Hasn't this been known for half a decade?<p>I mean, it's a product you can literally buy and it's impossible to adequately defend against.<p><a href="https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads" rel="nofollow">https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads</a><p><a href="https://shop.hak5.org/products/usb-rubber-ducky-deluxe" rel="nofollow">https://shop.hak5.org/products/usb-rubber-ducky-deluxe</a>
As has been pointed out, you couldn't block this kind of thing without blocking USB keyboards altogether.<p>I wonder what it would look like to have a background program that would detect and intercept any newly connected device by default, give it a fake (VM?) environment, and log everything it tried to do to the screen while prompting to ask if you want to let it into the "real" system. Obviously this is what security professionals do manually, but I'm talking about a totally transparent and automatic version that could be left running all the time.
There are a variety of physical port blockers available as well as devices to lock cables in place. Some protrude, others are flush and require a key for removal.<p>If you have business policies and training in place, hopefully the additional steps of removing a lock will also provide time for adequate second thoughts to percolate through those with poor judgment. Malicious actors won't be seriously deterred, but that's a different matter.
Qubes OS has an interesting way of combatting these kinds of attacks. You can manually attach a USB drive to a specific program VM, limiting the damage possible by a malicious flash drive.<p>I want to say it even lets you disable or whitelist USB keyboards/mice entirely but I’m not 100% certain.<p>Qubes OS is pretty different from other OSes though. I wish that sort of device isolation were possible or more easily accomplished in other operating systems.
At Defcon, a buddy of mine screwed around with a Bluetooth HID device that, when connected to, would automatically attempt to open a webpage and send them to an innocuous site (which obviously could have been a less innocuous site).<p>Couldn't believe we got multiple people to connect to it under the guise that the device would do a cool thing.