Introduction
USB attacks involve the use of malicious USB devices to compromise computer systems.
In a typical scenario, a custom USB device that emulates a keyboard is used to attack a workstation. When plugged in, the device masquerades as a regular keyboard and immediately starts “typing” a pre-programmed set of keystrokes at high speed – typically commands to download and install a backdoor on the victim to gain persistent access. Such an attack can be executed in a manner of seconds, after which the attacker retrieves the device and quietly leaves the scene.
A well-known example of USB attack device is the Rubber Ducky, that can be used in physical intrusion scenarios. Of course, the same hardware that is used by penetration testers for legitimate reasons can also be used by people with less noble intentions against third parties.
An unmarked Rubber Ducky
USB devices can also act as composite devices, that emulate multiple functions at the same time. For example: a keyboard with mass storage and a network interface card or a Bluetooth/Wifi dongle, to exfiltrate data or retain a foothold into the infected system.
Fortunately, there are tools available to thwart those attacks. Today we will be exploring some of the options available to us. Spoiler: they are cheap, if not free.
USBGuard (for Linux machines)
As described by the authors:
USBGuard is a software framework for implementing USB device authorization policies (what kind of USB devices are authorized) as well as method of use policies (how a USB device may interact with the system)
In other words, this is a daemon running as a service, that monitors USB events and authorizes (or blocks) USB devices based on predefined policies.
Installation
Refer to the documentation for installation instructions. On Debian systems, usbguard can be easily installed as a package:
sudo apt install usbguardNB: Before starting the USBGuard service you should generate a rules file, so that the currently attached USB devices (in particular mouse and keyboard) continue to work!
A rules file can be generated like this to “freeze” the current configuration:
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'Hint: open a SSH session to the computer if possible, so that you don’t get locked out by mistake.
Then, you can safely start service usbguard:
sudo systemctl start usbguard.serviceAlso enable service on start-up:
sudo systemctl enable usbguard.serviceUsage
To observe what happens when plugging in unauthorized USB devices, run dmesg -wT in a console window and observe the output. It will look like this:
[Wed Jul 2 20:48:35 2025] usb 2-1: new low-speed USB device number 2 using ohci-pci
[Wed Jul 2 20:48:36 2025] usb 2-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=49.00
[Wed Jul 2 20:48:36 2025] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[Wed Jul 2 20:48:36 2025] usb 2-1: Product: USB Keyboard
[Wed Jul 2 20:48:36 2025] usb 2-1: Manufacturer: Logitech
[Wed Jul 2 20:48:36 2025] usb 2-1: Device is not authorized for usage
Here, we plugged in a Logitech keyboard that was not pre-authorized. As a result, USBGuard blocked it. A potential hacking attempt was averted.
Defining rules
The behavior of USBGuard can be adjusted by rules, via a configuration file. See the online documentation for details. The rules format will immediately make if you are already familiar with the output of lsub or udev.
Let’s retrieve the current rules and dump them to a file:
usbguard generate-policy > rules.confEdit file and add your rules:
nano rules.confPush config to USBGuard and restart service:
sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
sudo systemctl restart usbguard
For example, to authorize a Logitech USB keyboard with vendor_id:product_id string “046d:d41c”, the following rule is sufficient:
allow 046d:d41cbut can be made more specific (eg. include a serial number). The hash is generated by USBGuard itself.
More generic rules can be defined to allow certain device classes. For example you can allow mass storage devices but nothing else:
allow with-interface equals { 08:*:* }A more elaborate rule to deny USB keyboards if there is already a keyboard connected:
allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 })This rule alone should defeat Rubber Ducky but always test that rules are working as intended.
Tips: rules can be made very flexible with conditions. For example, conditions can be based on the local time, to match regular work hours.
Opinion: excellent software, flexible and free. Only for Linux computers.
Low-tech approach (for all computers)
Security does not always have to be a high-tech effort. No need to configure USB security in software if you can just interdict the ports.
Aucas USB port lock
USB ports can be physically blocked by purpose-made port plugs made of plastic or similar. The picture above shows an example of port plug from vendor Aucas.
Try a query like “usb port lock” in your favorite search engine for more suggestions.
Opinion: a cheap, non-intrusive option for computers that are publicly exposed, for example in crowded environments like trade shows.
Low-tech approach (paranoid)
No comments.
Auditing
USB events can and should be audited. Check your SIEM documentation to implement USB auditing.
Example using the open-source Wazuh security platform: Monitoring USB drives in Linux using Wazuh
Watch out for unusual vendor/product strings. For example, a non-customized Rubber Ducky would produce a lsusb trace like this, which is a telltale sign of USB attack:
[Thu Jul 3 02:46:17 2025] usb 1-4: new full-speed USB device number 8 using xhci_hcd
[Thu Jul 3 02:46:18 2025] usb 1-4: New USB device found, idVendor=413c, idProduct=2106, bcdDevice= 1.00
[Thu Jul 3 02:46:18 2025] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[Thu Jul 3 02:46:18 2025] usb 1-4: Product: HID Keyboard
[Thu Jul 3 02:46:18 2025] usb 1-4: Manufacturer: DUCKY
[Thu Jul 3 02:46:18 2025] usb 1-4: SerialNumber: 120120330ABCDEF01234
Conclusion
USB attacks are a type of physical attack that require low technical skills, yet they can cause tremendous damage to your organization. Fortunately, there are defense techniques that are easy to implement.
As always, computer security starts with a good hygiene and physical security.
References
