Turning a Pico into a Human Interface Device (HID) | The State of Security


I just walked out of room 716 at SecTor here in Toronto, where I shared details on my Raspberry Pi Pico project. I’m happy that I was finally able to share this and even happier to announce that the GitHub repo is now open to the public. I won’t walk you through the code, but you can reach out to me if you have questions.  

So, what is the repo? As I mentioned in the announcement for my SecTor session, I looked at turning a Pico (or any device running an RP2040) into a Human Interface Device (HID). I started out creating a Stream Deck and had such a great time building that and turning it into a tool to teach Python to teens, that I decided to dig deeper into the functionality of the Pico’s HID functionality. As a demo for SecTor 2021, I created a Pico that, when plugged into a computer, would emulate a keyboard and quickly issue commands. Over the past year, I’ve extended that and created example code.  

While BadUSB attacks are not new, I’m hoping that this makes them more accessible and opens the door for further education about how these attacks are performed and the damage they can do. With a little bit of creativity, these devices could be hidden in standard USB devices and distributed to employees as part of annual security awareness training. While they can service malicious individuals, there’s a lot of harmless fun that can be had demonstrating the dangers of these devices to non-technical individuals.  

Within the GitHub repo, you’ll find the keycode library (one already exists within CircuitPython, but I wasn’t happy with the approach it used), a template for the BadUSB attack, sample code, and plenty of example payloads. This tooling can be useful, not only for security awareness training, but also for administrators needing to deliver configuration to remote systems that are not networked. Anything you can do with a keyboard; you can do with a Pico using this code and that provides extensive flexibility and functionality.  

If you explore the repo or use the code, I’d love to hear how you are using it and what you think of the code. I’m sure there are plenty of improvements that could be made and I’m happy to hear your suggestions. Enjoy! 





Source link