Firmware is a type of software that provides control, monitoring and data manipulation of engineered products and systems. A USB device firmware hack called BadUSB was presented at Black Hat USA 2014 conference, demonstrating how a USB flash drive microcontroller can be reprogrammed to spoof various other device types in order to take control of a computer, ex-filtrate data, or spy on the user. BadUSB is a critical security flaw that can turn any USB device into a cyber threat. Security experts have released the BadUSB code online, giving hackers access to it.
This project on Indiegogo, MalDuino, is an Arduino-powered BadUSB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing previous configured commands at superhuman speeds. You could gain a reverse shell, change the desktop wallpaper, anything is possible. MalDuino is targeting penetration testers, hobbyists and pranksters.
Check the campaign video to know more about the project and to see MalDuino in action:
MalDuino aims to offer the best BadUSB experience. In terms of software, MalDuino is programmed via the arduino IDE using open source libraries. Scripts written in DuckyScript can easily be converted into code the MalDuino can understand
Ducky Script is the language of the USB Rubber Ducky, and writing the scripts can be done from any common ascii text editor such as Notepad, vi, emacs, nano, gedit, kedit, TextEdit, etc. Each command resides on a new line and may have options follow.
MalDuino comes in two editions: Elite and Lite. Elite depends on a SD card to save scripts, thus no need to program the board each time you want to change the script running. With DIP switches provided, you can choose which script to run easily.
Read more: MalDuino, The Open Source BadUSB