Bad Keyboard Attacks: Technical Deep Dive

Hardware Architecture and Implementation

USB Controller Microarchitecture

At the heart of every bad keyboard device lies a microcontroller capable of USB communication and HID (Human Interface Device) emulation. Understanding the hardware architecture is crucial for both implementing attacks and developing effective countermeasures.

Core Components

Primary Microcontroller: The central processing unit that handles USB protocol communication, payload storage, and execution logic. Common choices include:

• ATmega32U4: Arduino-compatible microcontroller with native USB support

• STM32F103: ARM Cortex-M3 based controller with USB OTG capabilities

• ESP32-S2: WiFi-capable microcontroller with USB HID support

• RP2040: Raspberry Pi's dual-core ARM processor with flexible PIO for USB

USB Interface Hardware: Physical implementation of USB protocol handling:

• USB transceiver circuits for differential signaling

• Crystal oscillators for precise timing (typically 12MHz or 16MHz)

• Voltage regulation for 3.3V/5V operation

• ESD protection circuits

Memory Architecture:

• Flash Memory: Stores firmware, attack payloads, and configuration (typically 32KB-2MB)

• SRAM: Runtime memory for variable storage and execution (typically 2KB-256KB)

• EEPROM: Non-volatile storage for persistent configuration (typically 512B-4KB)

Advanced Hardware Features

Multi-Interface Controllers: Some sophisticated devices implement multiple USB interfaces simultaneously:

• Mass storage controller for appearing as USB drive

• HID controller for keyboard/mouse emulation

• CDC (Communication Device Class) for serial communication

• Custom vendor-specific interfaces

Wireless Capabilities: Modern attack devices often include:

• WiFi modules for remote command and control

• Bluetooth LE for covert communication

• Sub-GHz radio (433MHz, 915MHz) for long-range triggering

• NFC interfaces for proximity-based activation

Environmental Sensors: Advanced devices may include:

• Accelerometers to detect insertion/removal

• Temperature sensors to detect operating environment

• Light sensors to determine if device is concealed

• Timing circuits for delayed activation

USB Protocol Deep Dive

USB Enumeration Process

Understanding the detailed USB enumeration process reveals multiple intervention points for both attacks and defenses:

1. Device Attachment Detection

   • Host detects device insertion via voltage level changes

   • USB hub reports port status change to host controller

   • Host begins enumeration sequence

2. Initial Communication Setup

   Host → Device: GET_STATUS request (checks device responsiveness)
   Device → Host: Status response
   Host → Device: RESET signal (resets device to known state)

3. Device Descriptor Retrieval

   Host → Device: GET_DESCRIPTOR (Device) request
   Device → Host: Device descriptor containing:
     - Vendor ID (VID)
     - Product ID (PID)  
     - Device class information
     - Configuration count

4. Configuration and Interface Setup

   Host → Device: GET_DESCRIPTOR (Configuration) request
   Device → Host: Configuration descriptor detailing:
     - Interface count and types
     - Endpoint configurations
     - Power requirements

5. Driver Assignment and Activation

   • OS matches descriptors against available drivers

   • Appropriate driver loaded (typically usbhid.sys on Windows)

   • Device granted access to input subsystem

HID Protocol Implementation

HID Descriptor Structure: Defines the device's capabilities and report formats:

typedef struct {
    uint8_t bLength;           // Descriptor length
    uint8_t bDescriptorType;   // HID descriptor type (0x21)
    uint16_t bcdHID;          // HID specification version
    uint8_t bCountryCode;     // Country code for hardware
    uint8_t bNumDescriptors;  // Number of report descriptors
    uint8_t bDescriptorType2; // Report descriptor type (0x22)
    uint16_t wDescriptorLength; // Report descriptor length
} HID_DESCRIPTOR;

HID Report Descriptor: Defines input/output report formats using a compact binary language:

// Example keyboard report descriptor
static const uint8_t keyboard_report_descriptor[] = {
    0x05, 0x01,        // Usage Page (Generic Desktop)
    0x09, 0x06,        // Usage (Keyboard)
    0xa1, 0x01,        // Collection (Application)
    0x05, 0x07,        //   Usage Page (Keyboard/Keypad)
    0x19, 0xe0,        //   Usage Minimum (224)
    0x29, 0xe7,        //   Usage Maximum (231)
    0x15, 0x00,        //   Logical Minimum (0)
    0x25, 0x01,        //   Logical Maximum (1)
    0x75, 0x01,        //   Report Size (1)
    0x95, 0x08,        //   Report Count (8)
    0x81, 0x02,        //   Input (Data,Var,Abs)
    // ... additional fields for key codes
};

