I have managed to stop most of the attack vectors using a varity of different group policies. The only one that I'm having issues with is when it uses the HID attack method.
Has anybody come up with a solution of how to stop it imitating a keyboard and getting let into the system?
Physical access to a USB port means you're pretty much screwed.
HID (ie, keyboard) emulation is only one thing that a USB device can do. It can also pretend to be an ethernet interface, or a modem, and offer "network access" to the PC. If the OS helpfully autoconfigures it, and decides to use it, then the device will be able to sniff the network traffic, spoof DNS queries, etc.
More details here.
Now, if you're only interested in stopping this and not the other attacks, you can stop it with software that will detect an excessive typing speed. That won't stop a slow rubber ducky of course. You could check the USB VID/PID of the keyboard, but a USB device can easily spoof these.
Really, USB is physical access, it's insecure.
Well I guess writing a filesystem filter would not hurt? Then when a USB is plugged in you can somehow get a copy of the firmware. I guess > http://openocd.org/. then you can analyze from there and then block/allow it...
But take a look at this, https://www.kanguru.com/info/kanguru-usb-drives-with-secure-firmware.shtml "USB flash drives .... built with digitally-signed secure firmware"
Or you can just "educate" the user I suppose...
You should get software that locks the screen when a HID is inserted. (For example Penteract Disguised Keyboard Detector.)
That should protect your computer provided you have a strong enough password for it.
I would think it would be as simple as disabling new hardware from being installed in group policies. Making 1 administrator user and the rest of the users near administrator not allowing hardware drivers to be installed and new hardware to be enabled to the computer system would disable a bad USB/rubber ducky's attack so any rubber ducky or bad USB would be rendered useless.
Of course you also would have to disable your CMOS/BIOS if you are worried about attempts from boot up but in Windows, Linux, or just about any other OS out there you should be able to disable the hardware that easy.
Now, the pain in this is that if you want a new flash drive or any other USB device to be used on that computer you would have to go on as the administrator and set it up, but that would stop the attacks.
