Limits of USB HID Attacks
Access
Section titled “Access”Whatever you think is possible with this attack. It only works if somebody plugs the BadUSB into a computer. There is no way around this fact.
Unlocked Target
Section titled “Unlocked Target”The target computer has to be running and unlocked. If it’s turned off, the BadUSB won’t be able to do anything. If it’s locked, it would have to know the password and enter it before doing anything useful.
Input Only
Section titled “Input Only”The BadUSB (in most cases) is stupidly following its programming. It starts as soon as it’s plugged in. It executes its script once and only stops when done. It can not detect errors or react dynamically. The BadUSB is acting as an input device only. Like a real keyboard, it just sends keystrokes. What the computer does with the keystrokes is invisible to it.
File Transfers
Section titled “File Transfers”Many BadUSBs don’t even come with a flash drive feature, meaning they are acting as a keyboard only. In this case, you’d have to upload or download files through the internet - which a firewall could stop. If you can copy files from the computer onto the BadUSB, or vice-versa, you still have to know what and where these files are. Because the BadUSB is input only, it can not scan for files and then decide which files are important and which ones aren’t.
Keyboard Layouts 🇩🇪🇬🇧🇺🇸🇫🇷
Section titled “Keyboard Layouts 🇩🇪🇬🇧🇺🇸🇫🇷”Windows keyboards have a different layout than Apple keyboards. Every country has its own set of keyboard layouts too. You will need to modify your script or BadUSB in a way that makes it work with the keyboard layout of your target. Otherwise, it might type the wrong characters.
Apple Keyboard Setup Assistant
Section titled “Apple Keyboard Setup Assistant”When you plug in a new keyboard on macOS, an assistant window will pop up. You can avoid this by letting your BadUSB appear as an Apple keyboard. This is possible by changing the USB Vendor ID (VID) and Product ID (PID). Not every BadUSB can do this easily, though.