August by Karsten Nohl and Jakob Lell.Missing: vulnerability | Show results with:vulnerability
[14]
Only Half of USB Devices Have an Unpatchable Flaw, But ... - WIRED
Nov 12, 2014 · Others remember BadUSB only as the Phison bug. That second group needs to wake up to the same level of awareness of the first group," Nohl says.
[15]
[PDF] BadUSB — On accessories that turn evil
On accessories that turn evil. Karsten Nohl <nohl@srlabs.de>. Sascha Krißler <sascha@srlabs.de>. Jakob Lell <jakob@srlabs.de>. Page 2. 2. Demo 1 – USB ...Missing: whitepaper | Show results with:whitepaper
[16]
Black Hat 2014: Experts demo badUSB proof-of-concept tools
Aug 8, 2014 · While guarding against badUSB devices is difficult, Nohl said among the best defenses is to give thoughtful consideration to the USB devices ...<|control11|><|separator|>
[17]
https://github.com/topics/badusb-payloads
[18]
badusb-payloads · GitHub Topics
Presenting a wide range of more than 100 powerful BadUSB scripts exclusively designed for Mac OS & the Flipper Zero device.Missing: example | Show results with:example
[19]
Flipper zero msf badusb payload generator/executor #17274 - GitHub
Nov 16, 2022 · Hello, I am a big fan of your software. Especially metasploit. Respect to Egypt ) Write you with one help request.
[20]
Bad USB - Flipper Zero - Documentation
Bad USB · Flipper Zero scripting language · Uploading new payloads to Flipper Zero · Using your Flipper Zero as a BadUSB device ...Missing: injection | Show results with:injection
[21]
AGO061/BadBT - GitHub
BadBT is a Flipper Zero application that allows to use BadUSB scripts over Bluetooth - AGO061/BadBT.Missing: combination | Show results with:combination
[22]
https://eclypsium.com/blog/badcam-now-weaponizing-linux-webcams/
[23]
BadCam: Turning Linux Webcams Into BadUSB Attack Tools
Aug 9, 2025 · Eclypsium researchers have discovered vulnerabilities in USB webcams that allow attackers to turn them into BadUSB attack tools.Missing: SRLabs | Show results with:SRLabs
[24]
NoBU: An effective and viable cyber-physical solution to thwart ...
Aug 24, 2025 · 4 NoBU: Thwarting Bad-USB attacks. NoBU aims to address the BadUSB threat by leveraging the expected physical phenomenon triggered by keystrokes ...<|control11|><|separator|>
[25]
[PDF] Defending Against Malicious USB Firmware with GoodUSB - UF CISE
Dec 7, 2015 · This allows for attacks such as BadUSB, where a USB storage device with mali- cious firmware is capable of covertly acting as a keyboard as well ...Missing: definition | Show results with:definition
[26]
Hackers Use Snail-Mail to Send Malware USB Drive
Mar 26, 2020 · A US hospitality provider has recently been the target of an incredibly rare BadUSB attack, ZDNet has learned from cyber-security firm Trustwave.
[27]
FBI: Cybercrime Gang Mailing 'BadUSB' Devices to Targets
Mar 30, 2020 · The FBI says FIN7 has been mailing the malicious USB devices to potential victims, sometimes also while running a phishing attack.
[28]
FIN7 group continues to target US companies with BadUSB devices
Jan 7, 2022 · The FBI warns US companies that the FIN7 cybercriminals group is targeting the US defense industry with BadUSB devices.
[29]
Linux-Based Lenovo Webcams' Flaw Can Be Remotely Exploited for ...
Aug 9, 2025 · Lenovo webcam flaws let attackers deploy remote BadUSB exploits, risking keystroke injection and persistent malware.Missing: variants | Show results with:variants
[30]
https://www.verizon.com/business/resources/reports/dbir/
[31]
2025 Data Breach Investigations Report - Verizon
The 2025 Data Breach Investigations Report (DBIR) from Verizon is here! Get the latest updates on real-world breaches and help safeguard your organization ...
[32]
[PDF] 2024 Data Breach Investigations Report | Verizon
May 5, 2024 · Each year, the DBIR timeline for in-scope incidents is from November 1 of one calendar year through October 31 of the next calendar year. Thus, ...
[33]
Flying this weekend? This $6 USB condom will protect your data ...
Jun 24, 2023 · These are a super-simple, cheap solution to the problem of using untrusted USB charging devices. Simply plug it into a port, and any and all potential data ...Missing: BadUSB mitigations
[34]
What is BadUSB Attack and How to Prevent it? - ManageEngine
BadUSB attack is when a USB device has an in-built firmware vulnerability that allows itself to be disguised as a human interface device.Missing: Phison Alcor Ilitek
[35]
https://www.fedtechmagazine.com/article/2017/07/4-ways-prevent-leaks-usb-devices
[36]
USB Armory is the Swiss army knife of security devices | PCWorld
Nov 19, 2014 · Yet although USB Armory can be programmed to emulate all sorts of USB peripherals in software, it's invulnerable to the BadUSB attack, Barisani ...
[37]
USB Keystroke Injection Protection - Google Open Source Blog
Mar 10, 2020 · USB keystroke injection attacks have been an issue for a long time. Now there's a tool that measures the timing of incoming keystrokes and ...Missing: BadUSB | Show results with:BadUSB
[38]
An effective and viable cyber-physical solution to thwart BadUSB ...
Request PDF | On Aug 24, 2025, Andrea Ciccotelli and others published NoBU: An effective and viable cyber-physical solution to thwart BadUSB attacks | Find, ...