When is a keyboard not a keyboard?
Carl Williams, Security Engineer at Foursys, gave a brilliant ethical hacking demonstration at our SecureTour17 events this year. His hack focused on USB keystroke injection, which tied in wonderfully with the talk on the insider threat from our other guest speaker, Graham Cluley.
USB keystroke injection uses a USB device that, once plugged into a computer, disguises itself as a keyboard to any operating system that detects it and is then able to issue commands to the system. Most of the time this bypasses device control because, as we know, no one blocks keyboards.
You can buy the commercialised ‘rubber ducky’ for this kind of hacking. In the video, however, Carl uses an Arduino Digispark (well, he uses a fake version he bought off eBay for less than £1…), a board that is usually used to get people into coding.
One of the first defenses against this kind of attack is knowing it exists.
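Beyond awareness, a device that only pretends to be a keyboard tends to give itself away by typing faster than any person can. The sketch below is an added example, not code from Carl's talk or from Foursys: it flags devices whose key presses arrive in a sustained burst. It assumes per-device key-press timestamps are already being collected; the thresholds, device names and sample data are constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the article): people rarely sustain gaps
# under ~30 ms between key presses; an injecting device types far faster.
MAX_HUMAN_GAP_S = 0.030
BURST_LEN = 8  # consecutive fast gaps required before a device is flagged


def find_injection_suspects(events, max_gap=MAX_HUMAN_GAP_S, burst_len=BURST_LEN):
    """events: iterable of (device_id, timestamp_seconds) key-press records.

    Returns {device_id: (burst_start, keys_in_burst)} for every device whose
    longest run of sub-threshold gaps is at least burst_len gaps long.
    """
    per_device = defaultdict(list)
    for device, ts in events:
        per_device[device].append(ts)

    suspects = {}
    for device, stamps in per_device.items():
        stamps.sort()
        run_start, run_gaps = None, 0
        best_start, best_gaps = None, 0
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= max_gap:
                if run_gaps == 0:
                    run_start = prev
                run_gaps += 1
                if run_gaps > best_gaps:
                    best_start, best_gaps = run_start, run_gaps
            else:
                run_gaps = 0  # a human-length pause ends the burst
        if best_gaps >= burst_len:
            suspects[device] = (best_start, best_gaps + 1)
    return suspects


def sample_events():
    """Constructed sample: one person typing, one device injecting 40 keys."""
    human_offsets = (0.0, 0.18, 0.31, 0.52, 0.66, 0.90, 1.05, 1.30, 1.42, 1.60)
    human = [("kbd-builtin", 10.0 + off) for off in human_offsets]
    injected = [("kbd-new-usb", 42.0 + i * 0.005) for i in range(40)]
    return human + injected


if __name__ == "__main__":
    for device, (start, keys) in find_injection_suspects(sample_events()).items():
        print(f"{device}: {keys} keys in one burst starting at t={start:.3f}s")
```

An injector that deliberately types slowly would not trip this check, so it complements device control and user awareness rather than replacing them.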
Watch Carl’s full keynote from the London leg of SecureTour17 to see, from start to finish, how he executes this extremely effective attack.