BadUSB
What is BadUSB?
A class of attacks that reprograms a USB device's controller firmware so it claims a malicious identity such as a keyboard, network adapter, or storage volume.
BadUSB was disclosed by Karsten Nohl and SR Labs at Black Hat 2014. It exploits the fact that most USB devices have rewritable controller firmware that operating systems trust implicitly. An attacker reflashes a thumb drive, charger, or peripheral so that, when plugged in, it presents extra USB descriptors: an HID keyboard that types commands, a network card that redirects DNS, or a hidden partition that delivers malware. Because the malicious behaviour lives in firmware, antivirus and disk wipes cannot remove it. Mitigations include using devices with signed firmware, USB allow-listing by VID/PID, disabling autoplay, and treating untrusted USB peripherals as hostile.
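As an added illustration, not part of the original entry, the allow-listing mitigation above written as a host-side check over the interface descriptors a device presents on enumeration: it keys on VID/PID and also compares the interface classes against those the approved model is known to expose, because reflashed firmware can claim any VID/PID but must still announce the extra keyboard or network interface through which it acts. The VID/PID values, allow list and enumeration records are constructed for the example.

```python
# Added example, not from the original entry: a host-side policy check over
# the interface descriptors a USB device presents when it enumerates. It
# pairs the VID/PID allow list named above with an interface-class check,
# since reflashed firmware can claim any VID/PID but must still announce the
# extra interface (keyboard, network adapter) through which it acts.
from typing import NamedTuple

# USB interface class codes from the USB-IF class code list.
HID = 0x03               # human interface device; a keyboard uses protocol 1
MASS_STORAGE = 0x08
CDC = 0x02               # communications class (e.g. ECM network adapters)
CDC_DATA = 0x0A
KEYBOARD_PROTOCOL = 0x01

class UsbDevice(NamedTuple):
    vid: int
    pid: int
    interfaces: list      # (interface class, interface protocol) pairs

# Constructed allow list: (VID, PID) -> interface classes the approved model
# is known to expose. The identifiers are made up for this example.
ALLOW_LIST = {
    (0x1234, 0x0001): {MASS_STORAGE},   # approved thumb-drive model
    (0x1234, 0x0002): {HID},            # approved keyboard model
}

def evaluate(dev, allow_list=ALLOW_LIST):
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    expected = allow_list.get((dev.vid, dev.pid))
    if expected is None:
        findings.append("vid/pid not on allow list")
        expected = set()
    seen = {cls for cls, _ in dev.interfaces}
    for cls in sorted(seen - expected):
        findings.append(f"unexpected interface class 0x{cls:02x}")
    keyboard = (HID, KEYBOARD_PROTOCOL) in dev.interfaces
    if keyboard and MASS_STORAGE in seen:
        findings.append("storage device also enumerates as a keyboard")
    if seen & {CDC, CDC_DATA} and MASS_STORAGE in seen:
        findings.append("storage device also enumerates as a network adapter")
    return findings

# Constructed enumeration records: a genuine drive, the same model reflashed
# to add a keyboard interface, and an unknown USB-Ethernet adapter.
GENUINE_DRIVE = UsbDevice(0x1234, 0x0001, [(MASS_STORAGE, 0x50)])
REFLASHED_DRIVE = UsbDevice(0x1234, 0x0001,
                            [(MASS_STORAGE, 0x50), (HID, KEYBOARD_PROTOCOL)])
UNKNOWN_ADAPTER = UsbDevice(0x5678, 0x0003, [(CDC, 0x00), (CDC_DATA, 0x00)])
```

A real deployment would feed `evaluate` from the host's enumeration data (for example the descriptors exposed under sysfs on Linux) and block or alert on any non-empty result.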
● Examples
- A reflashed promotional USB stick handed out at a conference acts as a keyboard and silently runs PowerShell on insertion.
- A trojanised USB-Ethernet adapter quietly hijacks DNS to redirect corporate traffic.
● Frequently asked questions
What is BadUSB?
A class of attacks that reprograms a USB device's controller firmware so it claims a malicious identity such as a keyboard, network adapter, or storage volume. It belongs to the Attacks & Threats category of cybersecurity.
How does BadUSB work?
See the full definition above.
How do you defend against BadUSB?
Defences for BadUSB combine technical controls (devices with signed firmware, USB allow-listing by VID/PID, disabled autoplay) with operational practice (treating untrusted USB peripherals as hostile), as detailed in the full definition above.
What are other names for BadUSB?
Common alternative names include: Reprogrammed USB, USB firmware attack.
● Related terms
- USB Rubber Ducky
A USB device sold by Hak5 that masquerades as a keyboard and injects pre-programmed keystrokes at machine speed when plugged into a target computer.
- Evil Maid Attack
A physical attack in which an adversary briefly accesses an unattended device to tamper with firmware, bootloader, or hardware and steal secrets later.
- Supply Chain Attack
An attack that compromises a trusted third-party software, hardware, or service provider in order to reach its downstream customers.