Get AI summaries of any video or article — Sign up free
bad USBs are SCARY!! (build one with a Raspberry Pi Pico for $8) thumbnail

bad USBs are SCARY!! (build one with a Raspberry Pi Pico for $8)

NetworkChuck·
5 min read

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

Bad USB devices enumerate as HID keyboards/mice, so computers treat injected input as legitimate user actions rather than file storage.

Briefing

Bad USB devices turn a simple “plug in a USB drive” moment into a fast, automated keyboard takeover—capable of disabling security software, triggering reverse shells, or playing disruptive pranks—often before anyone notices. The core danger is that computers treat these devices as Human Interface Devices (HID), the same category used for keyboards and mice, which means the system effectively “trusts” the input as if a person typed it.

The transcript demonstrates the risk with quick, hands-off examples: plugging in a malicious USB leads to Windows Defender being disabled, followed by a reverse shell opening on a laptop. The attack doesn’t require visible user interaction because the device can inject keystrokes through the operating system’s normal input pathways. Even when the payload is “just” a Rickroll, the impact can be sticky—audio keeps playing and typical controls may not stop it—highlighting how little time defenders have once the device is connected.

Effectiveness comes from two factors. First, HID trust: when a normal flash drive appears, the computer routes it through file storage workflows. A bad USB instead presents itself as an HID keyboard/mouse, so the operating system routes the traffic as legitimate user input. Second, speed: humans type roughly 50–75 words per minute, while the device can simulate input around 1,000 words per minute. That gap matters when an attacker relies on the victim leaving a computer unlocked or unattended; the malicious sequence can complete before the user realizes anything is happening.

The practical build section focuses on two approaches. The “classic” option is the USB Rubber Ducky from Hak5, a purpose-built bad USB that uses Duckyscript—commands that simulate keyboard actions. The cheaper alternative is a Raspberry Pi Pico (about $5) configured to behave like a bad USB using CircuitPython and an HID library. Setup involves installing CircuitPython onto the Pico, adding the HID support package, and placing a payload script (named code.py for the Pico) so the device runs immediately on connection.

For the Rubber Ducky route, scripts are typically encoded into an inject.bin payload using a web-based encoder, then copied onto the device’s microSD storage. For the Pico route, the payload can be pasted as a Python script and placed into the Pico’s root directory as code.py, with a caution that it may execute as soon as it’s written—meaning editing can accidentally trigger the attack.

Defenses emphasized in the transcript are largely behavioral and policy-based. The simplest rule: don’t plug unknown USB devices into computers. Lock the workstation when stepping away (e.g., Windows Key + L), because a locked screen and password barrier can prevent the HID-injected actions from succeeding. For organizations, the transcript recommends reducing administrative exposure via least privilege and requiring password prompts for admin actions—implemented through Windows registry policy changes or group policy—so malicious keystroke sequences can’t silently elevate privileges.

Overall, the message is that bad USBs exploit everyday habits and default trust in input devices. With the right configuration, a $5 microcontroller can behave like a keyboard at machine speed, turning curiosity-driven USB plugging into a high-risk intrusion path.

Cornell Notes

Bad USBs work by pretending to be a keyboard or mouse (HID), so the computer treats the input as legitimate human interaction. That trust, combined with machine-speed keystroke injection (around 1,000 words per minute), lets a malicious device run payloads before a user notices—such as disabling Windows Defender, opening a reverse shell, or playing disruptive Rickroll-style pranks. The transcript shows two build paths: the USB Rubber Ducky (using Duckyscript encoded into inject.bin) and a cheaper Raspberry Pi Pico configured with CircuitPython and an HID library to run a payload as code.py. Defense centers on not plugging in unknown USB devices, locking computers when away, and tightening admin permissions so injected actions can’t silently approve elevated access.

Why is a bad USB more dangerous than a normal USB flash drive?

A normal flash drive is recognized as mass storage, so the operating system routes it through file-handling workflows. A bad USB instead enumerates as an HID (Human Interface Device)—the same class used by keyboards and mice—so the system treats the incoming data as user keystrokes and pointer actions. That default “human input” trust makes the attack effective even when the device is physically just a USB stick.

