Block unknown USB devices, defend against "Evil Maid"/"Rubber Ducky" USB attacks like Beamgun does

  • 24 January 2017
  • 3 replies

Userlevel 3
On GitHub there is an experimental project "Beamgun" which adds a defense layer to the Windows USB driver subsystem to block all new USB device attachments, for devices which haven't already been recognized and approved, even when the new device would not normally require a driver installation or any user interaction, e.g. devices which (claim to be) "Network adapter" or "Keyboard (HID device)", etc.
These "Evil Maid" or "Rubber Ducky" USB attacks have been demonstrated where, if a person has physical access to a computer, and the computer is on, the USB device acts like a keyboard or a network adapter or some other USB device type, which allows it to start locally trying to exploit vulnerabilities. Locked screens don't help because the device is talking directly "on the local network" or as an additional keyboard or mouse, etc. Full Disk Encryption doesn't help because the computer is already running and if the USB attack can gain any kind of access (underneath the lock screen) then the files are already accessible decrypted. (File based encryption would help, unless the attack gives the attacker a foothold which then sits and watches and waits until the legitimate user unlocks the encrypted files.)
I would like to see this "beamgun" defense added to endpoint security solutions, especially non-signature based ones like Webroot SecureAnywhere.
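
An added sketch of the allowlist decision the post describes, not part of the original post and not Beamgun's code: it blocks never-approved devices and also approved devices that show up with a new interface class. The event shape (one Windows-style instance ID plus the compatible IDs of all interfaces), the function names and all sample values are assumptions.

```python
import re

# USB-IF interface class codes that typically enumerate with no driver prompt.
SILENT_CLASSES = {0x03: "HID (keyboard/mouse)", 0x02: "CDC network/serial",
                  0xE0: "wireless/RNDIS network"}
ID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.I)
CLASS_RE = re.compile(r"^USB\\Class_([0-9A-F]{2})", re.I)

def parse_event(instance_id, compatible_ids):
    """Return (vid, pid, serial, frozenset of class codes) for one arrival."""
    m = ID_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a USB instance ID: {instance_id!r}")
    classes = frozenset(int(c.group(1), 16)
                        for c in map(CLASS_RE.match, compatible_ids) if c)
    return m.group(1).upper(), m.group(2).upper(), m.group(3), classes

def decide(event, approved):
    """approved maps (vid, pid, serial) -> class codes seen at approval time."""
    vid, pid, serial, classes = event
    known = approved.get((vid, pid, serial))
    if known is None:
        verdict = "block: device never approved"
    elif not classes <= known:
        # Same identity, extra class: a "flash drive" that now claims a keyboard.
        verdict = "block: approved device presents new class"
    else:
        return "allow"
    silent = sorted(SILENT_CLASSES[c] for c in classes if c in SILENT_CLASSES)
    return verdict + (f" [{', '.join(silent)}]" if silent else "")

# Constructed sample data (hypothetical IDs, not from a real host).
APPROVED = {("AAAA", "0001", "SER1"): frozenset({0x03}),
            ("BBBB", "0002", "SER2"): frozenset({0x08})}
ARRIVALS = [
    (r"USB\VID_AAAA&PID_0001\SER1", [r"USB\Class_03&SubClass_01&Prot_01"]),
    (r"USB\VID_BBBB&PID_0002\SER2", [r"USB\Class_08&SubClass_06&Prot_50",
                                     r"USB\Class_03&SubClass_01&Prot_01"]),
    (r"USB\VID_CCCC&PID_0003\SER3", [r"USB\Class_E0&SubClass_01&Prot_03"]),
]

def run():
    return [decide(parse_event(i, c), APPROVED) for i, c in ARRIVALS]

if __name__ == "__main__":
    for line in run():
        print(line)
```

Vendor and product IDs are self-reported by the device, which is why the approval record also pins the class codes seen when the device was approved.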

3 replies

Userlevel 7
Thank you for your suggestion, however we are not looking to implement this, at this time.
ARE YOU KIDDING ME. Why are you not looking into implementing this?
Userlevel 7
@ because WSA has great protection from all vectors as is with its Realtime Shield.