How DIY USBs are used to Hack Computers? HID Attack using Digispark & Arduino
Let me ask you a question, how many of you guys check the back of your computer every time you turn it on before you start your work? Do you ever check what all things are connected to your computer before you get going? If not, trust me guys, you will need to do that in the future. Why? A simple DIY electronic circuit like this USB is enough for someone to hack and take full control of your system. Let me show you how! Just to remind you guys, this article is for educational purposes only!
USB.. Very Convenient..
The introduction of the USB was a revolution! It’s the most convenient way of connecting devices, sending and receiving data, storing data, charging devices, and whatnot. Depending on the function, the USB protocol can act differently.
USB Based HID Devices
Most of today’s Keyboards and mice are connected to your computer via USB right? These are known as HID or Human Interface Devices. HID or Human Interface Devices are Devices that take input from us and pass it on to the device connected to them. HID devices include a keyboard, joystick, mouse, touchpad, graphic tablet, etc.
The Keyboard
Every single key in your keyboard has a keystroke. When you press a key on your keyboard, that keystroke will be sent to your computer via USB, and the computer prints that key in your notepad. Or you can send a combination of keystrokes for example ALT, CTRL, and T that will be received by the computer and open the terminal. Convenient right?
But what if, you don’t press any keys but the Keyboard sends keystrokes to open a terminal and type a command that will allow hackers to get complete control over your system?
DIY USB HID Devices
The thing is it’s very easy to create our own USB devices that will act as HID devices, especially keyboards. All you need is a cheap microcontroller like this one. On one hand, it’s a really useful thing. We can create our own customized devices according to our needs like this Photoshop Control Panel that I made last month or we can create our own Media Controller.
But on the other hand, this functionality can be used to perform malicious activities as well. How? Just a single line of code is needed for a person to take control of your system. Don’t believe me? Let me show you.
Performing USB HID Attacks using DIY Digispark Circuits
This is Digispark, It is a lightweight microcontroller development board. Digispark comes with 6 GPIO pins, I2C and SPI serial communication, and a USB interface. It also has 3 PWM pins. You can make this Board work as a keyboard or as a mouse and do nasty stuff with the push of a button.
The way we do that is by sending particular keystrokes in a particular sequence that will do particular actions in your computer in order.
For example, send keystrokes to open the terminal, wait for some time for the computer to open the terminal, and then send keystrokes to type in the commands that will initiate a connection to a hacker’s computer. Once that is done, send keystrokes to close the terminal. Everything happens in super high speed. so it’s very hard to notice. If you want you can try this yourself.
This same thing can be done using some of the latest Arduino boards like Arduino Nano RP 2040. This board can be connected to your computer using a simple USB cable and send keystrokes.
Doing Wireless HID Attacks
Now, what if I told you this attack can be done wirelessly? Now before going further, if you like this video, make sure you give this video a like and subscribe to our channel by hitting the subscribe button right here. For wireless attacks, we can use any board in the Arduino MKR family, for example, Arduino MKR 1000. This board will be connected to your target computer when the user is not around. When the PC is turned on, it will power up the Arduino, it will connect to a Wi-Fi network, and start a web server at port 80.
Using a mobile phone, which is connected to the same Wi-Fi network, we can easily access the webpage which is served by the Arduino and we can execute various commands by simply tapping the links from the mobile phone.
That is pretty scary, right? All we need is 5 secs of physical access to their computer when they are not around! Most of the time, this happens in office machines and school machines where people get a lot of time with other computers.
Social Engineering to Perform USB HID Attacks
There are other ways you and your computer could fall victim to these kinds of attacks. They could trick you to connect these malicious USB drives to your computer.
Sometimes, hackers drop these armed USBs in the form of flash drives at public places like parks, restaurants, or even office premises. This kind of attack relies on the curiosity of the people to find out what is inside, and who is likely to plug it into their system. Once the USB is connected to the system, all the malicious keystrokes will be sent to the computer in a matter of milliseconds and before you know it, the hackers are on your computer!
You will also see these kinds of malicious USBs hidden inside legitimate USB devices such as USB hubs, USB power banks, or even Fancy Items that can be connected to USB ports!
This kind of attack is very dangerous because if executed properly, hackers can completely take over your computer and gain access to all your files and information. Once they have remote access, they can install malicious software such as keyloggers that will collect everything you type including personal messages and passwords, or even install malware such as worms that will infect all the computers in your office network.
How to Protect Yourself?
How to avoid these attacks and be safe? Never ever connect unknown devices to your computer. Whichever device you connect to your computer must be trusted. Always look behind your CPU before turning on your computer and make sure that there are no known devices connected to it. Always lock your computer when you are away from it. Even if you see any orphaned USB devices, just ignore it. Don’t even think about connecting it to your PC.