How does typing speed change the attacker’s odds?

The transcript contrasts human typing (about 50–75 words per minute) with bad USB injection (around 1,000 words per minute). When a victim leaves a computer unlocked, the device can complete a scripted sequence—opening dialogs, navigating menus, launching commands—before the user can react. The faster the keystroke stream, the less time there is for detection or interruption.

What’s the difference between the USB Rubber Ducky approach and the Raspberry Pi Pico approach?

The USB Rubber Ducky uses Duckyscript: a set of commands that simulate keyboard input. Scripts are encoded into an inject.bin payload and stored on the device’s microSD; plugging it in triggers the payload. The Raspberry Pi Pico approach uses CircuitPython plus an HID library so the Pico appears as a keyboard/mouse. The payload is placed as code.py (after renaming the provided script), so it runs automatically on connection.

Why can editing a Pico-based payload be risky?

Because the Pico runs code immediately when connected. If the payload is already installed as code.py, plugging the Pico into a computer to edit files can trigger the script right away. The transcript suggests a workaround: factory reset/erase the Pico (using a nuke/flash_nuke-style script) and reload the setup so the device doesn’t execute the attack while being modified.

What practical defenses reduce the impact of bad USB attacks?

The transcript prioritizes user behavior: don’t plug in unknown USB devices, and lock the computer when walking away (so a password gate blocks the injected actions). For organizations, it recommends least privilege and requiring password prompts for administrative actions—implemented via registry/group policy—so malicious sequences can’t rely on a simple “click Yes” for elevation.

What role does administrative access play in these attacks?

Many payloads require elevated privileges to disable protections, install components, or run commands that normal user permissions can’t. If the user lacks admin rights, the HID-injected actions are more likely to fail. Tightening admin access and enforcing password-based consent for elevation can blunt the success rate of scripted keystroke attacks.

Review Questions

  1. What two technical properties make HID-based bad USB attacks especially effective against unattended computers?
  2. Compare how Duckyscript/inject.bin execution differs from the Pico’s code.py execution model.
  3. Which policy changes (least privilege and admin consent prompts) directly target the privilege-elevation step in many bad USB payloads?

Key Points

  1. 1

    Bad USB devices enumerate as HID keyboards/mice, so computers treat injected input as legitimate user actions rather than file storage.

  2. 2

    Machine-speed keystroke injection (around 1,000 words per minute) can complete payloads before a user notices, especially when the machine is left unlocked.

  3. 3

    The USB Rubber Ducky uses Duckyscript encoded into inject.bin, while a Raspberry Pi Pico can be configured with CircuitPython and an HID library to run a payload as code.py.

  4. 4

    Editing a Pico payload can accidentally trigger the attack because the device may execute code immediately upon connection.

  5. 5

    The most reliable user defense is refusing unknown USB devices and locking the workstation when stepping away (e.g., Windows Key + L).

  6. 6

    Organizational defenses should enforce least privilege and require password-based admin consent prompts rather than one-click approvals.

  7. 7

    Admin rights are often the gating factor for successful payloads; removing or restricting those rights reduces the attack’s effectiveness.

Highlights

Bad USBs exploit the computer’s built-in trust in HID devices—turning a USB plug-in into keyboard/mouse control.
The speed gap between humans (50–75 WPM) and the device (about 1,000 WPM) helps payloads finish before detection.
A Raspberry Pi Pico can be configured to behave like a bad USB by installing CircuitPython, adding HID support, and running a payload as code.py.
Defense isn’t just antivirus: locking the computer and tightening admin permissions can stop HID-injected actions from succeeding.

Topics

  • Bad USB
  • HID Devices
  • USB Rubber Ducky
  • Raspberry Pi Pico
  • Windows Defender
  • Reverse Shell
  • Duckyscript
  • CircuitPython
  • Privilege Escalation
  • Defense Strategies

Mentioned

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library