Firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. A USB device firmware hack called BadUSB was presented at Black Hat USA 2014 conference, demonstrating how a USB flash drive microcontroller can be reprogrammed to spoof various other device types in order to take control of a computer, ex-filtrate data, or spy on the user. BadUSB is a critical security flaw that can turn any USB device into a cyber threat. Security experts have released the BadUSB code online, giving hackers access to it.
This project on Indiegogo, MalDuino, is an Arduino-powered BadUSB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing previous configured commands at superhuman speeds. You could gain a reverse shell, change the desktop wallpaper, anything is possible. MalDuino is targeting penetration testers, hobbyists and pranksters.
Check the campaign video to know more about the project and to see MalDuino in action:
“MalDuino aims to offer the best BadUSB experience. In terms of software, MalDuino is programmed via the arduino IDE using open source libraries. Scripts written in DuckyScript can easily be converted into code the MalDuino can understand”
Ducky Script is the language of the USB Rubber Ducky, and writing the scripts can be done from any common ascii text editor such as Notepad, vi, emacs, nano, gedit, kedit, TextEdit, etc. Each command resides on a new line and may have options follow.
MalDuino comes in two editions: Elite and Lite. Elite depends on a SD card to save scripts, thus no need to program the board each time you want to change the script running. With DIP switches provided, you can choose which script to run easily.
The second edition is Lite: a smaller one that can be disguised in most of USB flash disk cases. It has an internal memory of 30 kb to store scripts.
Similar to Arduino Leonardo, you can run MalDuino and operate it anywhere a Leaonardo can run. Some issues were reported by Windows 7 users while running the scripts, but these problems are going to be considered and solved. Another issue is the keyboard different layouts, so if you try to run an English script on a computer with a Spanish keyboard, the wrong characters may be pressed. The English/American keyboards are the only guaranteed up till now
The campaign still has 21 days to go and it has already achieved %1800 of its £500 goal! You can pre-order Lite edition for $16 and Elite for $29. Hardware designs and source codes will be available at Github once the project is launched. More detailed information can be reached at the campaign page.