MalDuino — Open Source BadUSB

MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in the crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the widely known USB Rubber Ducky, which made an appearance on Mr. Robot.

It’s like an advanced version of the HID tricks to drop malicious files which we previously reported. Once plugged in, MalDuino enumerates as a keyboard and executes previously configured key sequences at very high speed. Because the host trusts anything that presents itself as a keyboard, no driver or user approval is needed, which is why IT security professionals use this kind of device to take over local computers just by plugging in an unsuspicious-looking USB ‘pen’ drive.

[Seytonic], the maker of MalDuino, says its objective is to be a cheaper, fully open source alternative, with the big advantage that it can be programmed straight from the Arduino IDE. It’s based on the ATmega32u4, like the Arduino Leonardo, and will come in two flavors, Lite and Elite. The Lite is quite small and will fit into almost any generic USB case. There is a single switch used to enable or disable the device so that it can be programmed without firing its payload.

The Elite version is where it gets exciting. In addition to the MicroSD slot that will be used to store scripts, there is an onboard set of DIP switches that can be used to select the script to run. Since the whole platform is open source and based on Arduino, the MicroSD slot and DIP switches are entirely modular; nothing is hardcoded, and you can use them for whatever you want. The most skilled wielders of BadUSB attacks have shown feats like setting up a fake wired network connection that allows all web traffic to be siphoned off to an outside server. Since the ATmega32u4 has native USB and is not limited to the keyboard class, this should be possible with the microcontroller used here, although it is not native to MalDuino’s default firmware.

For most users, typical feature hacks might include repurposing the DIP switches to modify the settings for a particular script. Instead of storing just scripts on the MicroSD card, you could store word lists on it for use in password cracking. It will be interesting to see what people come up with and the scripts they create, since there is a lot of room to tinker and enhance it. That’s the greatness of open source.
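To make the Arduino-IDE side of this concrete, here is an added example of the logic such a device runs, written as host-testable C++ rather than a sketch: the DIP-switch reading picks a file on the card, and a small Ducky-Script-like interpreter turns each line of that file into key events. This is illustration only, not MalDuino’s or the Rubber Ducky’s firmware. The script file naming, the command subset and the KeyEvent record are assumptions, the sample script is constructed, and on the real board each event would be handed to the Arduino Keyboard library instead of being collected in a vector.

```cpp
// Host-side model of a MicroSD-backed, DIP-switch-selected keystroke injector.
// Added illustration only: not MalDuino's firmware. On the real board the
// KeyEvents below would be fed to the Arduino Keyboard library
// (Keyboard.press/release/print); here they are collected so the
// interpreter can be run and tested on a PC.
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

struct KeyEvent {
    enum Kind { TYPE_TEXT, PRESS_COMBO, DELAY_MS };
    Kind kind;
    std::string text;               // TYPE_TEXT: characters to type
    std::vector<std::string> keys;  // PRESS_COMBO: keys held together, e.g. {"GUI","r"}
    uint32_t ms;                    // DELAY_MS: milliseconds to wait
};

// Assumed card layout: the four DIP switches form a 4-bit index into
// /script0.txt .. /script15.txt. Higher bits of the reading are ignored.
std::string scriptForSwitches(uint8_t sw) {
    return "/script" + std::to_string(sw & 0x0F) + ".txt";
}

// Parse a decimal number; returns false instead of throwing on bad input so
// one garbled line on the card cannot abort the whole script.
static bool parseNumber(const std::string& s, uint32_t& out) {
    if (s.empty()) return false;
    for (char c : s) if (c < '0' || c > '9') return false;
    out = static_cast<uint32_t>(std::stoul(s));
    return true;
}

// Interpret a Ducky-Script-like file. Supported: REM, DEFAULT_DELAY n,
// DELAY n, STRING text, and any other line as a key combination
// (ENTER, GUI r, CTRL ALT DELETE ...). Lines that fail to parse are skipped.
std::vector<KeyEvent> interpret(const std::string& script) {
    std::vector<KeyEvent> out;
    uint32_t defaultDelay = 0;  // inserted after every typing/combo line once set
    std::istringstream in(script);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (line.empty()) continue;
        std::string cmd = line, rest;
        auto sp = line.find(' ');
        if (sp != std::string::npos) { cmd = line.substr(0, sp); rest = line.substr(sp + 1); }
        uint32_t n = 0;
        if (cmd == "REM") continue;
        if (cmd == "DEFAULT_DELAY" || cmd == "DEFAULTDELAY") {
            if (parseNumber(rest, n)) defaultDelay = n;
            continue;
        }
        if (cmd == "DELAY") {
            if (parseNumber(rest, n)) out.push_back({KeyEvent::DELAY_MS, "", {}, n});
            continue;
        }
        if (cmd == "STRING") {
            out.push_back({KeyEvent::TYPE_TEXT, rest, {}, 0});
        } else {
            std::vector<std::string> keys{cmd};
            std::istringstream ks(rest);
            for (std::string k; ks >> k;) keys.push_back(k);
            out.push_back({KeyEvent::PRESS_COMBO, "", keys, 0});
        }
        if (defaultDelay) out.push_back({KeyEvent::DELAY_MS, "", {}, defaultDelay});
    }
    return out;
}

// Constructed sample script: the classic "open a Run box, launch Notepad" demo.
const char* const SAMPLE_SCRIPT =
    "REM constructed demo script\r\n"
    "DELAY 500\n"
    "GUI r\n"
    "DELAY 200\n"
    "STRING notepad\n"
    "ENTER\n";

int main() {
    std::cout << "switches=0b0011 -> " << scriptForSwitches(0x03) << "\n";
    for (const KeyEvent& e : interpret(SAMPLE_SCRIPT)) {
        if (e.kind == KeyEvent::DELAY_MS) std::cout << "wait " << e.ms << " ms\n";
        else if (e.kind == KeyEvent::TYPE_TEXT) std::cout << "type \"" << e.text << "\"\n";
        else { std::cout << "press"; for (const auto& k : e.keys) std::cout << ' ' << k; std::cout << "\n"; }
    }
    return 0;
}
```

The DELAY lines are not decoration: the device types far faster than a desktop can open a Run dialog, so a payload without them simply races the UI and fails. On the defensive side, note that nothing here is visible to the host as anything but a keyboard; device allow-listing by VID/PID or blocking newly enumerated HID keyboards is the practical control, since no driver or prompt stands in the way of the injected keystrokes.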

You can watch the prototype in action in the video:

28 thoughts on “MalDuino — Open Source BadUSB”

  1. For a few months I had a script on my Ducky that did the registry setting to block the Windows 10 installer from running on client computers. It would do the regedit then reboot the computer. Also blocked gwx.exe from running so that pesky nag icon wouldn’t show up.
    Before the “group policy” groupies show up, not all my clients have a domain.

    1. You could have just, you know, declined the upgrade.

      All the PCs at my workplace are on Win8.0 (pity me) and we were told to decline the upgrade offer. Never had any issues.

      1. It’s important to remember that if almost any user sees an upgrade prompt they will click on it and start the upgrade.
        Not to mention each machine silently downloading 4GB of windows 10 install files (before you even accept or decline)

        1. Wasn’t it something insane like clicking the close X in the corner would count as agreeing to the upgrade? Microsoft caught a lot of flak for that brain dead decision and they reverted that change. You had to click the actual decline button for it to refuse the upgrade.

          1. In my experience as soon as the nagware update was installed, Windows 10 downloads to the root of your C:\ in a couple of hidden folders.
            On mine there was an accept button but no decline button so I uninstalled it.
            I am actually using windows 10, but I always do clean installs :)

          2. It was a

            >You are being upgraded.

            Dialog so you had to click the “Nooooo!!!” option.

            Personally I had no issues with it; if you can’t read a single dialog and answer it accurately you don’t have the competence to make those decisions.

          3. @Alex Rossie
            Meh, I would say if Windows 10 downloads before you’ve chosen anything (taking up my tiny SSD’s space), then that program doesn’t have the competence to remain on my machine :)

      2. I was sceptical of Windows 10 to begin with. I use it on all my Windows boxes now, but there are some privacy settings that need to be set as a must. First, stop Cortana; it records you and sends it to Microsoft. The computer tries to learn about you by sending keyboard input to Microsoft too; disable that. You are also entered into some P2P Windows update program where you send others copies of the latest updates, which could be GBs in size. Turn that off. Windows 10 is great, but your privacy is at risk without doing all these things plus a few more. Once you have done all that, your privacy is still probably at risk anyway.

      3. We had a bunch upgrade anyway. My wife’s office computer upgraded without any notification. For a while there it was breaking crap left and right. It’s better now, but we still run into compatibility issues here and there.

        1. 10 seems pretty good after the second major update since RTM. For older hardware, some Vista or 7 drivers will work, some won’t. Some will install, show no problems in Device Manager but the device just won’t work.

          One of those are the ViXS PureTV cards HP and Compaq used with Vista. I tried to get one working with 7 and 10. Drivers would install but no TV software could see the tuner. The OEM boxes they shipped in all had Vista with Media Center and apparently that’s the only OS and application that works with them.

    2. My experience: decline, and it went away. FTR: older Dell Optiplex 380 running Win7 Pro, bought wholesale from WalMart for about $120. Best computer I’ve ever owned; positively screams along in its main tasks (Internet, photo editing, Excel and Word).

      It may not have done an end-run-around because it has BIOS-level controls to lock out OS changes.

  2. I have a rather different need for something like this, and I suspect a lot of others might too.

    I use a Keyboard/Video/Mouse switch to use one keyboard, mouse and screen with multiple computers. BUT, the one I have will not work with the wireless keyboards or mice because it does not support the USB dongles they need. I have taken this up with the KVM manufacturer, and they have no interest in helping.

    What seems to be needed is a device like this that properly identifies itself as a Keyboard or mouse and has a USB socket that will initialise the device dongle on the other side. This need may be too complex for such a relatively simple device, but I have to mention the alternative need.

    Either way, it is a great idea you have.

  3. “Instead of storing just scripts on the MicroSD card you could store word lists on it for use in password cracking.”

    Why in the world would you want to run word list attacks on an extremely slow device, when you could have the data sent to you and cracked on a much faster system?

    1. I don’t think brute-forcing via keyboard emulation can get much faster.

      > you could have the data sent to you and cracked on a much faster system
      What is this “data”, and how do you plan to crack it?

  4. What if it wrote and executed a script that would use the status LED bit fields to transfer data back to the SD card. This would allow you to steal data even from offline computers. Once the data has been extracted it could wait until the device is plugged in to a computer that has an internet connection and transfer the stolen data to a remote server.

    1. Got to agree, I would have been more impressed if instead of just a slightly better Rubber Ducky they added the ability to switch it to run PoisonTap in case the computer was password locked.

    1. Wiring up an SD card slot to a Digispark clone would take up much more space than the MalDuino Elite version. The Elite and Lite versions are both custom PCBs to reduce size. You would also have to modify the firmware that Seytonic has written to support the SD card on the Digispark as well.

      One of the other problems with that model in particular is the flimsiness of the plug and the fact that if you insert it upside down by accident you will short out the USB slot.

  5. What about the other way back: send data from the machine to the dongle and store it on the SD memory.
    Like:
    1 – select the switch to upload a script
    2 – run this script and select the file you want to upload
    3 – the script uploads using uplink to keyboard (like led or whatever) to send the file to the dongle
    4 – voilà! you have a file from an airgap machine!
