Skip to navigation

PCPro-Computing in the Real World Printed from

Register to receive our regular email newsletter at

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.

// Home / Blogs

Posted on December 4th, 2012 by Darien Graham-Smith

The USB stick that thinks it’s a keyboard


To Covent Garden, where James Lyne – director of technology strategy at Sophos – has been presenting a review of the security landscape during 2012, and a look forward to next year’s threats. The review is an annual event, and always entertaining thanks to Lyne’s bona fide geek credentials: this year’s talk included references to Anonymous masks, the obligatory Gangnam Style allusion and several exhortations to “[verb] all the things”.

Predictions for 2013 include increasingly sophisticated and targeted attacks, on mobile platforms as well as PCs. No surprises there. More interestingly, Lyne also expects to see a rise in ransomware, which locks away your files and provides the decryption key only on payment of a fee. So far, malware ransoms have typically been around the £200 mark, but Lyne reckons criminals will soon start to recognise high value targets (such as company CEOs) and demand much higher fees for the return of sensitive documents. He describes this type of attack as “irreversible”, as there’s nothing third-party software can do to recover your files if they’ve been strongly encrypted: the only defence is to keep backups. You’ve been warned.

The part of the talk that particularly struck me, however, relates to the little device pictured above, which Lyne demonstrated with glee. Fully assembled, it looks just like a regular USB flash drive. Or, from the internal microSD slot, you might assume it was some sort of card reader. In fact – believe it or not – it’s a keyboard.

The key-less keyboard

To be precise, the device is a keyboard controller. Windows detects it as a regular full-sized keyboard, but instead of providing physical keys for the user to press, the device takes its input from a pre-programmed microSD card. Load it up with a simple script and as soon as the device is plugged into a Windows PC it will automatically open a command prompt, type in an exploit giving the attacker remote access to your PC, and launch it.

Instead of providing physical keys for the user to press, it takes its input from a pre-programmed microSD card

As infection vectors go, it’s pretty ingenious. You won’t take over the world with an attack like this – not least because it doesn’t spread at all. To that extent it’s the very definition of a targeted attack. But choose the right targets – for example, start posting these little devices out to corporate executives and senior politicians – and you may well reap an awful lot of extremely sensitive information. Lyne mentioned that several of these devices have already been found in the wild over the past year.

The perfect crime? Well, not quite. If you’re watching the screen when plugging the device in you’ll see the command prompt briefly open and close – that’s inevitable, given the way the device works. Your suspicions will probably also be aroused when you notice that the device doesn’t show up as a drive in Explorer. A slightly more complex design could perhaps cover its tracks by combining legitimate storage with an illicit keyboard controller – but by the time you smell a rat, the malware is already lodged into your system anyway.

And of course the device flies straight under the radar of conventional security software, because, well, it’s a keyboard. It has no storage – none visible to the operating system, anyway – so there’s simply nothing to scan.

I cannot but admire the brilliant lateral thinking that’s gone into this little device. Mainstream operating systems and applications may be getting ever more robust, but malicious hackers are becoming (in Lyne’s memorable phrase) “tragically competent” at working around established security measures. I get the feeling Sophos won’t be running short of new and ingenious types of malware to showcase any time soon.

Tags: , , ,

Posted in: Random


Follow any responses to this entry through the RSS 2.0 feed.

You can skip to the end and leave a response. Pinging is currently not allowed.

4 Responses to “ The USB stick that thinks it’s a keyboard ”

  1. Ben Says:
    December 4th, 2012 at 10:12 am

    Slightly concealingly these devices have been commercially available for a little while (i.e. the Hak5 USB Rubber Ducky and have had some interesting uses from speedy office pranks to more sinister uses!

  2. Keith Says:
    December 4th, 2012 at 12:39 pm

    I got sent something very similar to this by Sky. When you plug it in it does not appear as a drive, but an HID device. It runs a command trough the “Run” function to open up a support URL. When I break it open it doesn’t have a micro SD card but has a chip covered in resin to make it impossible to see what it is. Even more reason to never plug in any USB thumb drive.

  3. Andrew Says:
    December 4th, 2012 at 1:18 pm

    HAK5 launched the USB Rubber Ducky way back in 2010 ( Upgraded in 2011 (, it contains a simple scripting language that allows it to launch any attack that a user with access to your keyboard could do but in a fraction of the time (

    Never leave your PC unattended and unlocked and never plug anything into a USB port that you don’t trust.

  4. friemel6 Says:
    March 4th, 2013 at 6:24 pm

    it is a good thing that this was invented and produced late it is already old now the solution is fuck off the implications are endless flash compiled hacking is now here for your entertainment anarchy will reign theres no money no more and like locusts we scavange the earth good job


Leave a Reply

Spam Protection by WP-SpamFree

* required fields

* Will not be published






Your email:

Your password:

remember me


Hitwise Top 10 Website 2010