USB Communication Timing

Critical Timing Windows: Understanding USB timing is essential for both attack optimization and detection:

• Device Recognition: 10-100ms for initial enumeration

• Driver Loading: 100-1000ms depending on system performance

• First Input Capability: 200-2000ms total from insertion

• Polling Interval: Typically 10ms for keyboard devices (configurable)

Dual-Function USB Drive Architecture

The Microcontroller Revolution in USB Storage

Modern USB flash drives increasingly use sophisticated microcontrollers rather than simple storage controllers, creating opportunities for dual-function implementations that can act as both storage devices and HID input devices.

Hardware Implementation Details

Controller Selection: Advanced USB drives use microcontrollers capable of implementing multiple USB device classes:

• Alcor Micro AU6989: Common in consumer USB drives, supports mass storage and HID

• Phison PS2251: High-performance controller with custom firmware capabilities

• SMI (Silicon Motion) SM3267: Supports multiple interface configurations

• Realtek RTS5561: Dual-interface capable with large flash memory support

Memory Architecture in Dual-Function Devices:

[Flash Memory Layout]
├── Firmware Partition (32-128KB)
│   ├── USB Mass Storage Driver
│   ├── HID Keyboard Driver  
│   ├── Attack Payload Code
│   └── Configuration Data
├── Storage Partition (Remaining Space)
│   ├── Legitimate Files (for cover)
│   ├── Additional Payloads
│   └── Exfiltrated Data Storage
└── Hidden Partition (Optional)
    ├── Advanced Payloads
    └── Persistence Mechanisms

USB Composite Device Implementation

Composite Device Architecture: A single USB device presenting multiple interfaces simultaneously:

// USB Configuration Descriptor for Composite Device
typedef struct {
    USB_CONFIG_DESCRIPTOR config;
    
    // Mass Storage Interface
    USB_INTERFACE_DESCRIPTOR msc_interface;
    USB_ENDPOINT_DESCRIPTOR msc_bulk_in;
    USB_ENDPOINT_DESCRIPTOR msc_bulk_out;
    
    // HID Keyboard Interface  
    USB_INTERFACE_DESCRIPTOR hid_interface;
    HID_DESCRIPTOR hid_descriptor;
    USB_ENDPOINT_DESCRIPTOR hid_interrupt_in;
    
} COMPOSITE_CONFIG_DESCRIPTOR;

Interface Coordination: The microcontroller firmware must handle multiple USB interfaces concurrently:

• Mass Storage Class (MSC): Implements SCSI commands over USB for file system access

• Human Interface Device (HID): Handles keyboard input reports and LED status

• Endpoint Management: Separate endpoints for storage data and HID reports

• Power Management: Coordinating power states across multiple interfaces

Firmware Reflashing and Customization

Factory Firmware Vulnerabilities: Many USB drive controllers can be reflashed with custom firmware:

Common Reflashing Methods:

1. Vendor Tools: Manufacturers provide firmware update utilities

   # Example using Phison tools
   GetInfo.exe [device] # Identify controller and current firmware
   UDiskMP.exe [firmware.bin] [device] # Flash custom firmware

2. JTAG Interface: Hardware debugging interface for direct firmware access

   [USB Controller] ---- [JTAG Debugger] ---- [Development PC]
                  ↓
              [Custom Firmware Upload]

3. Bootloader Exploitation: Exploiting firmware update mechanisms

   // Example bootloader entry sequence
   while (bootloader_pin_active()) {
       if (receive_firmware_signature_valid()) {
           flash_firmware(received_data);
           restart_with_new_firmware();
       }
   }

Custom Firmware Capabilities:

• Dynamic Interface Switching: Alternating between storage and HID modes

• Conditional Activation: HID functionality triggered by specific conditions

• Steganographic Storage: Hiding attack data within legitimate files

• Anti-Forensics: Firmware that can destroy evidence when detected

Implementation Example: BadUSB on USB Drive

Firmware Structure for a dual-function attack device:

// Main firmware loop
void main_loop() {
    switch (current_mode) {
        case MODE_STORAGE:
            handle_mass_storage_requests();
            if (attack_trigger_detected()) {
                switch_to_hid_mode();
            }
            break;
            
        case MODE_HID:
            execute_attack_payload();
            if (attack_complete()) {
                switch_to_storage_mode();
            }
            break;
    }
}

