A human interface device, or HID, is a type of computer device that takes input from and gives output to humans. It is a USB device class served by a generic driver and is used by keyboards, mice, game controllers, and similar peripherals.
HID attacks take advantage of such external devices (usually connected via USB) to maliciously run commands on your computer or device. These external devices usually have an embedded development platform on which keystrokes can be pre-programmed to drop a malicious payload once the device reaches its target machine. The main risk associated with these devices is that they emulate other USB-based devices such as mice and keyboards, which are trusted by default. This allows the attacker to very quickly write bytes to a file, run it, and bypass USB blocking policies, since such devices are treated differently from removable storage devices.
HID attacks are incredibly potent because they can operate at speeds that are virtually impossible for standard users in an organisation to detect. Attackers therefore rely heavily on users leaving their computers unattended, or leave such devices around offices hoping that an unsuspecting user will plug one in. Once connected, these devices can fingerprint the operating system they are plugged into and run code to spawn a reverse shell, giving an attacker persistent access to the computer even after the HID device has been removed.
Some commonly seen devices that are used for these attacks include the USB Rubber Ducky, Arduino, Raspberry Pi and fake peripheral devices. A USB Rubber Ducky can swipe your password in less time than it takes you to create it. This tool was introduced back in 2011 and uses a special scripting language called Ducky Script, which uses simple string commands to tell the "duck" what to type and what to do. Arduino, on the other hand, is a microcontroller board and development kit that lets you control hardware using the C programming language. This gives fine-grained low-level control and access, through what looks like a simple USB stick.
Fake peripheral devices can be the most difficult to detect, as they resemble normal devices such as your everyday mouse and keyboard. Such devices can be modified internally to enable them to perform HID attacks, thereby providing yet another way in which an attacker may deliver a payload which differs from the typical ‘USB’ device.
One common misconception is that USB storage device blocking policies will prevent HID attacks from taking place. This is false, since the devices used to perform such attacks are classified as HID devices and are therefore not seen as any different from a common keyboard or mouse by the targeted computer. Once connected, the malicious HID device will ‘type’ out predefined commands (as if they are coming from an actual keyboard) at a very high speed, often causing no more than a stutter or blip on the user’s screen. This makes detecting such attacks very difficult, and therefore reliance is placed on technical defensive measures such as anti-virus and endpoint detection and response (EDR) solutions. Having said this, prevention is better than detection, and the best way to prevent these attacks is to train users to never plug untrusted HID or USB peripherals into their devices.
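The superhuman typing speed described above is also the property that host-based detection can key on. The following is an added example, not code from the original article: a keystroke-rate heuristic that splits an event stream into bursts and flags any burst typed far faster than a person can. The event timings, the 20 ms threshold and the function names are constructed assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample keystroke events as (timestamp_seconds, key).
# A human typist leaves roughly 100-200 ms between keys.
HUMAN_EVENTS: List[Tuple[float, str]] = [
    (0.00, "h"), (0.15, "e"), (0.31, "l"), (0.44, "l"), (0.60, "o"),
]
# An emulated keyboard injects a whole line with ~2 ms between keys.
INJECTED_TEXT = "echo injected keystrokes"
INJECTED_EVENTS: List[Tuple[float, str]] = [
    (10.0 + i * 0.002, ch) for i, ch in enumerate(INJECTED_TEXT)
]


def detect_injected_typing(
    events: List[Tuple[float, str]],
    min_keys: int = 5,           # ignore bursts too short to judge a rate
    max_mean_gap: float = 0.02,  # 20 ms mean gap: far faster than any human (assumed)
    idle_gap: float = 1.0,       # a pause this long starts a new burst
) -> List[Dict[str, object]]:
    """Split the key stream into bursts separated by idle pauses and
    return one alert per burst typed at a superhuman rate."""
    alerts: List[Dict[str, object]] = []

    def check(burst: List[Tuple[float, str]]) -> None:
        if len(burst) < min_keys:
            return
        gaps = [burst[i][0] - burst[i - 1][0] for i in range(1, len(burst))]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap:
            alerts.append({
                "start": burst[0][0],
                "keys": len(burst),
                "mean_gap_s": round(mean_gap, 4),
                "text": "".join(k for _, k in burst),
            })

    burst: List[Tuple[float, str]] = []
    for event in sorted(events):
        if burst and event[0] - burst[-1][0] > idle_gap:
            check(burst)
            burst = []
        burst.append(event)
    check(burst)
    return alerts


if __name__ == "__main__":
    for alert in detect_injected_typing(HUMAN_EVENTS + INJECTED_EVENTS):
        print(f"superhuman typing at t={alert['start']}s: {alert['text']!r}")
```

In practice the thresholds need tuning against real users, and the heuristic complements rather than replaces controls such as allow-listing known keyboard vendor and product IDs.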
PwC’s experience with clients has shown that simulation exercises and awareness campaigns are the best way to ensure that you can better protect yourself against these attacks.