Hardware Security

BadUSB Controls for Engineering Teams

BadUSB controls that survive contact with engineering teams — USB device control, HID allowlisting, USBGuard and WDAC, plus detection that does not block real work.

A USB dock with several ports, one port glowing red and blocked while the others glow cyan
Threat reference

BadUSB controls for engineering teams have a hard constraint: engineers plug in more hardware than anyone — keyboards, docks, debuggers, dev boards, SDRs — so a blanket USB block breaks real work and gets disabled within a week. The controls that survive are allowlist-based: permit known-good devices by hardware ID, block new unknown HID devices, and alert on the rest. This guide ships the device-control architecture (USBGuard on Linux, device-installation policy on Windows) plus the detection that catches a malicious device without stopping legitimate engineering.

A BadUSB device — a USB Rubber Ducky, a malicious cable, or a Flipper Zero in BadUSB mode — is a hardware addition: MITRE ATT&CK T1200 — Hardware Additions, with injected commands mapping to T1059.001.

What is a BadUSB attack, and why is it hard for engineering teams?

BadUSB abuses the implicit trust the operating system grants to a USB device’s declared class. A device can claim to be a keyboard and inject keystrokes, a network adapter and reroute traffic, or storage — and the OS believes it. The USB Rubber Ducky detection patterns post covers the behavioral detection; this post is about the controls that prevent it at scale.

The engineering-team challenge is that the obvious control — block USB — is a non-starter. Developers need keyboards, KVMs, docks, JTAG/SWD debuggers, dev boards, and SDRs. A policy that blocks them all gets exception-requested into uselessness. The answer is precision: allow the known, block the novel.

What are the BadUSB control options?

ControlPlatformWhat it doesTrade-off
Device allowlist (by hardware ID)Win / LinuxPermit known devices, block the restNeeds an inventory to maintain
Block new HID by defaultWin / LinuxStops injected-keyboard attacksMust allow legit new keyboards
USBGuardLinuxPolicy-based device authorizationTuning for dev workflows
WDAC / app allowlistingWindowsBlocks the payload’s executionSetup effort
Port physical controlHardwareDisable/epoxy unused portsCrude; rare for laptops

The pattern that works for engineers: allowlist what they use, block new HID keyboards by default, and let application allowlisting backstop the payload — so even a permitted-looking device cannot run an arbitrary command.

How to enforce BadUSB controls

On Linux, USBGuard authorizes devices by attribute. Start from your current, trusted devices and block anything new by default:

# /etc/usbguard/rules.conf — allow current devices, block new ones
allow id 046d:c52b serial "..."      # known wireless receiver
allow with-interface equals { 03:*:* } \
  if !allowed-matches(with-interface equals { 03:00:01 })   # HID, not new keyboards
block                                 # default-deny everything else

On Windows, use device-installation restrictions (Group Policy / Intune) to allow known device IDs and block new HID classes, and pair it with WDAC so an injected command cannot run an unsigned payload. The detection layer then alerts on anything that slips the policy.

Sigma New USB Device Installed With a HID Keyboard Interface
title: New USB Device Installed With a HID Keyboard Interface
id: 4f1d9b73-darkpwn-illustrative
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 6416
    ClassName: 'Keyboard'
  filter_known:
    DeviceId|contains: 'KNOWN_INSTANCE_PREFIX'
  condition: selection and not filter_known
falsepositives:
  - Genuinely new keyboards/KVMs (add to the allowlist, then this clears)
level: medium
Sigma USB Device Presenting Multiple Conflicting Device Classes
title: USB Device Presenting Multiple Conflicting Device Classes
id: 8c2e1a64-darkpwn-illustrative
status: experimental
logsource:
  product: linux
  service: usbguard
detection:
  selection:
    event: 'device.present'
    interfaces|contains|all: ['03:', '08:']   # HID + Mass Storage on one device
  condition: selection
falsepositives:
  - Legitimate composite devices (some keyboards with storage); allowlist them
level: medium

How to roll out BadUSB controls without breaking engineering

  1. Inventory the USB devices engineers actually use (keyboards, docks, debuggers, dev boards) and build the allowlist from reality.
  2. Deploy in audit/monitor mode first — log what would be blocked, refine the allowlist, then enforce.
  3. Block new HID keyboards by default on high-value endpoints; allow known instance IDs.
  4. Layer application allowlisting (WDAC/AppLocker) so a slipped device’s payload still fails.
  5. Give a fast exception path so a legitimate new debugger does not drive workarounds.

Common BadUSB control mistakes

  • Blanket USB blocking. Breaks engineering and gets disabled.
  • Allowlisting by class, not device. “Allow all keyboards” permits the Ducky.
  • No audit phase. Enforcing blind generates exception chaos.
  • Control without detection. Allowlists drift; you still need alerts on the novel.

BadUSB controls checklist

  1. Inventory engineers’ real USB devices; build a hardware-ID allowlist.
  2. Deploy device control (USBGuard / Windows device-install policy) in audit mode first.
  3. Block new HID keyboards by default on high-value endpoints; allow known IDs.
  4. Layer WDAC/AppLocker so payloads cannot execute.
  5. Forward USB device events to the SIEM; alert on new HID and conflicting classes.
  6. Correlate device-add with rapid script-host launches.
  7. Provide a fast, low-friction exception path for legitimate new hardware.
  8. Review the allowlist on a schedule for drift.

The takeaway

BadUSB controls for engineering teams work when they are allowlist-based: permit the hardware engineers actually use, block new unknown HID devices, layer application allowlisting for the payload, and alert on the novel. Precision is what keeps the control deployed. Continue with USB Rubber Ducky detection patterns and Flipper Zero NFC risk, or browse the full Hardware Security pillar.

Training & tools referenced

Disclosure: Some links below are affiliate links. If you buy through them, darkpwn may earn a commission at no extra cost to you. We only recommend training and tools we actually use in our own lab, and affiliate links never influence editorial coverage.

  • TryHackMeAuthorized labs to practice USB and endpoint security controlsSecurity Training
    Start training

Frequently asked questions

What is a BadUSB attack?

BadUSB is a class of attack where a USB device's firmware makes it impersonate a trusted device class — most commonly a keyboard (HID) that injects keystrokes, but also network adapters or storage. Because the OS trusts the device class, antivirus and USB mass-storage policy do not stop it. A USB Rubber Ducky and a malicious cable are examples.

How do engineering teams control BadUSB without blocking work?

Use device control that allowlists known-good devices by hardware ID rather than blanket-blocking USB, which breaks legitimate engineering work. USBGuard on Linux and Windows device-installation policy (or WDAC) let you permit existing keyboards, docks, and debuggers while blocking new, unknown HID devices and alerting on them.

Can you block BadUSB with antivirus?

No. A BadUSB device injects keystrokes or presents a trusted device class; it runs no malicious file of its own, so signature antivirus has nothing to scan. The controls are device allowlisting plus application allowlisting to stop whatever the keystrokes try to run.

What is USBGuard?

USBGuard is a Linux framework that enforces a device-authorization policy: you define allowed USB devices by attributes (vendor, product, serial, interface class) and it blocks devices that do not match. It is the Linux counterpart to Windows device-installation restrictions for BadUSB control.

Newsletter

Liked this breakdown?

Defensive security research — detection, hardening, and hardware — delivered when there is something worth saying. No spam, unsubscribe anytime.