// Attack trigger detection
bool attack_trigger_detected() {
    // Examples of trigger conditions:
    return (specific_file_accessed() ||
            time_delay_expired() ||
            remote_activation_received());
}

// Mode switching implementation
void switch_to_hid_mode() {
    usb_disconnect();
    reconfigure_usb_descriptors(HID_DESCRIPTORS);
    usb_reconnect();
    current_mode = MODE_HID;
}

Software Implementation Deep Dive

Attack Payload Development Framework

DuckyScript Interpreter: Most attack devices implement a DuckyScript interpreter in firmware:

typedef struct {
    uint8_t command;
    uint16_t parameter;
    uint8_t data[];
} DUCKY_COMMAND;

// Command processing loop
void execute_ducky_script(uint8_t* script, size_t length) {
    DUCKY_COMMAND* cmd = (DUCKY_COMMAND*)script;
    
    while (cmd < script + length) {
        switch (cmd->command) {
            case CMD_STRING:
                type_string((char*)cmd->data);
                break;
            case CMD_DELAY:
                delay_ms(cmd->parameter);
                break;
            case CMD_KEY:
                send_key_combination(cmd->parameter);
                break;
            // ... additional commands
        }
        cmd = next_command(cmd);
    }
}

Advanced Payload Capabilities:

• Environment Detection: Identifying target OS, security software, and system configuration

• Adaptive Execution: Modifying behavior based on detected environment

• Error Handling: Graceful failure and recovery mechanisms

• Logging and Reporting: Recording attack success/failure for later analysis

Operating System Integration Points

Windows HID Stack Interaction:

Application Layer
    ↓
Win32 API (User32.dll, Kernel32.dll)
    ↓  
Windows Message Queue
    ↓
Raw Input/Legacy Input APIs
    ↓
HID Class Driver (hidclass.sys)
    ↓
HID USB Transport (hidusb.sys)
    ↓
USB Hub Driver (usbhub.sys)
    ↓
USB Host Controller (ehci.sys/xhci.sys)
    ↓
Hardware (USB Controller)

Linux HID Processing Pipeline:

Userspace Applications
    ↓
Input Subsystem (/dev/input/eventX)
    ↓
Input Core (input.c)
    ↓
HID Core (hid-core.c)
    ↓
USB HID Driver (usbhid/hid-core.c)
    ↓
USB Subsystem (usb-core)
    ↓
USB Host Controller Driver
    ↓
Hardware

Kernel-Level Attack Implementation

Direct Kernel Memory Manipulation: Advanced attacks may attempt to modify kernel structures:

// Example Windows kernel structure manipulation
typedef struct _DEVICE_OBJECT {
    CSHORT Type;
    USHORT Size;
    LONG ReferenceCount;
    struct _DRIVER_OBJECT *DriverObject;
    // ... additional fields
} DEVICE_OBJECT, *PDEVICE_OBJECT;

// Hypothetical attack modifying device permissions
NTSTATUS modify_device_permissions(PDEVICE_OBJECT device) {
    // Locate security descriptor
    PSECURITY_DESCRIPTOR sec_desc = get_device_security_descriptor(device);
    
    // Modify ACL to grant additional access
    modify_acl_permissions(sec_desc, GENERIC_ALL);
    
    return STATUS_SUCCESS;
}

Advanced Attack Techniques

Firmware-Level Persistence

UEFI/BIOS Modification: Some sophisticated attacks target system firmware:

// Example UEFI DXE driver installation
EFI_STATUS InstallMaliciousDxeDriver() {
    EFI_HANDLE ImageHandle;
    EFI_DEVICE_PATH_PROTOCOL* DevicePath;
    
    // Load malicious driver from embedded storage
    Status = gBS->LoadImage(FALSE, gImageHandle, DevicePath, 
                           MaliciousDriverImage, DriverSize, &ImageHandle);
    
    if (!EFI_ERROR(Status)) {
        // Start the malicious driver
        Status = gBS->StartImage(ImageHandle, NULL, NULL);
    }
    
    return Status;
}

Hardware Security Module Bypass

TPM Interaction: Advanced attacks may attempt to interact with hardware security modules:

// Example TPM command construction
typedef struct {
    uint16_t tag;
    uint32_t paramSize;
    uint32_t ordinal;
    uint8_t authHandle[4];
    uint8_t nonceOdd[20];
    uint8_t continueAuthSession;
    uint8_t authData[20];
} TPM_COMMAND_HEADER;

// Attempt to extract stored keys or certificates
uint32_t attempt_tpm_key_extraction() {
    TPM_COMMAND_HEADER cmd;
    cmd.ordinal = TPM_ORD_GetPubKey;
    // ... construct command
    
    return send_tpm_command(&cmd);
}

Detection and Analysis Techniques

Hardware-Level Detection

USB Traffic Analysis: Monitoring USB communication patterns:

// USB packet capture structure
typedef struct {
    uint64_t timestamp;
    uint8_t endpoint;
    uint8_t direction;
    uint16_t length;
    uint8_t data[];
} USB_PACKET;

// Anomaly detection in USB timing
bool detect_automated_input(USB_PACKET* packets, size_t count) {
    for (size_t i = 1; i < count; i++) {
        uint64_t interval = packets[i].timestamp - packets[i-1].timestamp;
        
        // Detect impossibly fast or perfectly regular timing
        if (interval < MIN_HUMAN_INTERVAL || 
            interval == EXACT_AUTOMATED_INTERVAL) {
            return true;
        }
    }
    return false;
}

Firmware Analysis Techniques

Firmware Extraction and Reverse Engineering:

# Extract firmware from USB device
dd if=/dev/sdb of=firmware.bin bs=512 count=64

# Analyze firmware structure
binwalk firmware.bin
strings firmware.bin | grep -i "ducky\|payload\|attack"

# Disassemble firmware code
objdump -D -m arm firmware.bin

Static Analysis of Attack Payloads:

# DuckyScript payload analysis
def analyze_ducky_script(script_content):
    suspicious_patterns = [
        r'powershell.*-w.*hidden',
        r'cmd.*\/c.*echo.*\|.*certutil',
        r'START.*iexplore.*data:',
        r'STRING.*http.*\.exe'
    ]
    
    threats = []
    for pattern in suspicious_patterns:
        if re.search(pattern, script_content, re.IGNORECASE):
            threats.append(f"Suspicious pattern: {pattern}")
    
    return threats

Countermeasure Implementation

Hardware-Based Protection

USB Port Filtering Hardware:

// Hardware USB filter implementation
typedef struct {
    uint16_t vid;
    uint16_t pid;
    uint8_t device_class;
    bool authorized;
} DEVICE_POLICY;

bool evaluate_device_policy(USB_DEVICE_DESCRIPTOR* desc) {
    DEVICE_POLICY* policy = lookup_device_policy(desc->idVendor, desc->idProduct);
    
    if (!policy) {
        // Unknown device - request authorization
        return request_user_authorization(desc);
    }
    
    return policy->authorized;
}

Software-Based Monitoring

Real-Time Input Analysis:

// Keystroke timing analysis
typedef struct {
    uint64_t timestamp;
    uint8_t keycode;
    bool is_press;
} KEYSTROKE_EVENT;

bool detect_automated_typing(KEYSTROKE_EVENT* events, size_t count) {
    double avg_interval = calculate_average_interval(events, count);
    double variance = calculate_variance(events, count);
    
    // Human typing has high variance, automated typing is regular
    return (variance < AUTOMATED_VARIANCE_THRESHOLD);
}

Conclusion: The Technical Landscape

The technical implementation of bad keyboard attacks represents a sophisticated intersection of hardware engineering, firmware development, USB protocol manipulation, and operating system exploitation. Understanding these technical details is crucial for cybersecurity professionals developing effective countermeasures.

The evolution toward dual-function USB devices with reflashable firmware represents a significant escalation in attack sophistication. These devices blur the line between legitimate storage devices and malicious input devices, making detection and prevention significantly more challenging.

Key technical takeaways include:

1. Hardware Complexity: Modern attack devices use sophisticated microcontrollers with multiple interface capabilities

2. Firmware Flexibility: Reflashable firmware enables dynamic attack capabilities and evasion techniques

3. USB Protocol Exploitation: Deep understanding of USB enumeration and HID protocols enables sophisticated attacks

4. Operating System Integration: Attacks leverage trusted input pathways that bypass traditional security controls

5. Detection Challenges: Technical countermeasures must operate at multiple levels from hardware to application

This technical landscape continues to evolve as attackers develop more sophisticated techniques and defenders implement more advanced detection and prevention mechanisms. The arms race between attack and defense in this domain requires deep technical expertise and continuous innovation on both sides.